>Really? So you wouldn't recommend using RFC 1918 addressing in a transient
>network, say, for a customer (end user) production network, as a means of
>securing the routers/switches that transport the data? The servers used
>direct server return (http://www.foundrynet.com/genFaqDSR.html), and didn't
>incur the performance penalty usually associated with NAT...
I'm not sure what you mean by a transient network.
But if the hosts on that network connect to the Internet, they should:
1. Tunnel to endpoints using private address space (i.e., you are
building a VPN)
2. Use registered address space
3. Use private address space and NAT on the provider side.
It concerns me, however, that private address space, without being
discussed along with explicit filtering and other complementary
security mechanisms, can be thought of as adding any reliable level
of security. Yes, you may not be reachable in the global Internet.
But without other controls, you might be quite accessible from other
customers of the same providers.
Private addressing does have a place, and a good one. But it
shouldn't EVER appear, IMNSHO, in ANY global Internet communications,
whether those are the sources of packets or simply traceroute
results. Too many operational and security implications.
I don't think use of RFC 1918 for any form of Internet connectivity
can be consistent with RFC 2828 and related anti-hacking measures.
>
>I've built several networks using this type addressing scheme, in
>conjunction with the use of OSPF and haven't had any problems... I realize
>that this is not the same class of network (ISP), but it was a design used
>for several e-commerce sites...
>
>I would just like to know other peoples' opinion on this practice,
>especially yours, Howard... :)
>
>Thanks
>Brant I. Stevens
>Internetwork Solutions Engineer
>Thrupoint, Inc.
>545 Fifth Avenue, 14th Floor
>New York, NY. 10017
>646-562-6540
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Howard C. Berkowitz
>Sent: Sunday, February 25, 2001 6:32 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Private Internet Addressing
>
>
>This remains a continuing thread on NANOG.
>
>My personal view is that the world has certain ISPs, such as cais.net
>DSL and apparently US West in your example, that exist for the same
>reason as do warthogs: to make roses even more beautiful.
>
>Several major ISPs have this pernicious practice, which confuses
>traceroute (in several ways), reverse DNS, and MTU path discovery.
>They are ISPs with significant allocations of address space and
>should be able to get more.
>
>I personally believe that anyone that uses private address space in a
>path where public traffic will EVER route through one of the
>addresses, is, at best, being irresponsible. Sort of like looking
>for the gas leak with a lighted match.
>
>
>>I did a traceroute to one of US West's customers... got some
>>interesting results:
>>
>>13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
>>14 1016 ms 151 ms 975 ms 207.224.191.2
>>15 233 ms 124 ms 123 ms 192.168.8.1
>>16 151 ms 179 ms 123 ms 192.168.100.147
>>17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]
>>
>>RFC 1918 - "Address Allocation for Private Internets" indicates
>>192.168.0.0 through 192.168.255.255 (192.168/16 prefix) is reserved
>>for private internets. Hops 15 and 16 in my traceroute show that
>>addresses within this range are being used publicly.
>>
>>Did I miss something? Have the "for private use only" IP addresses
>>now been given the green light to be used within the internet?
>>
>> -- Leigh Anne
>>
>
>_________________________________
>FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
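The check Leigh Anne did by eye, reading the traceroute and spotting hops that fall in RFC 1918 space, is easy to automate. The script below is an added example and is not code from anyone in this thread; it parses Windows-style tracert output (the sample is the one quoted above), reports every hop whose address sits in 10/8, 172.16/12 or 192.168/16, and exposes the same classifier so an operator can reuse it when auditing edge filters. The hop-parsing regex and the function names are assumptions of this example, not anything from the list or from any vendor tool.

```python
import ipaddress
import re

# The three RFC 1918 blocks: 10/8, 172.16/12, 192.168/16.
RFC1918_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Loose IPv4 matcher; hostnames such as gig0-0-0.phnx-sust1 contain no
# dotted quads, so only real addresses are picked up. (Assumed regex.)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# The tracert output quoted in the thread, embedded as sample input.
SAMPLE_TRACEROUTE = """\
13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
14 1016 ms 151 ms 975 ms 207.224.191.2
15 233 ms 124 ms 123 ms 192.168.8.1
16 151 ms 179 ms 123 ms 192.168.100.147
17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]
"""


def is_rfc1918(addr: str) -> bool:
    """True if addr is a valid IPv4 address inside an RFC 1918 block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an address at all (e.g. 999.1.1.1)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def parse_hop(line: str):
    """Return (hop_number, address) for one tracert line, or None.

    tracert prints the hop number first and, when it resolves a name,
    the address last in square brackets; we take the last dotted quad
    on the line so both resolved and unresolved hops are handled.
    """
    parts = line.split()
    if not parts or not parts[0].isdigit():
        return None
    addrs = IPV4_RE.findall(line)
    if not addrs:
        return None  # timed-out hop ("* * *") or garbage line
    return int(parts[0]), addrs[-1]


def find_private_hops(trace_text: str):
    """List (hop, address) pairs whose address is RFC 1918 space."""
    flagged = []
    for line in trace_text.splitlines():
        hop = parse_hop(line)
        if hop is not None and is_rfc1918(hop[1]):
            flagged.append(hop)
    return flagged


if __name__ == "__main__":
    for hop, addr in find_private_hops(SAMPLE_TRACEROUTE):
        print(f"hop {hop}: {addr} is RFC 1918 space leaking into a public path")
```

Run against the quoted trace it flags hops 15 and 16 and nothing else. The same `is_rfc1918` test is what a provider-edge ingress filter enforces when it drops packets sourced from private space, which is the "explicit filtering" Howard says has to accompany any use of RFC 1918 addressing.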