On Tue, 30 May 2000, Ray Olszewski wrote:

> At 02:02 PM 5/30/00 -0600, Mullins, Ron wrote:
> >I know that if you are using NAT, you are supposed to use the private:
> >
> >10.0.0.0 - 10.255.255.255
> >172.16.0.0 - 172.31.255.255
> >192.168.0.0 - 192.268.255.255
> >
> >These are said to be "non-routing". My problem is my current employer uses a
> >11.x.x.x (parent company used 10.x.x.x). So I have the following questions:
> >
> >1. Do these private address increase security in any way?
>
> Compared to what? Using NAT behind a firewall increases security enormously.
> Using the "wrong" addresses with NAT doesn't worsen the security issues in
> any way that I know of (at least not when using Linux-based firewalls; who
> knows what proprietary routers might do with them?).
>
> >2. Since we use NAT, no 11.x.x.x addresses get to the net, so is there any
> >reason to switch, other than recommended convention?
>
> Yes. The reason you yourself suggest in question 4. I don't have a quick way
> to check if any addresses in 11.0.0.0/8 are actually in use, though.

checking by the use of ipw (IP whois, available at:
http://mjhb.marina-del-rey.ca.us/cgi-bin/ipw.pl): it says it's owned by the
US Mil:

DoD Intel Information Systems
Defense Intelligence Agency
NetName: DODIIS
Netblock: 11.0.0.0 - 11.255.255.255

> >3. Why are they "non-routing"? Or do my specs need an upgrade...and I'm
> >talking glasses. I haven't seen anything other than "you should..." in the
> >HOWTOs.
>
> By convention, they will never be assigned to any location as their public
> addresses. Hence, all private networks can use them as they see fit (subject
> to NAT'ing them for public connections), without interfering with their
> access to the public address space of the Internet.
>
> They are not "non-routing" in any technical sense. I route all the time, for
> example, between 192.168.123.0/24 and 192.168.124.0/24 within my private
> LAN. The Linux router I have on that connection routes just fine. But if I
> sent these addresses out (unMasq'd) to my ISP, they wouldn't get far; I
> expect my ISP's routers would block them, if I didn't.
>
> >4. (possibly redundant) Does using a non-private IP behind a NAT break
> >anything? (besides actually getting to real 11.x.x.x)
>
> Not that I know of. But the parenthetical really is a big deal, not a minor
> consideration.
>
> ------------------------------------"Never tell me the odds!"---
> Ray Olszewski                                        -- Han Solo
> Palo Alto, CA                                  [EMAIL PROTECTED]
> ----------------------------------------------------------------
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>

-------------------------------------
New things are always on the horizon.
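
Added example, not part of the original thread: a Python check of an internal addressing plan against the RFC 1918 private ranges, showing which public destinations become unreachable when a LAN behind NAT uses 11.x.x.x. The addressing plan, the sample destinations and the function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, written as first/last address pairs.
RFC1918_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]

def rfc1918_networks():
    """Convert the first/last pairs into CIDR networks."""
    nets = []
    for first, last in RFC1918_RANGES:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return nets

def is_rfc1918(net):
    """True if the whole network sits inside one RFC 1918 block."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(block) for block in rfc1918_networks())

def shadowed_by(dst, internal_nets):
    """Return the internal network that captures a public destination.

    A destination inside a locally used, non-RFC 1918 network is routed to
    the LAN, so the real Internet host at that address cannot be reached.
    Returns None when the destination is unaffected.
    """
    addr = ipaddress.ip_address(dst)
    for net in map(ipaddress.ip_network, internal_nets):
        if addr in net and not is_rfc1918(net):
            return net
    return None

def audit(internal_nets):
    """Map each internal network to 'rfc1918' or 'public-space'."""
    return {n: "rfc1918" if is_rfc1918(n) else "public-space"
            for n in internal_nets}

# Constructed addressing plan: the 11.x.x.x network from the question plus
# one of the 192.168.x.0/24 LANs mentioned in the reply.
INTERNAL = ["11.0.0.0/8", "192.168.123.0/24"]

if __name__ == "__main__":
    print(audit(INTERNAL))
    # Constructed sample destinations.
    for dst in ["11.22.33.44", "192.168.123.5", "198.51.100.7"]:
        print(dst, "->", shadowed_by(dst, INTERNAL))
```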

