> 1. Do these private addresses increase security in any way?

No. (If you're blocking source-routing, you've got a firewall already, and *that* is doing all of the security - the NAT just gives you the merge-nightmare you're having now, it doesn't actually make anything more secure.)

> 2. Since we use NAT, no 11.x.x.x addresses get to the net, so is there any

You *hope*. I've seen enough sites "leak" addresses that I can't take this argument seriously :-)

> 3. Why are they "non-routing"? Or do my specs need an upgrade...and I'm

The idea is since these blocks are *reserved* and have no legitimate use on the open net (anymore - 10/8 used to be the ARPAnet...) it is a legitimate hack/safety-belt for an ISP to filter them out and not propagate them to the world, as additional protection against the "leak" screwup I mentioned in (2). In practice, at least one of the net 10 leaks out there today *is* an ISP, sigh...

> 4. (possibly redundant) Does using a non-private IP behind a NAT break
> anything? (besides actually getting to real 11.x.x.x)

That should be discouragement enough. Add in the possibility that you get it wrong somehow (for example, if you *ever* take a BGP feed because you're multi-homing and don't filter it carefully, your routers may decide that all of your internal traffic *does* go over these nice 11/8 routes the DODIIS is handing you...)

> The reason I'm asking, is the amount of labor involved in becoming
> compliant.

Yep, this (merging with another NAT site) is one of the reasons that "NAT saves us from renumbering" is an outright lie. This specific case happens a lot more than you'd expect (one of the big auto vendors helped push some of the ipv6 autoconfig stuff specifically because they ran into this problem more than once :-)
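The two checks the post argues for, as an added example (not code from the original post): an ingress filter that drops reserved and internal-overlapping prefixes from an external BGP feed, and an egress check that spots addresses "leaking" past the NAT. The feed, the flows and the internal prefix `11.22.0.0/16` are constructed sample values; the RFC 1918 block list is the standard one, which covers more than the 10/8 the post mentions.

```python
import ipaddress

# RFC 1918 private blocks: never legitimate on the open net, so neither an ISP
# nor a multi-homed site should accept them from an external feed or let them out.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def filter_feed(announcements, internal_prefixes):
    """Split received (prefix, next_hop) announcements into accepted and rejected.

    A prefix is rejected if it overlaps a reserved block, or if it overlaps the
    address space used internally: an external 11/8 route must never be allowed
    to capture traffic for hosts numbered out of 11/8 behind the NAT.
    """
    internal = [ipaddress.ip_network(p) for p in internal_prefixes]
    accepted, rejected = [], []
    for prefix, next_hop in announcements:
        net = ipaddress.ip_network(prefix, strict=False)
        if any(net.overlaps(block) for block in RFC1918):
            rejected.append((prefix, "reserved (RFC 1918)"))
        elif any(net.overlaps(block) for block in internal):
            rejected.append((prefix, "overlaps internal address space"))
        else:
            accepted.append((prefix, next_hop))
    return accepted, rejected


def leaked_sources(flows, internal_prefixes):
    """Return source addresses seen on the outside of the border that should
    have been translated: private addresses and un-NATed internal ones."""
    internal = [ipaddress.ip_network(p) for p in internal_prefixes]
    leaks = []
    for src, _dst in flows:
        addr = ipaddress.ip_address(src)
        if any(addr in block for block in RFC1918 + internal):
            leaks.append(src)
    return leaks


# Constructed sample data: an internal site numbered out of 11.22/16 behind NAT.
INTERNAL = ["11.22.0.0/16"]
SAMPLE_FEED = [("198.51.100.0/24", "192.0.2.1"),
               ("10.1.0.0/16", "192.0.2.1"),      # a net 10 leak from a peer
               ("11.0.0.0/8", "192.0.2.1")]       # the real 11/8, clashes with INTERNAL
SAMPLE_FLOWS = [("203.0.113.5", "198.51.100.9"),  # properly NATed
                ("10.0.0.7", "198.51.100.9"),     # private source escaping
                ("11.22.3.4", "198.51.100.9")]    # internal host escaping the NAT

if __name__ == "__main__":
    print(filter_feed(SAMPLE_FEED, INTERNAL))
    print(leaked_sources(SAMPLE_FLOWS, INTERNAL))
```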

