Re: Non-routing IP addresses

To: "Mullins, Ron" <rmullins@DigiTerra-Inc.com>, "Debian firewall mailing list \(E-mail\)" <debian-firewall@lists.debian.org>
Subject: Re: Non-routing IP addresses
From: Ray Olszewski <ray@comarre.com>
Date: Tue, 30 May 2000 13:40:45 -0700
Message-id: <2.2.32.20000530204045.0097bf00@[192.168.1.23]>

At 02:02 PM 5/30/00 -0600, Mullins, Ron wrote:
>I know that if you are using NAT, you are supposed to use the private:
>
>10.0.0.0    - 10.255.255.255
>172.16.0.0  - 172.31.255.255
>192.168.0.0 - 192.268.255.255
>
>These are said to be "non-routing". My problem is my current employer uses a
>11.x.x.x (parent company used 10.x.x.x). So I have the following questions:
>
>1. Do these private address increase security in any way?

Compared to what? Using NAT behind a firewall increases security enormously.
Using the "wrong" addresses with NAT doesn't worsen the security issues in
any way that I know of (at least not when using Linux-based firewalls; who
knows what proprietary routers might do with them?).

>2. Since we use NAT, no 11.x.x.x addresses get to the net, so is there any
>reason to switch, other than recommended convention?

Yes. The reason you yourself suggest in question 4. I don't have a quick way
to check if any addresses in 11.0.0.0/8 are actually in use, though.

>3. Why are they "non-routing"? Or do my specs need an upgrade...and I'm
>talking glasses. I haven't seen anything other than "you should..." in the
>HOWTOs.

By convention, they will never be assigned to any location as their public
addresses. Hence, all private networks can use them as they see fit (subject
to NAT'ing them for public connections), without interfering with their
access to the public address space of the Internet.

They are not "non-routing" in any technical sense. I route all the time, for
example, between 192.168.123.0/24 and 192.168.124.0/24 within my private
LAN. The Linux router I have on that connection routes just fine. But if I
sent these addresses out (unMasq'd) to my ISP, they wouldn't get far; I
expect my ISP's routers would block them, if I didn't.

>4. (possibly redundant) Does using a non-private IP behind a NAT break
>anything? (besides actually getting to real 11.x.x.x)

Not that I know of. But the parenthetical really is a big deal, not a minor
consideration.

------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        
----------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: Non-routing IP addresses
  - From: Damon Buckwalter <damon@meta-x.net>
- Re: Non-routing IP addresses
  - From: "L. Besselink" <leen@poindexter.wirehub.nl>

Prev by Date: Non-routing IP addresses
Next by Date: Re: Basic info on ports/services
Previous by thread: Re: Non-routing IP addresses
Next by thread: Re: Non-routing IP addresses
Index(es):
- Date
- Thread