Re: Non-routing IP addresses

On Tue, 30 May 2000, Ray Olszewski wrote:

> At 02:02 PM 5/30/00 -0600, Mullins, Ron wrote:
> >I know that if you are using NAT, you are supposed to use the private:
> >
> >    -
> >  -
> > -
> >
> >These are said to be "non-routing". My problem is my current employer uses a
> >11.x.x.x (parent company used 10.x.x.x). So I have the following questions:
> >
> >1. Do these private addresses increase security in any way?
> Compared to what? Using NAT behind a firewall increases security enormously.
> Using the "wrong" addresses with NAT doesn't worsen the security issues in
> any way that I know of (at least not when using Linux-based firewalls; who
> knows what proprietary routers might do with them?).
> >2. Since we use NAT, no 11.x.x.x addresses get to the net, so is there any
> >reason to switch, other than recommended convention?
> Yes. The reason you yourself suggest in question 4. I don't have a quick way
> to check if any addresses in are actually in use, though.

checking by the use of ipw
(IP whois, available at: http://mjhb.marina-del-rey.ca.us/cgi-bin/ipw.pl):

it says it's owned by the US Mil:
DoD Intel Information Systems
	Defense Intelligence Agency

Netblock: -

> >3. Why are they "non-routing"? Or do my specs need an upgrade...and I'm
> >talking glasses. I haven't seen anything other than "you should..." in the
> >HOWTOs.
> By convention, they will never be assigned to any location as their public
> addresses. Hence, all private networks can use them as they see fit (subject
> to NAT'ing them for public connections), without interfering with their
> access to the public address space of the Internet.
> They are not "non-routing" in any technical sense. I route all the time, for
> example, between and within my private
> LAN. The Linux router I have on that connection routes just fine. But if I
> sent these addresses out (unMasq'd) to my ISP, they wouldn't get far; I
> expect my ISP's routers would block them, if I didn't.
> >4. (possibly redundant) Does using a non-private IP behind a NAT break
> >anything? (besides actually getting to real 11.x.x.x)
> Not that I know of. But the parenthetical really is a big deal, not a minor
> consideration.
> ------------------------------------"Never tell me the odds!"---
> Ray Olszewski                                        -- Han Solo
> Palo Alto, CA           	 	         ray@comarre.com        
> ----------------------------------------------------------------

New things are always on the horizon.
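
The two practical points in the thread above (an internal network numbered out of assigned public space hides the real hosts in that space, and private source addresses should never leave un-NATed) can be checked mechanically. The following is an added example, not part of the original messages; the RFC 1918 blocks are the well-known values, and the internal prefixes, flow records and function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 private-use blocks (well-known values, not copied from the thread).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr_or_net):
    """True if an IPv4 address or a whole prefix lies inside an RFC 1918 block."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

def shadowing_prefixes(internal_prefixes):
    """Internal prefixes numbered out of space that may be assigned to others."""
    return [p for p in internal_prefixes if not is_rfc1918(p)]

def shadowed(dst, internal_prefixes):
    """True if traffic to the public host dst would be routed to the LAN
    instead of the Internet, because an internal prefix covers it."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(p)
               for p in shadowing_prefixes(internal_prefixes))

def egress_leaks(flows):
    """(src, dst) flows seen on the external interface whose source is still
    a private address, i.e. packets that left without being NATed."""
    return [f for f in flows if is_rfc1918(f[0])]

# Constructed sample data: one 11.x LAN as in the question, one RFC 1918 LAN.
INTERNAL = ["11.20.0.0/16", "192.168.5.0/24"]
# Constructed flows on the outside interface (documentation address ranges).
FLOWS = [("203.0.113.7", "198.51.100.9"),    # NATed correctly
         ("192.168.5.14", "198.51.100.9")]   # leaked private source

if __name__ == "__main__":
    print("prefixes shadowing public space:", shadowing_prefixes(INTERNAL))
    print("11.20.3.4 unreachable from inside:", shadowed("11.20.3.4", INTERNAL))
    print("un-NATed egress flows:", egress_leaks(FLOWS))
```
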