
Re: Non-routing IP addresses



On Tue, 30 May 2000, Ray Olszewski wrote:

> At 02:02 PM 5/30/00 -0600, Mullins, Ron wrote:
> >I know that if you are using NAT, you are supposed to use the private:
> >
> >10.0.0.0    - 10.255.255.255
> >172.16.0.0  - 172.31.255.255
> >192.168.0.0 - 192.268.255.255
> >
> >These are said to be "non-routing". My problem is my current employer uses a
> >11.x.x.x (parent company used 10.x.x.x). So I have the following questions:
> >
> >1. Do these private addresses increase security in any way?
> 
> Compared to what? Using NAT behind a firewall increases security enormously.
> Using the "wrong" addresses with NAT doesn't worsen the security issues in
> any way that I know of (at least not when using Linux-based firewalls; who
> knows what proprietary routers might do with them?).
> 
> >2. Since we use NAT, no 11.x.x.x addresses get to the net, so is there any
> >reason to switch, other than recommended convention?
> 
> Yes. The reason you yourself suggest in question 4. I don't have a quick way
> to check if any addresses in 11.0.0.0/8 are actually in use, though.

checking by the use of ipw
(IP whois, available at: http://mjhb.marina-del-rey.ca.us/cgi-bin/ipw.pl):

it says it's owned by the US Mil:
DoD Intel Information Systems
	Defense Intelligence Agency

NetName: DODIIS
Netblock: 11.0.0.0 - 11.255.255.255

> 
> >3. Why are they "non-routing"? Or do my specs need an upgrade...and I'm
> >talking glasses. I haven't seen anything other than "you should..." in the
> >HOWTOs.
> 
> By convention, they will never be assigned to any location as their public
> addresses. Hence, all private networks can use them as they see fit (subject
> to NAT'ing them for public connections), without interfering with their
> access to the public address space of the Internet.
> 
> They are not "non-routing" in any technical sense. I route all the time, for
> example, between 192.168.123.0/24 and 192.168.124.0/24 within my private
> LAN. The Linux router I have on that connection routes just fine. But if I
> sent these addresses out (unMasq'd) to my ISP, they wouldn't get far; I
> expect my ISP's routers would block them, if I didn't.
> 
> >4. (possibly redundant) Does using a non-private IP behind a NAT break
> >anything? (besides actually getting to real 11.x.x.x)
> 
> Not that I know of. But the parenthetical really is a big deal, not a minor
> consideration.
> 
> ------------------------------------"Never tell me the odds!"---
> Ray Olszewski                                        -- Han Solo
> Palo Alto, CA           	 	         ray@comarre.com        
> ----------------------------------------------------------------


-------------------------------------
New things are always on the horizon.
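
Added example, not part of the original thread: a Python sketch of the point behind question 4, that numbering a NAT'd LAN with non-private addresses hides the real owners of those addresses from hosts inside. The function names and the sample prefixes are assumptions chosen for illustration; the private blocks are the three ranges listed in the thread.

```python
import ipaddress

# The three private blocks listed in the thread (RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def shadowed_public_space(lan_prefixes):
    """Return the parts of the internal prefixes that lie outside the
    private blocks. Hosts behind the NAT treat these as local, so the
    real Internet hosts holding those addresses become unreachable."""
    shadowed = []
    for prefix in map(ipaddress.ip_network, lan_prefixes):
        pieces = [prefix]
        for block in PRIVATE_BLOCKS:
            remaining = []
            for piece in pieces:
                if piece.subnet_of(block):
                    continue                      # entirely private: no conflict
                if block.subnet_of(piece):
                    # Keep only what is left after carving out the private block.
                    remaining.extend(piece.address_exclude(block))
                else:
                    remaining.append(piece)       # disjoint from this block
            pieces = remaining
        shadowed.extend(pieces)
    return list(ipaddress.collapse_addresses(shadowed))


def reachable_through_nat(dest, lan_prefixes):
    """False when dest is a public address hidden by the LAN's own numbering."""
    addr = ipaddress.ip_address(dest)
    return not any(addr in net for net in shadowed_public_space(lan_prefixes))


if __name__ == "__main__":
    # Constructed sample: the 11.x.x.x LAN from the question, and the
    # 192.168.x.x LANs from the reply.
    for lan in (["11.0.0.0/8"], ["192.168.123.0/24", "192.168.124.0/24"]):
        print(lan, "shadows", [str(n) for n in shadowed_public_space(lan)])
    print("11.1.2.3 reachable:", reachable_through_nat("11.1.2.3", ["11.0.0.0/8"]))
```
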



