Re: Non-routing IP addresses
On Tue, 30 May 2000, Ray Olszewski wrote:
> At 02:02 PM 5/30/00 -0600, Mullins, Ron wrote:
> >I know that if you are using NAT, you are supposed to use the private:
> >
> >10.0.0.0 - 10.255.255.255
> >172.16.0.0 - 172.31.255.255
> >192.168.0.0 - 192.268.255.255
> >
> >These are said to be "non-routing". My problem is my current employer uses a
> >11.x.x.x (parent company used 10.x.x.x). So I have the following questions:
> >
> >1. Do these private address increase security in any way?
>
> Compared to what? Using NAT behind a firewall increases security enormously.
> Using the "wrong" addresses with NAT doesn't worsen the security issues in
> any way that I know of (at least not when using Linux-based firewalls; who
> knows what proprietary routers might do with them?).
>
> >2. Since we use NAT, no 11.x.x.x addresses get to the net, so is there any
> >reason to switch, other than recommended convention?
>
> Yes. The reason you yourself suggest in question 4. I don't have a quick way
> to check if any addresses in 11.0.0.0/8 are actually in use, though.
Checking by the use of ipw
(IP whois, available at: http://mjhb.marina-del-rey.ca.us/cgi-bin/ipw.pl),
it says it's owned by the US Mil:
DoD Intel Information Systems
Defense Intelligence Agency
NetName: DODIIS
Netblock: 11.0.0.0 - 11.255.255.255
>
> >3. Why are they "non-routing"? Or do my specs need an upgrade...and I'm
> >talking glasses. I haven't seen anything other than "you should..." in the
> >HOWTOs.
>
> By convention, they will never be assigned to any location as their public
> addresses. Hence, all private networks can use them as they see fit (subject
> to NAT'ing them for public connections), without interfering with their
> access to the public address space of the Internet.
>
> They are not "non-routing" in any technical sense. I route all the time, for
> example, between 192.168.123.0/24 and 192.168.124.0/24 within my private
> LAN. The Linux router I have on that connection routes just fine. But if I
> sent these addresses out (unMasq'd) to my ISP, they wouldn't get far; I
> expect my ISP's routers would block them, if I didn't.
>
> >4. (possibly redundant) Does using a non-private IP behind a NAT break
> >anything? (besides actually getting to real 11.x.x.x)
>
> Not that I know of. But the parenthetical really is a big deal, not a minor
> consideration.
>
> ------------------------------------"Never tell me the odds!"---
> Ray Olszewski -- Han Solo
> Palo Alto, CA ray@comarre.com
> ----------------------------------------------------------------
-------------------------------------
New things are always on the horizon.
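
Added example, not part of the original thread: a small IPv4-only audit of internal LAN prefixes against the three private blocks listed above. It reports which parts of a prefix fall in public address space, which are the destinations hosts behind the NAT can no longer reach (the 11.x.x.x case discussed in question 4). The function names `shadowed` and `classify` and the sample prefixes are assumptions made for this illustration.

```python
import ipaddress

# The three private blocks listed in the thread (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def shadowed(prefix):
    """Return the parts of an internal prefix that fall outside RFC 1918.

    Hosts numbered from such a prefix treat those destinations as local,
    so the real Internet hosts in that range become unreachable.
    """
    remaining = [ipaddress.ip_network(prefix, strict=True)]
    for block in RFC1918:
        kept = []
        for net in remaining:
            if net.subnet_of(block):
                continue  # fully private, nothing is shadowed
            if block.subnet_of(net):
                # Prefix is wider than the private block: carve the block out.
                kept.extend(net.address_exclude(block))
            else:
                kept.append(net)
        remaining = kept
    return sorted(remaining)


def classify(prefix):
    """Return 'private', 'partial', 'public', or 'invalid' if malformed."""
    try:
        outside = shadowed(prefix)
    except (ValueError, TypeError):
        return "invalid"
    if not outside:
        return "private"
    whole = ipaddress.ip_network(prefix)
    return "public" if outside == [whole] else "partial"


if __name__ == "__main__":
    # Constructed sample of internal prefixes, not taken from a real site.
    for p in ("192.168.123.0/24", "11.0.0.0/8", "172.0.0.0/11", "192.268.0.0/16"):
        verdict = classify(p)
        parts = [] if verdict == "invalid" else [str(n) for n in shadowed(p)]
        print(f"{p:18} {verdict:8} shadows: {parts}")
```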