Re: Non-routing IP addresses
> 1. Do these private address increase security in any way?
No. (If you're blocking source-routing, you've got a firewall
already, and *that* is doing all of the security - the NAT just gives
you the merge-nightmare you're having now, it doesn't actually make
anything more secure.)
> 2. Since we use NAT, no 11.x.x.x addresses get to the net, so is there any
You *hope*. I've seen enough sites "leak" addresses that I can't take
this argument seriously :-)
> 3. Why are they "non-routing"? Or do my specs need an upgrade...and I'm
The idea is since these blocks are *reserved* and have no legitimate
use on the open net (anymore - 10/8 used to be the ARPAnet...) it is a
legitimate hack/safety-belt for an ISP to filter them out and not
propagate them to the world, as additional protection against the
"leak" screwup I mentioned in (2). In practice, at least one of the
net 10 leaks out there today *is* an ISP, sigh...
> 4. (possibly redundant) Does using a non-private IP behind a NAT break
> anything? (besides actually getting to real 11.x.x.x)
That should be discouragement enough. Add in the possibility that you
get it wrong some how (for example, if you *ever* take a BGP feed
because you're multi-homing and don't filter it carefully, your
routers may decide that all of your internal traffic *does* go over
these nice 11/8 routes the DODIIS is handing you...)
> The reason I'm asking, is the amount of labor involved in becoming
> compliant.
Yep, this (merging with another NAT site) is one of the reasons that
"NAT saves us from renumbering" is an outright lie. This specific
case happens a lot more than you'd expect (one of the big auto vendors
helped push some of the ipv6 autoconfig stuff specifically because
they ran into this problem more than once :-)
Reply to: