
Re: Non-routing IP addresses

> 1. Do these private address increase security in any way?

No.  (If you're blocking source-routing, you've got a firewall
already, and *that* is doing all of the security - the NAT just gives
you the merge-nightmare you're having now, it doesn't actually make
anything more secure.)

> 2. Since we use NAT, no 11.x.x.x addresses get to the net, so is there any

You *hope*.  I've seen enough sites "leak" addresses that I can't take
this argument seriously :-)

> 3. Why are they "non-routing"? Or do my specs need an upgrade...and I'm

The idea is since these blocks are *reserved* and have no legitimate
use on the open net (anymore - 10/8 used to be the ARPAnet...) it is a
legitimate hack/safety-belt for an ISP to filter them out and not
propagate them to the world, as additional protection against the
"leak" screwup I mentioned in (2).  In practice, at least one of the
net 10 leaks out there today *is* an ISP, sigh...

> 4. (possibly redundant) Does using a non-private IP behind a NAT break
> anything? (besides actually getting to real 11.x.x.x)

That should be discouragement enough.  Add in the possibility that you
get it wrong somehow (for example, if you *ever* take a BGP feed
because you're multi-homing and don't filter it carefully, your
routers may decide that all of your internal traffic *does* go over
these nice 11/8 routes the DODIIS is handing you...)

> The reason I'm asking, is the amount of labor involved in becoming
> compliant.

Yep, this (merging with another NAT site) is one of the reasons that
"NAT saves us from renumbering" is an outright lie.  This specific
case happens a lot more than you'd expect (one of the big auto vendors
helped push some of the ipv6 autoconfig stuff specifically because
they ran into this problem more than once :-)
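As an added example (not part of the original thread), a small Python check for the two failure modes the reply raises: internal sources showing up untranslated on the outside of the NAT (point 2), and an unfiltered BGP feed announcing routes that cover the internal blocks (point 4). All prefixes, flow records and function names here are constructed for illustration.

```python
import ipaddress

# Constructed: the site's internal blocks, i.e. the non-private 11/8 used
# behind NAT as in the thread, plus an RFC 1918 block.
INTERNAL_PREFIXES = ["11.0.0.0/8", "10.20.0.0/16"]

# Constructed: routes an upstream BGP feed might hand us (11/8 included).
BGP_FEED = ["11.0.0.0/8", "198.51.100.0/24", "10.20.4.0/22"]

# Constructed: (src, dst) flows captured on the *outside* of the NAT.
OUTBOUND_FLOWS = [
    ("203.0.113.7", "198.51.100.10"),  # properly translated
    ("10.20.3.9", "198.51.100.10"),    # RFC 1918 source leaked past NAT
    ("11.3.4.5", "192.0.2.1"),         # non-private internal source leaked
]

RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def feed_overlaps(internal, feed):
    """(internal_prefix, feed_prefix) pairs where a received route covers
    part of an internal block; accepting it could send internal traffic
    to the upstream instead of keeping it inside."""
    hits = []
    for i in map(ipaddress.ip_network, internal):
        for f in map(ipaddress.ip_network, feed):
            if i.overlaps(f):
                hits.append((str(i), str(f)))
    return hits


def filter_feed(internal, feed):
    """Keep only feed prefixes that do not overlap any internal block."""
    nets = [ipaddress.ip_network(p) for p in internal]
    return [f for f in feed
            if not any(ipaddress.ip_network(f).overlaps(n) for n in nets)]


def leaked_sources(flows, internal):
    """Sources seen outside the NAT that are RFC 1918 or internal, and so
    should have been translated; these are the 'leaks' from point 2."""
    nets = [ipaddress.ip_network(p) for p in internal] + RFC1918
    return [src for src, _dst in flows
            if any(ipaddress.ip_address(src) in n for n in nets)]
```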
