North American Network Operators Group


Re: RFC1918 addresses to permit in for VPN?

  • From: Geoffrey Zinderdine
  • Date: Fri Dec 29 19:57:46 2000

> > > One of the companies we work with has 192.168 addresses for some of the
> > > radius servers we have to talk to, we are directly connected to them so
> > > it's not a big pain but it's just so ugly.
> > .
> > .
> > That makes perfect sense to me...there is not a better way to protect a box
> > from a DOS/hack than to only give it a private address.  Why expose a box
> > to the outside world if there is not a need???
>
> Deron,
>
> Ever heard of an access list?  Didn't think so.

These are single hosts on private networks we are talking about here, not
routers.  If their only contact with the outside is through direct
connections, I can't see a good reason to waste a globally routable address
on them.

Access-lists are not a panacea; proper host security is not excused by
securing the network.  If the router itself is compromised and the
access-lists are dumped, and you have a routable address, you are SOL for
protection.  I am not suggesting that having a private address is adequate
host security, obviously, but it certainly doesn't hurt.  Aside from
offending the aesthetic sensibilities of a few network engineers, there has
been no convincing argument as to why an internal host with a few trusted
direct connections should have a globally unique address.

I can think of lots of reasons why a router on a public network *should*
have a legal address, I just don't see how that applies in this case.  And I
am sure that you can find lots of better reasons to flame BellSouth.

Best regards and Happy Holidays!

Geoff Zinderdine
Network Flunkey-at-Large



>
> > Deron J. Ringen
> > Sr. Network Architect
> > BellSouth Internet Services
>
> Typical.
>
> ---
> John Fraizer
> EnterZone, Inc
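The thread's question is which RFC1918 sources to let in over a direct link to a partner's private-addressed RADIUS servers. The following is an added example, not code from any poster, showing the kind of first-match ingress filter the discussion is arguing about: a small ACL evaluator that permits only named peer prefixes to reach the RADIUS hosts on the RADIUS ports (1812/1813), drops anything else sourced from RFC1918 space, and denies by default. The peer prefix 192.168.10.0/24, the RADIUS host 192.168.1.1 and the sample packets are all constructed for the example; they are not addresses from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The three RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Standard RADIUS authentication and accounting ports.
RADIUS_PORTS = (1812, 1813)


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 blocks."""
    a = ipaddress.ip_address(addr)
    return any(a in block for block in RFC1918)


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # source prefix to match
    dst: ipaddress.IPv4Network   # destination prefix to match
    proto: str                   # "any", "udp" or "tcp"
    dport: Optional[int]         # None matches any destination port


def build_acl(trusted_peers: List[str], radius_hosts: List[str]) -> List[Rule]:
    """Ordered, first-match ACL for the ingress side of a direct link.

    Order matters: the narrow permits for the trusted peers come first, then
    a blanket deny for every other RFC 1918 source (private space should never
    arrive from outside except over those peers), then the default deny.
    Keeping the RFC 1918 deny explicit means a later, broader permit appended
    at the end still cannot admit spoofed private sources.
    """
    rules: List[Rule] = []
    for peer in trusted_peers:
        for host in radius_hosts:
            for port in RADIUS_PORTS:
                rules.append(Rule("permit", ipaddress.ip_network(peer),
                                  ipaddress.ip_network(host), "udp", port))
    for block in RFC1918:
        rules.append(Rule("deny", block, ANY, "any", None))
    rules.append(Rule("deny", ANY, ANY, "any", None))
    return rules


def evaluate(acl: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first rule that matches the packet.

    Falls through to "deny" if no rule matches, mirroring an implicit deny.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


if __name__ == "__main__":
    # Constructed peer prefix and RADIUS host for the demonstration.
    acl = build_acl(["192.168.10.0/24"], ["192.168.1.1"])
    packets = [
        ("192.168.10.5", "192.168.1.1", "udp", 1812),   # trusted peer, RADIUS auth
        ("192.168.10.5", "192.168.1.1", "udp", 22),     # trusted peer, wrong port
        ("10.9.9.9", "192.168.1.1", "udp", 1812),       # untrusted private source
        ("203.0.113.7", "192.168.1.1", "udp", 1812),    # public source
    ]
    for pkt in packets:
        print(pkt, "->", evaluate(acl, *pkt))
```

The evaluator models only the router-side control the thread calls an access-list; it says nothing about whether the RADIUS host itself is hardened, which is the separate point the post is making.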