North American Network Operators Group


Re: RFC1918 addresses to permit in for VPN?

  • From: Randy Bush
  • Date: Sun Dec 31 19:06:55 2000

> Your points are valid, but when did we begin discussing NATs in this thread?

    From: Randy Bush <[email protected]>
    To: "Deron J. Ringen" <[email protected]>
    Cc: "Simon Lyall" <[email protected]>, <[email protected]>
    Subject: RE: RFC1918 addresses to permit in for VPN?
    Date: Sun, 31 Dec 2000 11:29:20 -0800

    > That makes perfect sense to me...there is not a better way to protect
    > a box from a DOS/hack than to only give it a private address.

    this is a common fantasy.  changing its license plate does not
    change the vulnerability of your car to an accident.

    randy

i figured that "protect a box from a DOS attack than to give it a private
address" was natted.  but you're right, my assumption could have been
incorrect.  apologies.

> I thought that this was another discussion about using RFC 1918 address
> space on publicly visible interfaces.

we seem to have taken a couple of derived threads from that.

and i have trouble staying polite about that disease.  it seems to usually
start with two delusions:
  o the inter-router links will take a lot of space, which /30s (and soon
    /31s) do not.
  o they are 'inside' the network so will not affect outsiders.

i.e. section 3 of 1918 clearly states

   Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise
   links, and packets with private source or destination addresses
   should not be forwarded across such links.

so any isp which lets the outside world see a packet with a source in 1918
space is in direct violation of 1918.

> People are afraid, without reason, of ARIN and the other RIRs

i would not say without reason.  we have an entire sub-department to deal
with address space acquisition and assignment.  the small new isp may find the
process daunting, and the traditional attitude of some rirs has not always
been customer friendly (this is changing at last).

randy
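The section 3 rule quoted above, turned into a check an operator could run over packet or flow records from their border links, as an added example that is not part of the thread: it flags every packet that crossed an inter-enterprise interface with an RFC 1918 source or destination, including the ICMP replies from inter-router /30s numbered out of private space that make those "inside" links visible to outsiders. The interface names, the flow-record shape and the sample records are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# The three private blocks defined in RFC 1918 section 3.
RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)

@dataclass
class Flow:
    iface: str      # interface the packet crossed (constructed names)
    direction: str  # "in" (from outside) or "out" (towards outside)
    src: str
    dst: str
    note: str = ""

def rfc1918_violations(flows, external_ifaces):
    """Return (flow, reason) for each packet that crossed an inter-enterprise
    link with a private source or destination (RFC 1918 section 3)."""
    findings = []
    for f in flows:
        if f.iface not in external_ifaces:
            continue  # LAN and inter-router links may carry 1918 traffic
        if is_rfc1918(f.src):
            findings.append((f, f"{f.direction}bound private source {f.src}"))
        elif is_rfc1918(f.dst):
            findings.append((f, f"{f.direction}bound private dest {f.dst}"))
    return findings

# Constructed sample records: interface names and addresses are made up.
EXTERNAL_IFACES = {"transit0"}
SAMPLE_FLOWS = [
    # Time-exceeded from a /30 numbered out of 10/8: seen by any outside traceroute.
    Flow("transit0", "out", "10.1.2.1", "203.0.113.5", "icmp ttl exceeded"),
    # Neighbouring ISP leaked a private source towards us.
    Flow("transit0", "in", "192.168.0.10", "198.51.100.7", "tcp syn"),
    # Ordinary public-to-public traffic: fine.
    Flow("transit0", "out", "198.51.100.7", "203.0.113.5", "tcp syn"),
    # Private traffic on the internal LAN interface: allowed by RFC 1918.
    Flow("lan0", "in", "172.16.4.9", "172.16.0.1", "udp"),
]

if __name__ == "__main__":
    for flow, reason in rfc1918_violations(SAMPLE_FLOWS, EXTERNAL_IFACES):
        print(f"{flow.iface}: {reason} ({flow.note})")
```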