Firewall Wizards mailing list archives

Re: NAT!!


From: Benoit Dicaire <BDicaire () nrj com>
Date: Mon, 22 Sep 1997 07:44:37 -0400

NAT (Network Address Translation) and the use of Private Address space
(see RFC1918 for more detail at ftp://ds.internic.net/rfc/rfc1918.txt)
sure seems to be the addressing method of choice by a number of folks
here. It's surprising considering the array of ramifications.

RFC 1918 focuses on private address space; RFC 1631 - The IP Network Address
Translator (NAT) should be the foundation of our recommendation on NAT use ;)

There are two kinds of NAT implementation today:
        - many private or illegal addresses to one legal, unambiguous;
        - many private or illegal addresses to many globally unambiguous.

Most firewalls use NAT to separate the internal network segment
from the internet zone access segment.  I agree the firewall is the key point
of security.

NAT does not secure a network; even worse, it has the disadvantage of taking
away the end-to-end significance of an IP address.

Too many of my customers used illegal IP address space on their internal
network; some of them even use more than one IP address space.

You should look at RFC 1916 - Enterprise Renumbering: Experience and
Information Solicitation.

Almost every enterprise needs to renumber; however, this cannot be done
overnight, and they already have an internet connection.

Imagine any Firewall implementation that uses tunneling. My Tunnel
server assigns addresses to remote clients based on my internal
addressing. I use 10.0.1.x for my Tunnel Server's subnet to serve up.
The client whom I'm trying to enable tunneling for also uses 10.0.1.x on
their local network. Client connects to the Tunnel Server o.k. (thanks
to NAT), but then gets assigned an address within their own internal
address space (behind their Firewall). Now what???

Hmm, that's an interesting one. First of all, if you look at Registered
Class A space (e.g. IBM uses 9.0), most of the owners of a Class A use it for
internal use only. They use a Class C for internet servers.

If you don't plan to do serious business with IBM, you may use 9.0 for
your internal network.

So my point is that if you are suggesting the use of RFC1918, you need
to clearly understand both the present, and future, network requirements
of the hosts who may use said addresses. If you're behind a Proxy
Firewall, and definitely will not open a plug-gw type conduit, and do
not use tunneling, then you might be fine...otherwise, I'd say get
yourself official addresses...

Russ, there is no way to get an official Class B anymore.
Do you suggest implementing IPv6 on the internal network?


---
Benoit Dicaire       | (mailto:BDicaire () NRJ Com) | NRJ Informatique     
Internet Architect   | (514) 990-7177            | HTTP://www.NRJ.Com
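One defender-side check for the tunnel address collision Russ describes above, as an added example that is not part of the original thread. It assumes the tunnel server knows (or asks the client for) the client's local prefixes, and uses Python's ipaddress module to flag a pool that overlaps those prefixes and to choose a non-overlapping pool from a list of candidates.

```python
import ipaddress
from typing import Iterable, List, Optional

# The RFC 1918 private blocks the thread discusses.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net: str) -> bool:
    """True if the whole prefix lies inside one of the RFC 1918 blocks."""
    n = ipaddress.ip_network(net, strict=False)
    return any(n.subnet_of(block) for block in RFC1918)


def tunnel_collisions(pool: str, client_lans: Iterable[str]) -> List[str]:
    """Return the client-side prefixes that overlap the tunnel's address pool.

    A remote client whose own LAN overlaps the pool would be handed an address
    that is ambiguous with hosts behind its own firewall: the failure mode
    described in the thread.  Overlap is checked in both directions, so a
    client LAN larger than the pool (e.g. a whole 10/8) is caught too.
    """
    p = ipaddress.ip_network(pool, strict=False)
    return [lan for lan in client_lans
            if p.overlaps(ipaddress.ip_network(lan, strict=False))]


def pick_pool(candidates: Iterable[str],
              client_lans: Iterable[str]) -> Optional[str]:
    """First candidate pool that collides with none of the client LANs.

    Candidates are tried in order, so list the preferred pool first.
    Returns None when every candidate collides.
    """
    lans = list(client_lans)
    for cand in candidates:
        if not tunnel_collisions(cand, lans):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: the server's 10.0.1.x pool and two remote clients,
    # one of which also uses 10.0.1.x internally (the case from the thread).
    lans = ["10.0.1.0/24", "192.168.5.0/24"]
    print(tunnel_collisions("10.0.1.0/24", lans))
    print(pick_pool(["10.0.1.0/24", "172.31.200.0/24"], lans))
```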


