Firewall Wizards mailing list archives
Re: NAT!!
From: Benoit Dicaire <BDicaire () nrj com>
Date: Mon, 22 Sep 1997 07:44:37 -0400
NAT (Network Address Translation) and the use of Private Address space (see RFC1918 for more detail at ftp://ds.internic.net/rfc/rfc1918.txt) sure seems to be the addressing method of choice by a number of folks here. It's surprising considering the array of ramifications.
RFC 1918 focuses on Private address space; RFC 1631 - The IP Network Address Translator (NAT) should be the foundation of our recommendation on NAT use ;) There are two kinds of NAT implementation today:
- many private or illegal addresses to one legal, unambiguous address;
- many private or illegal addresses to many globally unambiguous addresses.
Most of the firewalls use NAT to separate the internal network segment and the internet zone access segment. I agree the firewall is the key point of security. NAT does not secure a network; even worse, it has the disadvantage of taking away the end-to-end significance of an IP address. Too many of my customers used illegal IP address space on their internal network; some of them even use more than one IP address space. You should look at RFC 1916 - Enterprise Renumbering: Experience and Information Solicitation. Almost every enterprise needs to renumber; however, this cannot be done overnight, and they already have an internet connection.
Imagine any Firewall implementation that uses tunneling. My Tunnel server assigns addresses to remote clients based on my internal addressing. I use 10.0.1.x for my Tunnel Server's subnet to serve up. The client whom I'm trying to enable tunneling for also uses 10.0.1.x on their local network. Client connects to the Tunnel Server o.k. (thanks to NAT), but then gets assigned an address within their own internal address space (behind their Firewall). Now what???
Hmmm, that's an interesting one. First of all, if you look at Registered Class A (e.g. IBM uses 9.0), most owners of a Class A use it for internal use only. They use a Class C for internet servers. If you don't plan to do serious business with IBM, you may use 9.0 for your internal network.
So my point is that if you are suggesting the use of RFC1918, you need to clearly understand both the present, and future, network requirements of the hosts who may use said addresses. If you're behind a Proxy Firewall, and definitely will not open a plug-gw type conduit, and do not use tunneling, then you might be fine...otherwise, I'd say get yourself official addresses...
Russ, there is no way to get an official Class B anymore. Do you suggest implementing IPv6 on the internal network?
---
Benoit Dicaire | (mailto:BDicaire () NRJ Com) | NRJ Informatique
Internet Architect | (514) 990-7177 | HTTP://www.NRJ.Com
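The collision Russ describes (a tunnel server handing a remote client an address out of the same 10.0.1.x range the client already uses on its own LAN) is easy to detect before it bites. The following is an added example, not code from this thread or either of its authors: it uses Python's standard `ipaddress` module to flag a tunnel pool that overlaps a site's local networks and to pick a pool that does not. It goes slightly beyond the thread by also classifying a range as RFC 1918 or not. All subnets in it are constructed sample values.

```python
"""Detect address-space collisions between a tunnel server's client pool and a
remote site's local networks (the RFC 1918 overlap problem from the thread).

Added example; all networks below are constructed, not taken from any real site.
"""
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(network):
    """True if the whole network lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(network, strict=False)
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def find_collisions(tunnel_pool, site_networks):
    """Return the site networks (as strings) that overlap the tunnel pool.

    A client whose LAN overlaps the pool will get a tunnel address that its
    own routing table treats as local, so traffic never enters the tunnel.
    """
    pool = ipaddress.ip_network(tunnel_pool, strict=False)
    return [
        str(net)
        for net in (ipaddress.ip_network(s, strict=False) for s in site_networks)
        if pool.overlaps(net)
    ]


def pick_free_pool(site_networks, candidate_pools):
    """Return the first candidate pool that overlaps none of the site networks,
    or None if every candidate collides."""
    for candidate in candidate_pools:
        if not find_collisions(candidate, site_networks):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: server pool 10.0.1.0/24,
    # client site also numbered from 10.0.1.0/24.
    client_site = ["10.0.1.0/24", "192.168.5.0/24"]
    print("collisions:", find_collisions("10.0.1.0/24", client_site))
    print("free pool:", pick_free_pool(client_site, ["10.0.1.0/24", "10.200.0.0/24"]))
    print("9.0.0.0/8 is RFC 1918:", is_rfc1918("9.0.0.0/8"))
```

Running it reports the 10.0.1.0/24 collision, selects 10.200.0.0/24 as a usable pool, and confirms that 9.0.0.0/8 is not RFC 1918 space (it is registered to someone else, which is exactly why squatting on it is a gamble rather than a fix).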
Current thread:
- NAT!! Russ (Sep 19)
- Re: NAT!! Benoit Dicaire (Sep 22)