nanog mailing list archives
Re: RFC1918 addresses to permit in for VPN?
From: "Geoffrey Zinderdine" <gzinderdine () home com>
Date: Fri, 29 Dec 2000 18:51:56 -0600
One of the companies we work with has 192.168 address for some of the radius servers we have to talk to, we are directly connected to them so it's not a big pain but it's just so ugly.. .

That makes perfect sense to me...there is not a better way to protect a box from a DOS/hack than to only give it a private address. Why expose a box to the outside world if there is not a need???

Deron,

Ever heard of an access list? Didn't think so.

These are single hosts on private networks we are talking about here, not routers. If their only contact with the outside is through direct connections, I can't see a good reason to waste a globally routable address on them.

Access-lists are not a panacea, proper host security is not excused by securing the network. If the router itself is compromised and the access-lists are dumped, if you have a routable address you are SOL for protection. I am not suggesting that having a private address is adequate host security obviously, but it certainly doesn't hurt.

Aside from offending the aesthetic sensibilities of a few network engineers there has been no convincing argument as to why an internal host with a few trusted direct connections should have a globally unique address. I can think of lots of reasons why a router on a public network *should* have a legal address, I just don't see how that applies in this case. And I am sure that you can find lots of better reasons to flame BellSouth.

Best regards and Happy Holidays!

Geoff Zinderdine
Network Flunkey-at-Large

Deron J. Ringen
Sr. Network Architect
BellSouth Internet Services

Typical.

---
John Fraizer
EnterZone, Inc