nanog mailing list archives

Re: RFC1918 addresses to permit in for VPN?


From: "Geoffrey Zinderdine" <gzinderdine () home com>
Date: Fri, 29 Dec 2000 18:51:56 -0600


One of the companies we work with has 192.168 addresses for some of the
radius servers we have to talk to. We are directly connected to them, so
it's not a big pain, but it's just so ugly.
.
.
That makes perfect sense to me...there is not a better way to protect a
box from a DOS/hack than to only give it a private address.   Why expose a
box to the outside world if there is not a need???

Deron,

Ever heard of an access list?  Didn't think so.

These are single hosts on private networks we are talking about here, not
routers.  If their only contact with the outside is through direct
connections, I can't see a good reason to waste a globally routable address
on them.

Access-lists are not a panacea; proper host security is not excused by
securing the network.  If the router itself is compromised and the
access-lists are dumped, and you have a routable address, you are SOL for
protection.   I am not suggesting that having a private address is adequate
host security, obviously, but it certainly doesn't hurt.  Aside from
offending the aesthetic sensibilities of a few network engineers, there has
been no convincing argument as to why an internal host with a few trusted
direct connections should have a globally unique address.

I can think of lots of reasons why a router on a public network *should*
have a legal address, I just don't see how that applies in this case.  And I
am sure that you can find lots of better reasons to flame BellSouth.

Best regards and Happy Holidays!

Geoff Zinderdine
Network Flunkey-at-Large




Deron J. Ringen
Sr. Network Architect
BellSouth Internet Services

Typical.

---
John Fraizer
EnterZone, Inc
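The two protections argued over in this thread, an interface access-list in front of the RADIUS servers versus RFC 1918 addressing that keeps them off the global routing table, can be modelled side by side. The script below is an added example, not code from any of the posters; the partner prefix 203.0.113.0/24, the RADIUS server subnet 192.168.10.0/24, the UDP ports 1812/1813 and the packets it evaluates are all constructed for illustration. It shows the point Geoff makes: once the ACL is dumped from a compromised router, a host with a globally routable address is reachable from anywhere, while the RFC 1918 host remains reachable only from the directly connected partner.

```python
"""Access-list vs. RFC 1918 addressing as a reachability model.

Added example (not from the original thread).  Prefixes, ports and rule
order are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 private ranges.  Packets arriving from the Internet for these
# destinations are dropped at the edge (no route / bogon filter), so the
# ACL never even sees them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "udp", "tcp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# Constructed ACL on the link to the partner: only their RADIUS clients may
# reach the RADIUS servers on the assumed RADIUS ports; everything else is
# denied explicitly (and implicitly, as on IOS).
ACL: List[Rule] = [
    Rule("permit", "203.0.113.0/24", "192.168.10.0/24", "udp", 1812),
    Rule("permit", "203.0.113.0/24", "192.168.10.0/24", "udp", 1813),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]

# "Access-lists dumped": no ACL applied to the interface at all, which on a
# router means everything is forwarded.
NO_ACL: List[Rule] = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", "any", None)]


def acl_decision(acl: List[Rule], p: Packet) -> str:
    """First-match evaluation with an implicit deny at the end."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def reachable(p: Packet, acl: List[Rule], from_internet: bool) -> bool:
    """Is the packet delivered to its destination host?

    A packet from the Internet to an RFC 1918 destination is unroutable
    regardless of ACL state.  A packet from the directly connected partner
    (from_internet=False) is subject only to the ACL.
    """
    if from_internet and is_rfc1918(p.dst):
        return False
    return acl_decision(acl, p) == "permit"


if __name__ == "__main__":
    partner_radius = Packet("203.0.113.7", "192.168.10.5", "udp", 1812)
    partner_ssh = Packet("203.0.113.7", "192.168.10.5", "tcp", 22)
    internet_ssh_private = Packet("192.0.2.66", "192.168.10.5", "tcp", 22)
    internet_ssh_public = Packet("192.0.2.66", "198.51.100.5", "tcp", 22)
    for label, pkt, acl, inet in [
        ("partner RADIUS, ACL intact", partner_radius, ACL, False),
        ("partner ssh, ACL intact", partner_ssh, ACL, False),
        ("partner ssh, ACL dumped", partner_ssh, NO_ACL, False),
        ("Internet ssh to 192.168 host, ACL dumped", internet_ssh_private, NO_ACL, True),
        ("Internet ssh to routable host, ACL dumped", internet_ssh_public, NO_ACL, True),
    ]:
        print(f"{label}: {'delivered' if reachable(pkt, acl, inet) else 'dropped'}")
```

Running it shows the partner's RADIUS traffic passing the intact ACL and its port scan being dropped; with the ACL gone the partner can reach any port on the 192.168 host (which is why Geoff says private addressing is no substitute for host security), but an Internet source still cannot, whereas the globally routable host is wide open.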






