nanog mailing list archives

RE: RFC1918 addresses to permit in for VPN?


From: John Fraizer <nanog () EnterZone Net>
Date: Mon, 1 Jan 2001 03:00:25 -0500 (EST)


On Sun, 31 Dec 2000, Jason Lewis wrote:


I am a little lost as to what the real argument is.....

Don't use RFC1918 addresses on public networks.
or
Don't use RFC1918 addresses as a security measure.

I don't use RFC1918 addresses on public networks, but I do use them on my
backend systems and at some level I consider it a security measure.  Those
backend machines don't have access to the Internet and the private
addressing helps ensure that is true.  Is my thinking flawed?

jas



Jason,

As long as you do it BACK-END, meaning, no need or desire, or possibility
of outside access, you're fine (IMHO).

1918 has its place.  But, as Randy has stated, it is NO guarantee of
security.

We use 1918 space in our network -- It's 100% test environment,
unconnected, and secure.  If someone breaches physical security, more
power to them and SHAME ON US!  (Please, someone try!  It's been a while
since we've had someone at gunpoint and we're forgetting all of the lines 
from the Dirty Harry movies.)  (Yes, we've had people at gunpoint
before.  I doubt they'll EVER try again.)

People who use 1918 space because "they're running out of address
space" or "security" IMHO, are doing themselves a disservice.  #1, have
they ever heard of IP UNNUMBERED?  Can save a TON of address space.  And
if they're that anal about their use of world-routable address space and
are that tight on available addresses, I'm sure they'll be OK'd for more
address space from ARIN or whoever their RIR happens to be.

---
John Fraizer
EnterZone, Inc



