nanog mailing list archives

RE: RFC1918 addresses to permit in for VPN?


From: Bill Woodcock <woody () zocalo net>
Date: Sun, 31 Dec 2000 14:14:54 -0800 (PST)


      On Sun, 31 Dec 2000, Jason Lewis wrote:
    > I am a little lost as to what the real argument is.....
    > Don't use RFC1918 addresses on public networks.

A 1918 network is, by definition, not a public network.  Using a NAT to
make it one is fragile and convoluted foolishness.

    > or
    > Don't use RFC1918 addresses as a security measure.

That's the clue people are trying to convey here, yes.  RFC1918 just names
a block of IP addresses.  IP addresses are just integers.  No magic
differentiates one from the next.  i.e. there's no inherent difference,
security or otherwise, between 9.255.255.255 and 10.0.0.0.  They're just
adjacent integers in a continuous range.

If you want security, you do that by defining a security policy and
enforcing it.  Enforcing it means firing people who violate it, and
throwing away packets which violate it.

    > backend machines don't have access to the Internet and the private
    > addressing helps ensure that is true.  Is my thinking flawed?

Yes.  The fact that nobody's put up a NAT with proxy ARP on your LAN or
802.11 segment (parking lot or next-door building, that is) is the
coincidence by which your backend machines don't currently have Internet
access.

If you want to "ensure" that they don't have Internet access, or vice
versa, then you need to _discard_ packets addressed to them, received from
the Internet.  That's what a firewall does.

                                -Bill
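As an added illustration of the point made above (example code, not part of Bill's post or of the NANOG thread): a small packet-filter model in which "security" comes only from explicit discard rules, so the same backend address is reachable or not depending purely on policy and ingress interface. The interface names, the backend prefix and the sample packets are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# RFC1918 is just three integer ranges; nothing here treats them as special
# unless a rule below explicitly says so.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed topology (hypothetical): backends live in 10/8, the Internet is on
# eth0 and the internal LAN on eth1.
BACKEND_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNET_IF = "eth0"
LAN_IF = "eth1"


@dataclass
class Packet:
    ingress: str   # interface the packet arrived on
    src: str       # source IP address
    dst: str       # destination IP address


def in_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def policy(pkt):
    """Return 'accept' or 'discard'. Every decision is an explicit rule."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.ingress == INTERNET_IF:
        # Packets arriving from the Internet addressed to backends are
        # discarded; this is the rule that actually keeps them unreachable.
        if dst in BACKEND_NET:
            return "discard"
        # Anti-spoofing: an Internet-facing interface never legitimately
        # sees a packet claiming an RFC1918 source.
        if in_rfc1918(src):
            return "discard"
        return "accept"
    if pkt.ingress == LAN_IF:
        # The "vice versa" case: backends may not reach non-private space.
        if src in BACKEND_NET and not in_rfc1918(dst):
            return "discard"
        return "accept"
    return "discard"   # default deny for any interface the policy doesn't name


def without_policy(pkt):
    """What an address alone buys you: nothing. Everything is forwarded."""
    return "accept"
```

With no policy, a packet from the Internet to 10.1.2.3 is forwarded exactly like one to 9.255.255.255; only the discard rule in `policy` distinguishes them.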
