Re: Private use of non-RFC1918 IP space

[Chris Meidinger <cmeidinger () sendmail com>]

On 02.02.2009, at 18:38, Valdis.Kletnieks () vt edu wrote:

> On Mon, 02 Feb 2009 12:20:25 EST, "D'Arcy J.M. Cain" said:
> > On Mon, 02 Feb 2009 18:03:57 +0100 (CET)
> > sthaug () nethelp no wrote:
> > > > What reason could you possibly have to use non RFC 1918 space on a
> > > > closed network?  It's very bad practice - unfortunately I do see  
> > > > it done
> > > > sometimes....
> > >
> > > There are sometimes good reasons to do this, for instance to ensure
> > > uniqueness in the face of mergers and acquisitions.

Also to avoid being required to NAT at all. Security benefits IMHO  
from using RFC1918 space in a corporate network - you have an  
automatic requirement that there must be a NAT rule somewhere in order  
for a duplex connection to happen. However, in a more open environment  
like a university or a laboratory, there may be no reason to require  
all connections to be proxied/translated etc.

> > How does that help?  If you are renumbering due to a merger, couldn't
> > you just agree on separate private space just as easily?
>
> They don't renumber, they end up just double-NAT or triple-NAT  
> betweem the
> merged units.  I think one poor soul posted here that they had
> quintuple-NAT'ing going on due to a long string of mergers....

This is a bit off-topic, but I thought I'd mention that this is one  
reason I recommend use of the 172.16/12 block to people building or  
renumbering enterprise networks. Most people seem to use 10/8 in large  
organizations and 192.168/16 in smaller ones, so it raises your  
chances of not having to get into heavy natting down the road. My  
theory on this is that most people who don't deal with CIDR on a daily  
basis find the /12 netmask a bit confusing and just avoid the block at  
all.

Cheers,

Chris