nanog mailing list archives

Re: The Department of Work and Pensions, UK has an entire /8 nanog () nanog org


From: Robert Bonomi <bonomi () mail r-bonomi com>
Date: Thu, 20 Sep 2012 02:31:54 -0500 (CDT)

From jrhett () netconsonance com  Wed Sep 19 20:47:44 2012
Subject: Re: The Department of Work and Pensions, UK has an entire /8 nanog () nanog org
From: Jo Rhett <jrhett () netconsonance com>
Date: Wed, 19 Sep 2012 18:46:54 -0700
Cc: nanog () nanog org
To: Robert Bonomi <bonomi () mail r-bonomi com>



On Sep 19, 2012, at 5:59 PM, Robert Bonomi wrote:
> In the financial and/or brokerage communities, there are internal networks
> with enough 'high value'/sensitive information to justify "air gap"
> isolation from the outside world.
>
> Also, in those industries, there are 'semi-isolated' networks where
> all external communications are mediated through dual-homed
> _application-layer_ gateways. No packet-level communications between
> 'inside' and 'outside'.  The 'inside' apps only know how to talk to the
> gateway; server-side talks only to specific (pre-determined) trusted hosts
> for the specific request being processed.  NO 'transparent pass-through'
> in either direction.


You're all missing the point in grand style.  If you would stop trying
to brag about something that nearly everyone has done in their career
and pay attention to the topic you'd realize what my point was. This is
the last time I'm going to say this.

Not only do I know well those networks, I was the admin responsible for
the largest commercial one (56k routes) in existence that I'm aware of.
I was at one point cooperatively responsible for a very large one in
SEANet as well. (120k routes, 22k offices) I get what you are talking
about. That's not what I am saying.

For these networks to have gateways which connect to the outside, you
have to have an understanding of which IP networks are inside, and which
IP networks are outside. Your proxy client then forwards connections to
"outside" networks to the gateway. You can't use the same networks
inside and outside of the gateway. It doesn't work. The gateway and the
proxy clients need to know which way to route those packets.

THUS: you can't have your own IP space re-used by another company on the
Internet without breaking routing. Duh.

RFC1918 is a cooperative venture in doing exactly this, but you simply
can't use RFC1918 space if you also connect to a diverse set of other
businesses/units/partners/etc. AND there is no requirement in any IP
allocation document that you must use RFC1918 space. So acquiring unique
space and using it internally has always been legal and permitted.

Now let's avoid deliberately misunderstanding me again, alright?

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet
projects.
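An added illustration of the inside/outside decision the message says the gateway and its proxy clients have to make. This is my own example code, not anything from the thread or from the networks described in it; it uses only Python's standard ipaddress module, the function names route_decision and overlapping_prefixes are my own, and every prefix is a constructed sample (RFC1918 space and the RFC 5737 documentation ranges). It also generalises the point slightly: the overlap check runs over whole prefix lists, which is the audit you would want before connecting any new partner network through such a gateway.

```python
"""Why a proxy/application-layer gateway needs disjoint inside and outside
address space.  Added example; prefixes below are constructed samples."""
import ipaddress
from typing import Iterable, List, Tuple

Prefixes = Iterable[str]


def route_decision(dest: str, inside: Prefixes, outside: Prefixes) -> str:
    """Decide where a connection to `dest` belongs.

    'inside'    -> deliver directly on the internal network
    'outside'   -> hand to the gateway, which relays to a trusted partner host
    'ambiguous' -> the address is claimed by BOTH sides; the proxy client
                   cannot know which way to send it (the failure the post
                   describes when address space is reused)
    'unknown'   -> in neither list; a mediated network simply drops it
    """
    addr = ipaddress.ip_address(dest)
    is_inside = any(addr in ipaddress.ip_network(p) for p in inside)
    is_outside = any(addr in ipaddress.ip_network(p) for p in outside)
    if is_inside and is_outside:
        return "ambiguous"
    if is_inside:
        return "inside"
    if is_outside:
        return "outside"
    return "unknown"


def overlapping_prefixes(inside: Prefixes, outside: Prefixes) -> List[Tuple[str, str]]:
    """Return every (inside, outside) prefix pair that overlaps.

    A non-empty result means some destinations will be 'ambiguous' above,
    so the two networks cannot be joined through a gateway without
    renumbering one side.  Uses ipaddress.ip_network.overlaps(), which is
    true whenever either prefix contains the other.
    """
    clashes = []
    for i in inside:
        inet = ipaddress.ip_network(i)
        for o in outside:
            if inet.overlaps(ipaddress.ip_network(o)):
                clashes.append((i, o))
    return clashes


if __name__ == "__main__":
    # Constructed scenario 1: both we and a partner chose RFC1918 10/8 space.
    inside_rfc1918 = ["10.0.0.0/8", "192.0.2.0/24"]
    partner_rfc1918 = ["10.20.0.0/16", "198.51.100.0/24"]
    print("overlaps:", overlapping_prefixes(inside_rfc1918, partner_rfc1918))
    for host in ("10.1.2.3", "10.20.1.5", "198.51.100.7", "203.0.113.9"):
        print(host, "->", route_decision(host, inside_rfc1918, partner_rfc1918))

    # Constructed scenario 2: each side uses globally unique (here,
    # documentation) space, so every address has exactly one meaning.
    inside_unique = ["192.0.2.0/24"]
    partner_unique = ["198.51.100.0/24"]
    print("overlaps:", overlapping_prefixes(inside_unique, partner_unique))
    print("192.0.2.10 ->", route_decision("192.0.2.10", inside_unique, partner_unique))
```

The first scenario is the one the message warns about: 10.20.1.5 is a legitimate address on both sides of the gateway, so neither the proxy client nor the gateway can route it correctly. The second is the "acquire unique space and use it internally" case, where the overlap list is empty and every decision is unambiguous.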
