IP Routing Question

Gerald Combs gerald at zing.org
Wed Jan 3 21:57:36 CST 2001


On Wed, 3 Jan 2001, Monty J. Harder wrote:

> 
> On Wed, 3 Jan 2001 13:52:08 -0600 mike neuliep <mike at illiana.net> writes:
> 
> 
> > You can mix and match internal and external IPs in your own network
> > without breaking anything so long as target machines use external IPs
> > and all routers on your network are properly configured.  However,
> > doing this isn't considered a best practice.  Furthermore, by doing
> > this, you could be in
> 
> 
>   But =why= would it not be considered "best practice"?  It sounds like
> I'm properly applying the RFC 2050 criteria, which puts the highest
> priority on conservation of the IPv4 public address space.

You're also sacrificing interoperability, reliability, ease of use, and
sanity for...

        1/64th of a class C.

Ok, in your case it's 3/32nds.  Still, if you're that concerned about
address conservation, go bug Ford, IBM, Apple, UMKC, and all of those
other organizations that are using their class As and Bs in a grossly
inefficient manner.  Apple, for example, has the entire 17/8 block.  They
most likely aren't using 16-some-odd million addresses internally, and
they most certainly don't have that many addresses exposed to the public
Internet.  So why in this age of address scarcity do they still have the
17/8 block?  Why does UMKC have the entire 134.193/16 block, when it could
more reasonably and securely get by on a couple of class Cs in front of a 
private net?

Yes, you can use RFC 1918 addresses out on the open Internet.  The
Time/Warner and IDIR traceroutes show real-world examples of people doing
this.  However, it requires planning, effort, and risk that IMHO just
isn't worth what little you gain.

> 
> 
> 
> > violation of RFC2050 (this is a must read!!) because you could
> > potentially be using external IP addresses internally that never get
> > hit by outside clients.
> 
> 
>   If I were doing that, I'd just NAT the subnet and be done with it.  My
> entire premise here is to address the situation where people need to run
> servers, and therefore need public IP addresses, and for very sound
> reasons need to subnet those server farms.  Because of the
> (mis)information people get studying for MCSEs, I suspect there are quite
> a few public IPv4 addresses going to waste.
> 
> > year Ford Motor Company lost two class B networks.  They were using
> > these class Bs internally and had them firewalled from the rest of the
> > world.  Two
> 
> 
>   Damn right.  They have their pick of a Class A and 16 private Class
> B's, that they can make CIDR out of any way they want.  This is exactly
> the spirit of what I'm trying to accomplish.  There is no reason why
> these routers should waste public IP addresses to hand packets between
> each other.  They already have public IPs, so the machines can be
> addressed by anyone who needs to address them.
> 
> 
> > The standard accepted practice is to use all internal addresses for
> > everything.  To hit a target inside your company (which if it isn't
> > proxied, it is a security risk) you'll probably want your firewall to
> > statically translate it.
> 
> 
>   Now =that's= an interesting approach.  I figured that any server should
> be physically isolated from the internal network on a DMZ.
> 
> > Mr Monster, also I appreciate you making me think.  No one here at
> > work is capable of making me do that :-)
> 
>   There is no higher praise anyone can give me.  I consider it a Good
> Thing when I'm able to ask such questions, whether I have the right
> answer or not (or whether such "the", "right", or even "answer"
> meaningfully exist).  But don't be so formal with that Mister stuff.  My
> friends just call me "Monster".
> 
>   Now if I could just translate that lofty laud into a job....
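As an added example, not part of this thread: a small Python check that parses a traceroute listing (a constructed sample, not the Time/Warner or IDIR traces mentioned above) and flags hops answering from RFC 1918 space, the situation the reply says costs interoperability and reliability.

```python
import ipaddress
import re

# Constructed traceroute excerpt for illustration.  Hops 3 and 4 sit in
# RFC 1918 space on a path that otherwise uses public addresses.
SAMPLE_TRACE = """\
 1  192.0.2.1 (192.0.2.1)  0.412 ms
 2  198.51.100.9 (198.51.100.9)  5.103 ms
 3  10.1.2.3 (10.1.2.3)  7.220 ms
 4  core-rtr.example.net (172.16.5.1)  7.901 ms
 5  * * *
 6  203.0.113.7 (203.0.113.7)  12.330 ms
"""

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hop number, then either "addr (addr)", "host (addr)" or a bare address.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\()?(\d{1,3}(?:\.\d{1,3}){3})")


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def private_hops(trace: str) -> list:
    """Return (hop_number, address) for every hop in RFC 1918 space.

    Such hops are the ones whose ICMP replies are liable to be dropped by
    bogon or source-address filters elsewhere on the path, which is the
    reliability problem the thread is arguing about.  Lines that show
    only '* * *' (no reply) are skipped.
    """
    found = []
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if m and is_rfc1918(m.group(2)):
            found.append((int(m.group(1)), m.group(2)))
    return found


if __name__ == "__main__":
    for hop, addr in private_hops(SAMPLE_TRACE):
        print(f"hop {hop}: {addr} is RFC 1918 space")
```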
More information about the Kclug mailing list