[156559] in North American Network Operators' Group
Re: The Department of Work and Pensions,
Wed Sep 19 21:47:36 2012
From: Jo Rhett <jrhett@netconsonance.com>
In-Reply-To: <201209200059.q8K0xZ4f060923@mail.r-bonomi.com>
Date: Wed, 19 Sep 2012 18:46:54 -0700
To: Robert Bonomi <bonomi@mail.r-bonomi.com>
Cc: nanog@nanog.org
On Sep 19, 2012, at 5:59 PM, Robert Bonomi wrote:
> In the financial and/or brokerage communities, there are internal networks
> with enough 'high value'/sensitive information to justify "air gap"
> isolation from the outside world.
>
> Also, in those industries, there are 'semi-isolated' networks where
> all external communications are mediated through dual-homed _application-
> layer_ gateways. No packet-level communications between 'inside' and
> 'outside'. The 'inside' apps only know how to talk to the gateway; server-
> side talks only to specific (pre-determined) trusted hosts for the
> specific request being processed. NO 'transparent pass-through' in
> either direction.
You're all missing the point in grand style. If you would stop trying to brag about something that nearly everyone has done in their career and pay attention to the topic you'd realize what my point was. This is the last time I'm going to say this.

Not only do I know well those networks, I was the admin responsible for the largest commercial one (56k routes) in existence that I'm aware of. I was at one point cooperatively responsible for a very large one in SEANet as well. (120k routes, 22k offices) I get what you are talking about. That's not what I am saying.

For these networks to have gateways which connect to the outside, you have to have an understanding of which IP networks are inside, and which IP networks are outside. Your proxy client then forwards connections to "outside" networks to the gateway. You can't use the same networks inside and outside of the gateway. It doesn't work. The gateway and the proxy clients need to know which way to route those packets.

THUS: you can't have your own IP space re-used by another company on the Internet without breaking routing. Duh.

RFC1918 is a cooperative venture in doing exactly this, but you simply can't use RFC1918 space if you also connect to a diverse set of other businesses/units/partners/etc. AND there is no requirement in any IP allocation document that you must use RFC1918 space. So acquiring unique space and using it internally has always been legal and permitted.

Now let's avoid deliberately misunderstanding me again, alright?
-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
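The inside/outside decision the message describes, as an added illustration that is not part of the thread: a proxy client classifies each destination against the list of "inside" prefixes, and an overlap check shows why a partner that reuses the same RFC1918 block is never reached through the gateway while a partner on unique space is. All prefixes and addresses are constructed sample values (the partner on unique space uses the documentation range 192.0.2.0/24).

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network

# Constructed sample: the internal network numbered out of RFC1918 space.
INSIDE: List[Net] = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample partners: one also numbered from 10/8, one on unique space.
PARTNER_RFC1918: List[Net] = [ipaddress.ip_network("10.1.0.0/16")]
PARTNER_UNIQUE: List[Net] = [ipaddress.ip_network("192.0.2.0/24")]


def classify(dst: str, inside: List[Net]) -> str:
    """Proxy-client decision: talk directly if dst is in an inside prefix,
    otherwise hand the connection to the application-layer gateway."""
    addr = ipaddress.ip_address(dst)
    return "inside" if any(addr in net for net in inside) else "gateway"


def overlaps(inside: List[Net], partner: List[Net]) -> List[Tuple[Net, Net]]:
    """Return every (inside, partner) prefix pair that overlaps.
    Any hit means the classifier above cannot tell the two apart."""
    return [(a, b) for a in inside for b in partner if a.overlaps(b)]


def reachable_via_gateway(dst: str, inside: List[Net], partner: List[Net]) -> bool:
    """True only if dst is a partner address that the client will actually
    send to the gateway, i.e. no inside prefix shadows it."""
    addr = ipaddress.ip_address(dst)
    in_partner = any(addr in net for net in partner)
    return in_partner and classify(dst, inside) == "gateway"


if __name__ == "__main__":
    # A partner host in the overlapping block is misclassified as "inside"
    # and never reaches the gateway; the unique-space partner works.
    print(classify("10.1.2.3", INSIDE))                            # inside (wrong)
    print(overlaps(INSIDE, PARTNER_RFC1918))                       # one overlapping pair
    print(reachable_via_gateway("10.1.2.3", INSIDE, PARTNER_RFC1918))   # False
    print(reachable_via_gateway("192.0.2.7", INSIDE, PARTNER_UNIQUE))   # True
```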