[33153] in North American Network Operators' Group
Re: RFC1918 addresses to permit in for VPN?
daemon@ATHENA.MIT.EDU (Randy Bush)
Sun Dec 31 19:04:40 2000
From: Randy Bush <randy@psg.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Mark Mentovai <mark-list@mentovai.com>
Cc: nanog@merit.edu
Message-Id: <E14CsQI-0001XM-00@rip.psg.com>
Date: Sun, 31 Dec 2000 16:01:58 -0800
Errors-To: owner-nanog-outgoing@merit.edu
> Your points are valid, but when did we begin discussing NATs in this thread?
From: Randy Bush <randy@psg.com>
To: "Deron J. Ringen" <djr@eng.bellsouth.net>
Cc: "Simon Lyall" <simon.lyall@ihug.co.nz>, <nanog@merit.edu>
Subject: RE: RFC1918 addresses to permit in for VPN?
Date: Sun, 31 Dec 2000 11:29:20 -0800
> That makes perfect sense to me...there is not a better way to protect
> a box from a DOS/hack than to only give it a private address.
this is a common fantasy. changing its license plate does not
change the vulnerability of your car to an accident.
randy
i figured that "protect a box from a DOS attack than to give it a private
address" was natted. but you're right, my assumption could have been
incorrect. apologies.
> I thought that this was another discussion about using RFC 1918 address
> space on publicly visible interfaces.
we seem to have taken a couple of derived threads from that.
and i have trouble staying polite about that disease. it seems to usually
start with two delusions:
o the inter-router links will take a lot of space, which /30s (and soon
/31s) do not.
o they are 'inside' the network so will not affect outsiders.
i.e. section 3 of 1918 clearly states
Because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise
links, and packets with private source or destination addresses
should not be forwarded across such links.
so any isp which lets the outside world see a packet with a source in 1918
space is in direct violation of 1918.
> People are afraid, without reason, of ARIN and the other RIRs
i would not say without reason. we have an entire sub-department to deal
with address space acquisition and assignment. the small new isp may find the
process daunting, and the traditional attitude of some rirs has not always
been customer friendly (this is changing at last).
randy
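The RFC 1918 section 3 rule quoted above (no private source or destination across an inter-enterprise link, no routing information about private networks propagated) is easy to state and routinely mis-implemented. The following is an added example, not code from the thread or from any of its participants, showing both halves of the rule as a border filter applied to a handful of constructed packets and candidate route announcements. The function and type names (`is_rfc1918`, `border_decision`, `prefix_is_announceable`, `Packet`) and the sample addresses are assumptions chosen for illustration; the three RFC 1918 blocks are the only data taken from the RFC. One caveat a practitioner will want: Python's `ip_address(...).is_private` is broader than RFC 1918 (it also matches TEST-NET, loopback, link-local and other special-use space), so the example enumerates the 1918 blocks explicitly rather than relying on it.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple

# The three RFC 1918 section 3 private blocks, enumerated explicitly.
# Deliberately NOT ipaddress.is_private, which also covers TEST-NET,
# loopback, link-local and other special-use space outside RFC 1918.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False  # RFC 1918 defines IPv4 space only
    return any(ip in block for block in RFC1918_BLOCKS)


class Packet(NamedTuple):
    """Minimal stand-in for the fields a border ACL looks at (assumed type)."""
    src: str
    dst: str


def border_decision(pkt: Packet) -> str:
    """Apply RFC 1918 s.3 at an inter-enterprise link.

    Both the source and the destination are checked: a packet leaving with a
    private source is as much a violation as one arriving for a private
    destination. Returns a short verdict string rather than printing it.
    """
    if is_rfc1918(pkt.src):
        return "drop: private source"
    if is_rfc1918(pkt.dst):
        return "drop: private destination"
    return "forward"


def prefix_is_announceable(prefix: str) -> bool:
    """Second half of s.3: refuse to propagate routing information about
    private networks. A prefix is rejected if it overlaps 1918 space in
    either direction, so a covering supernet (e.g. 172.0.0.0/8) that would
    leak reachability for 172.16/12 is caught as well as a more-specific.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return True
    return not any(net.overlaps(block) for block in RFC1918_BLOCKS)


def filter_stream(pkts: Iterable[Packet]) -> List[Tuple[Packet, str]]:
    """Run the border rule over a sequence of packets; returns (pkt, verdict)."""
    return [(p, border_decision(p)) for p in pkts]


if __name__ == "__main__":
    # Constructed sample traffic; the public-side addresses are from the
    # documentation ranges (198.51.100/24, 203.0.113/24), not real hosts.
    sample = [
        Packet("10.0.0.1", "198.51.100.7"),        # leaking private source
        Packet("198.51.100.7", "192.168.1.1"),     # inbound to private dst
        Packet("172.32.0.1", "203.0.113.9"),       # 172.32/16 is NOT 1918
        Packet("198.51.100.7", "203.0.113.9"),     # ordinary traffic
    ]
    for pkt, verdict in filter_stream(sample):
        print(f"{pkt.src:>15} -> {pkt.dst:<15} {verdict}")
    for pfx in ("10.20.0.0/16", "172.0.0.0/8", "198.51.100.0/24"):
        print(f"announce {pfx}: {prefix_is_announceable(pfx)}")
```

Note the 172.16/12 boundary: 172.31.255.255 is private, 172.32.0.1 is not, and an ACL written as 172.0.0.0/8 (a common shortcut) both over-blocks legitimate space and, on the routing side, is exactly the kind of covering prefix `prefix_is_announceable` rejects.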