[40620] in North American Network Operators' Group
Re: NOC servers with public/private ip address
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Aug 15 11:02:14 2001
Message-Id: <200108151501.f7FF1Nb21614@foo-bar-baz.cc.vt.edu>
To: "Christopher A. Woodfield" <rekoil@semihuman.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Wed, 15 Aug 2001 10:40:12 EDT."
<20010815104012.B27014@semihuman.com>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 15 Aug 2001 11:01:23 -0400
On Wed, 15 Aug 2001 10:40:12 EDT, "Christopher A. Woodfield" said:
>
> If you're talking about assigning RFC1918 space to router interfaces that
> transit traffic, a la @home, keep in mind that this can break PMTU-D, and
> makes for messy (and slow) traceroutes when external hosts try to resolve
> unresolvable reverse DNS entries.
>
> If you're talking about giving the workstations in your
> NOC private IP addresses, using NAT to access your core routers, I see no
> more a problem with that than I do with people using home DSL routers that
> utilize NAT.

There are those who would say using a NAT on a DSL router is evil. ;)

A better solution would be to have your NOC, your status monitoring
systems, your routers, your switches - all connected to a private
subnet without using NAT. The LAST thing you want in the middle of a
crisis is trying to debug a NAT problem ;)

Whether to number your management network with a /24 out of RFC1918
space, or a /2something out of your own address space, and how heavily
firewalled/isolated to make it, will depend on your paranoia level and
how it balances against ease-of-use concerns - if you have a fully isolated
management net, it's more secure, but a bitch to fix things from home ;)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech