Re: NAT!!
Benoit Dicaire (BDicaire nrj.com)
Mon, 22 Sep 1997 07:44:37 -0400
- Next message: Ken Roy: "Re: TIS FWTK"
- Previous message: See, Matthew: "Re: Here is my plan for firewall implementation"
- Maybe in reply to: Jim Raykowski: "Here is my plan for firewall implementation"
>NAT (Network Address Translation) and the use of Private Address space
>(see RFC1918 for more detail at ftp://ds.internic.net/rfc/rfc1918.txt)
>sure seems to be the addressing method of choice by a number of folks
>here. It's surprising considering the array of ramifications.
RFC 1918 focuses on private address space; RFC 1631 - The IP Network Address
Translator (NAT) should be the foundation of our recommendation on NAT use ;)
There are two kinds of NAT implementation today:
- many private or illegal addresses to one legal, unambiguous address;
- many private or illegal addresses to many globally unambiguous addresses.
Most of the firewalls use NAT to separate the internal network segment
and the internet zone access segment. I agree the firewall is the key point
of security.
NAT does not secure a network; even worse, it has the disadvantage of taking
away the end-to-end significance of an IP address.
Too many of my customers used illegal IP address space on their internal
network; some of them even use more than one IP address space.
You should look at RFC 1916 - Enterprise Renumbering: Experience and
Information Solicitation.
Almost every enterprise needs to renumber; however, this cannot be done
overnight, and they already have an internet connection.
>Imagine any Firewall implementation that uses tunneling. My Tunnel
>server assigns addresses to remote clients based on my internal
>addressing. I use 10.0.1.x for my Tunnel Server's subnet to serve up.
>The client whom I'm trying to enable tunneling for also uses 10.0.1.x on
>their local network. Client connects to the Tunnel Server o.k. (thanks
>to NAT), but then gets assigned an address within their own internal
>address space (behind their Firewall). Now what???
Hmmm, that's an interesting one. First of all, if you look at registered
Class A blocks (e.g. IBM uses 9.0), most of the owners of a Class A use it
for internal use only. They use a Class C for internet servers.
If you don't plan to do serious business with IBM, you may use 9.0 for
your internal network.
>So my point is that if you are suggesting the use of RFC1918, you need
>to clearly understand both the present, and future, network requirements
>of the hosts who may use said addresses. If you're behind a Proxy
>Firewall, and definitely will not open a plug-gw type conduit, and do
>not use tunneling, then you might be fine...otherwise, I'd say get
>yourself official addresses...
Russ, there is no way to get an official Class B anymore.
Do you suggest implementing IPv6 on the internal network?
--- Benoit Dicaire | (mailto:BDicaireNRJ.Com) | NRJ Informatique Internet Architect | (514) 990-7177 | http://www.NRJ.Com
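The address collision described in the thread (a tunnel server handing out 10.0.1.x to a client whose own LAN is already 10.0.1.x) is easy to check for before deployment. The following is an added example, not code from the thread or its participants; the tunnel pool, the client subnets and the candidate pools are constructed sample values.

```python
import ipaddress

# Constructed sample: the tunnel server's pool from the thread (10.0.1.x)
# and a hypothetical remote client's local subnets, one of which collides.
TUNNEL_POOL = "10.0.1.0/24"
CLIENT_LANS = ["192.168.5.0/24", "10.0.1.0/25", "9.0.0.0/8"]

# The three private blocks reserved by RFC 1918.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net):
    """True if the whole network lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def find_collisions(pool, lans):
    """Return the client LANs that overlap the tunnel pool, as strings."""
    pool = ipaddress.ip_network(pool, strict=False)
    return [
        str(ipaddress.ip_network(lan, strict=False))
        for lan in lans
        if ipaddress.ip_network(lan, strict=False).overlaps(pool)
    ]


def pick_free_pool(candidates, lans):
    """Return the first candidate pool that overlaps none of the client LANs,
    or None if every candidate collides (meaning a renumbering is needed)."""
    for candidate in candidates:
        if not find_collisions(candidate, lans):
            return candidate
    return None


if __name__ == "__main__":
    print("collisions:", find_collisions(TUNNEL_POOL, CLIENT_LANS))
    print("9.0.0.0/8 is RFC 1918:", is_rfc1918("9.0.0.0/8"))
    alternatives = ["10.0.1.0/24", "192.168.5.0/24", "172.31.200.0/24"]
    print("usable pool:", pick_free_pool(alternatives, CLIENT_LANS))
```

Note that 9.0.0.0/8, suggested in the reply as a workaround, is not RFC 1918 space, so the check reports it as a non-private block.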
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT