On Sun, 31 Dec 2000, Jason Lewis wrote:

> I am a little lost as to what the real argument is.....
> Don't use RFC1918 addresses on public networks.

A 1918 network is, by definition, not a public network. Using a NAT to make it one is fragile and convoluted foolishness.

> or
> Don't use RFC1918 addresses as a security measure.

That's the clue people are trying to convey here, yes.

RFC1918 just names a block of IP addresses. IP addresses are just integers. No magic differentiates one from the next, i.e. there's no inherent difference, security or otherwise, between 9.255.255.255 and 10.0.0.0. They're just adjacent integers in a continuous range.

If you want security, you do that by defining a security policy and enforcing it. Enforcing it means firing people who violate it, and throwing away packets which violate it.

> backend machines don't have access to the Internet and the private
> addressing helps ensure that is true. Is my thinking flawed?

Yes. The fact that nobody's put up a NAT with proxy ARP on your LAN or 802.11 segment (parking lot or next-door building, that is) is the coincidence by which your backend machines don't currently have Internet access.

If you want to "ensure" that they don't have Internet access, or vice versa, then you need to _discard_ packets addressed to them, received from the Internet. That's what a firewall does.

-Bill
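An added illustration of the two points in Bill's reply (not part of the original thread): that 9.255.255.255 and 10.0.0.0 are just consecutive integers, and that backend isolation comes from a border rule that discards packets, not from the address block in use. The backend subnet 10.0.0.0/24, the public subnet 192.0.2.0/24 and the sample packets are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed example: one backend subnet behind a gateway with two interfaces.
BACKEND_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed backend subnet (RFC1918 space)
PUBLIC_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed public-facing hosts (TEST-NET-1)

class Packet(NamedTuple):
    iface: str   # interface the packet arrived on: "internet" or "lan"
    src: str
    dst: str

def adjacent(a: str, b: str) -> bool:
    """Addresses are integers: True when b is the very next address after a."""
    return int(ipaddress.ip_address(b)) - int(ipaddress.ip_address(a)) == 1

def forward_by_assumption(pkt: Packet) -> str:
    """The 'private addresses are protection' model: no rule at all.
    The gateway forwards whatever it receives, trusting that nobody will ever
    route or NAT a packet toward 10.0.0.0/24 from the outside."""
    return "forward"

def forward_by_policy(pkt: Packet) -> str:
    """The enforced model: the policy is written down as rules and packets that
    violate it are discarded at the border, regardless of address block."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.iface == "internet":
        if dst in BACKEND_NET:
            return "drop"      # backends are never reachable from the Internet
        if src in BACKEND_NET:
            return "drop"      # anti-spoofing: inside source on the outside interface
        return "forward" if dst in PUBLIC_NET else "drop"
    # Traffic originating on the LAN is allowed out by this (assumed) policy.
    return "forward"

def compare(pkt: Packet) -> tuple:
    """Decision of both models for the same packet: (assumption, policy)."""
    return forward_by_assumption(pkt), forward_by_policy(pkt)

if __name__ == "__main__":
    # 9.255.255.255 and 10.0.0.0 differ by one; only the label changes.
    print(adjacent("9.255.255.255", "10.0.0.0"))                        # True
    # Constructed packet: a backend address reached from the outside interface
    # (a stray NAT or a leaked route). Assumption forwards it; policy drops it.
    leaked = Packet("internet", "198.51.100.7", "10.0.0.5")
    print(compare(leaked))                                              # ('forward', 'drop')
    print(compare(Packet("internet", "198.51.100.7", "192.0.2.10")))    # ('forward', 'forward')
```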