On Wed, 4 Jun 2003, David G. Andersen wrote:
On Wed, Jun 04, 2003 at 12:51:51PM -0700, Christopher J. Wolff quacked:
Hello,
I would like to know if any service providers have built their access networks out using private IP space. It certainly would benefit the global IP pool but it may adversely affect users with special applications. At any rate, it sounds like good fodder for a debate.
I've got a friend who puts all of his internal servers, routers, and _customers_ on RFC1918 space and pipes them out thrugh a PNAT. Fairly small ISP - maybe 15 megabits of bandwidth - operating at the state local level.
Why on earth would they do this? What you've said implies DS3 level connectivity, so to skimp on ARIN fees seems a little ridiculous.
It's an interesting setup. Kind of fun. The stateful pnat functionality forces customers to specify exactly what inbound services they want, which can't hurt security.
It doesn't help security any more than a standard firewall or filter would. And even then, you'd have to retrain your customers to stick them behind a firewall. Hell, even without filtering packets towards our customers, I get three or four tickets a week escalated to me because some user has been told by some other vendor that we must be filtering packets because they couldn't get blah blah to work.
Every customer gets a /24 or greater, which helps convenience.
If you say so.... The customer can already achieve this by utilizing NAT themselves. Convenience is impared by having customers who can't get VoIP, VPN or Quake to work. Sure, that can be addressed, but this plan is not one with convenience in mind.
On the other hand, everyone has a NAT in front of them, which means that they get clients who would have probably been putting a NAT in front of themselves anyway. I probably wouldn't use that setup myself, but then again, I subscribe to nanog...
Yeah, I read you loud and clear. "My friend is a half-baked cluebie using techniques I'll term fun and later encourage my competitors to employ". :) Using a technology because it's "possible" is the single stupidest rationale, probably resulting in almost as much downtime as sheer incompetence. Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---