From jrhett@netconsonance.com Wed Sep 19 20:47:44 2012
Subject: Re: The Department of Work and Pensions, UK has an entire /8
From: Jo Rhett <jrhett@netconsonance.com>
Date: Wed, 19 Sep 2012 18:46:54 -0700
Cc: nanog@nanog.org
To: Robert Bonomi <bonomi@mail.r-bonomi.com>
On Sep 19, 2012, at 5:59 PM, Robert Bonomi wrote:
> In the financial and/or brokerage communities, there are internal networks with enough 'high value'/sensitive information to justify "air gap" isolation from the outside world.
>
> Also, in those industries, there are 'semi-isolated' networks where all external communications are mediated through dual-homed _application-layer_ gateways. No packet-level communications between 'inside' and 'outside'. The 'inside' apps only know how to talk to the gateway; server-side talks only to specific (pre-determined) trusted hosts for the specific request being processed. NO 'transparent pass-through' in either direction.
You're all missing the point in grand style. If you would stop trying to brag about something that nearly everyone has done in their career and pay attention to the topic you'd realize what my point was. This is the last time I'm going to say this.

Not only do I know well those networks, I was the admin responsible for the largest commercial one (56k routes) in existence that I'm aware of. I was at one point cooperatively responsible for a very large one in SEANet as well. (120k routes, 22k offices) I get what you are talking about. That's not what I am saying.

For these networks to have gateways which connect to the outside, you have to have an understanding of which IP networks are inside, and which IP networks are outside. Your proxy client then forwards connections to "outside" networks to the gateway. You can't use the same networks inside and outside of the gateway. It doesn't work. The gateway and the proxy clients need to know which way to route those packets.

THUS: you can't have your own IP space re-used by another company on the Internet without breaking routing. Duh.

RFC1918 is a cooperative venture in doing exactly this, but you simply can't use RFC1918 space if you also connect to a diverse set of other businesses/units/partners/etc. AND there is no requirement in any IP allocation document that you must use RFC1918 space. So acquiring unique space and using it internally has always been legal and permitted.

Now let's avoid deliberately misunderstanding me again, alright?
-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
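The inside/outside decision Jo describes, and the address collision that breaks it, can be made concrete with a small script. This is an added example, not code from the thread or from any network mentioned in it; the prefixes, party names and the `check_address_plan` helper are all constructed for illustration, and `192.0.2.0/24` (a documentation prefix) stands in for uniquely assigned space. It goes slightly beyond the post by checking every pair of parties the gateway connects, not just "us versus one partner".

```python
"""Proxy-client routing decision (inside -> direct, outside -> gateway) and
an address-plan overlap check across all parties a gateway connects.

Added example for the NANOG thread above; all prefixes and names are
constructed, not taken from any real network."""
import ipaddress
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network


def parse_prefixes(prefixes: Iterable[str]) -> List[Net]:
    """Parse prefix strings; strict=True rejects prefixes with host bits set,
    which is the usual sign of a typo in an address plan."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def route_decision(dst: str, inside: List[Net]) -> str:
    """What a proxy client does with a destination: 'direct' if the address
    lies in any inside prefix, otherwise 'gateway'. This is the decision
    that becomes undecidable when an inside prefix is reused outside."""
    addr = ipaddress.ip_address(dst)
    return "direct" if any(addr in net for net in inside) else "gateway"


def find_overlaps(a: List[Net], b: List[Net]) -> List[Tuple[str, str]]:
    """Every (prefix from a, prefix from b) pair that overlaps. Any hit means
    some address is claimed on both sides of the gateway."""
    return [(str(x), str(y)) for x in a for y in b if x.overlaps(y)]


def check_address_plan(parties: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Hypothetical helper: pairwise overlap check across every party the
    gateway connects (our own site plus each partner/unit). Returns
    (party_a, prefix_a, party_b, prefix_b) for each conflict; an empty list
    means every address maps to exactly one side."""
    parsed = {name: parse_prefixes(pfx) for name, pfx in parties.items()}
    conflicts = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(parsed.items(), 2):
        for pa, pb in find_overlaps(nets_a, nets_b):
            conflicts.append((name_a, pa, name_b, pb))
    return conflicts


# Constructed sample 1: we use RFC1918 space and one partner reuses part of it.
PLAN_WITH_RFC1918 = {
    "ours": ["10.1.0.0/16"],
    "partner_a": ["10.7.0.0/16"],
    "partner_b": ["10.1.128.0/17"],
}

# Constructed sample 2: same partners, but our site uses uniquely assigned
# space (192.0.2.0/24 is a documentation prefix standing in for it).
PLAN_WITH_UNIQUE = {
    "ours": ["192.0.2.0/24"],
    "partner_a": ["10.7.0.0/16"],
    "partner_b": ["10.1.128.0/17"],
}

if __name__ == "__main__":
    for label, plan in (("rfc1918", PLAN_WITH_RFC1918), ("unique", PLAN_WITH_UNIQUE)):
        print(label, "conflicts:", check_address_plan(plan))
    # 10.1.200.5 is 'direct' for us, yet it also lies inside partner_b's
    # prefix: the proxy client cannot tell which host is meant.
    print(route_decision("10.1.200.5", parse_prefixes(PLAN_WITH_RFC1918["ours"])))
```

Run it as-is to see the first plan report one conflict and the second report none; the interesting line is the last one, where an address the client sends "direct" is also a legitimate host at partner_b, which is exactly the routing ambiguity the post is about.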