If you can afford extra links for your backdoor connections, setting up private IP addresses based NOC with direct interconnection to all nodes is more secure. You can turn off telnet/ssh access to the routers from outside and only allow the private addresses to connect directly to your router(s). Drawback is you can't directly connect to them from outside anymore, but you could setup a gateway PC/firewall for this purpose. I wouldn't worry about having private addresses in the routing tables as long as you don't advertise them. Make sure you also setup localloop IP addresses for each router such that router connection are not based on any physical link. This would also make load sharing across multiple same paths alot easier. ak ----- Original Message ----- From: "Wojtek Zlobicki" <wojtekz@idirect.com> To: <nanog@merit.edu> Sent: Tuesday, August 14, 2001 2:56 PM Subject: Re: NOC servers with public/private ip address
Although I am almost religious that internet routers should NEVER have private address in the routing table
That isn't quite correct. Internet routers should never "advertise"
private
IP blocks to the global Intenet, I've never heard of anyone stating that they should not have them in their routing table. I've worked in a few NOCs in my short life and the NOC has always been on an isolated private subnet. Acess to critical hardware was only allowed from behind that subnet.
Private addressing adds an extra layer of security as well as saving valuable IP space.