The demonstration is easy.
1) Convince them that it is really no-goodnik to show private addrs on the Internet. 2) then make them believe it religiously. 3) then show them a traceroute and explain that everyone on the planet has traceroute.
The only reasonable conclusion, from that sequence, is that ALL routers and routing hosts need a static IP addr.

|> -----Original Message-----
|> From: R Z [mailto:mypop3mail@yahoo.com]
|> Sent: Tuesday, August 14, 2001 2:50 PM
|> To: nanog@merit.edu
|> Subject: NOC servers with public/private ip address
|>
|> Hi, all,
|>
|> We are an ISP with some internet routers. The question is if we should use
|> public or private ip address in NMS/NOC to manage these routers. If we want
|> to save ip address and use private ip address, we need to have private
|> address on the internet routers. Although I am almost religious that
|> internet routers should NEVER have private address in the routing table, I
|> still need more reasons to convince other people. Can someone pls tell me
|> the pros and cons of using private ip address? Is there any issue with
|> private ip address? What is the practice in your network?
|>
|> Your insight is highly appreciated.
|> Richard
|>
|> _________________________________________________________
|> Do You Yahoo!?
|> Get your free @yahoo.com address at http://mail.yahoo.com
If you're talking about assigning RFC1918 space to router interfaces that transit traffic, a la @home, keep in mind that this can break PMTU-D, and makes for messy (and slow) traceroutes when external hosts try to resolve unresolvable reverse DNS entries.

If you're talking about giving the workstations in your NOC private IP addresses, using NAT to access your core routers, I see no more a problem with that than I do with people using home DSL routers that utilize NAT.

-C

On Tue, Aug 14, 2001 at 04:59:34PM -0700, Roeland Meyer wrote:
The demonstration is easy.
1) Convince them that it is really no-goodnik to show private addrs on the Internet. 2) then make them believe it religiously. 3) then show them a traceroute and explain that everyone on the planet has traceroute.
The only reasonable conclusion, from that sequence, is that ALL routers and routing hosts need a static IP addr.
--
---------------------------
Christopher A. Woodfield          rekoil@semihuman.com
PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
On Wed, 15 Aug 2001 10:40:12 EDT, "Christopher A. Woodfield" said:
If you're talking about assigning RFC1918 space to router interfaces that transit traffic, a la @home, keep in mind that this can break PMTU-D, and makes for messy (and slow) traceroutes when external hosts try to resolve unresolvable reverse DNS entries.
If you're talking about giving the workstations in your NOC private IP addresses, using NAT to access your core routers, I see no more a problem with that than I do with people using home DSL routers that utilize NAT.
There are those who would say using a NAT on a DSL router is evil. ;)

A better solution would be to have your NOC, your status monitoring systems, your routers, your switches - all connected to a private subnet without using NAT. The LAST thing you want in the middle of a crisis is trying to debug a NAT problem ;)

Whether to number your management network with a /24 out of RFC1918 space, or a /2something out of your own address space, and how heavily firewalled/isolated to make it, will depend on your paranoia level and how it balances against ease-of-use concerns - if you have a fully isolated management net, it's more secure, but a bitch to fix things from home ;)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Wed, Aug 15, 2001 at 11:01:23AM -0400, Valdis.Kletnieks@vt.edu wrote:
Whether to number your management network with a /24 out of RFC1918 space, or a /2something out of your own address space, and how heavily firewalled/isolated to make it, will depend on your paranoia level and
Using a NAT in a NOC situation makes audit trails harder to maintain, as all administrative connections to your network devices will appear to come from (one of) the address(es) of the NAT device.

--
Jeff Gehlbach, Concord Communications <jgehlbach@concord.com>
Senior Professional Services Consultant, Atlanta
ph. 678.265.6067  fax 770.384.0183
On Wed, 15 Aug 2001 11:07:21 EDT, you said:
Using a NAT in a NOC situation makes audit trails harder to maintain, as all administrative connections to your network devices will appear to come from (one of) the address(es) of the NAT device.
Right. That too - that's why I advised against it.

Choices I see as reasonable:

1) A totally isolated management net in 1918 space.
2) A totally isolated management net in your space.
3) A firewalled management net in your space.
4) A management net in 1918 space, and a bastion host that lives in the 1918 space and your space to get stuff in/out with (no direct connections available - copy stuff to the bastion from one side, then copy out from the other).

Of course, for options (3) and (4) you need to have a very clear understanding of how you are handling security for the management net. And for options (1) and (2), you need to be careful that it *does* stay isolated - all it takes is one router that's forwarding packets for it to change into (3) or (4). ;)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
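A defender-side check for the two concerns raised in this thread, Valdis's warning that one forwarding router silently turns an "isolated" management net into a firewalled one, and Christopher's note about RFC1918 space on transit interfaces. This is an added example, not code from the thread or from any of its authors: it parses a constructed, simplified routing-table dump (a hypothetical format, not any vendor's exact output) and flags private prefixes or next hops in the transit table, plus any management-range route that is not simply connected on the management interface.

```python
"""Audit an IPv4 routing table for RFC 1918 leakage (added example, not from the thread).
Check 1: no RFC 1918 prefix, and no RFC 1918 next hop, in the transit routing table.
Check 2: the management range appears only as a connected route on the management
interface, so an "isolated" management net really stays isolated.
Lines use a constructed, simplified format: <code> <prefix> [via <next-hop>] <interface>"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROUTE_RE = re.compile(r"^(?P<code>[CSOB])\s+(?P<prefix>\S+)(?:\s+via\s+(?P<nh>\S+))?\s+(?P<intf>\S+)$")

# Constructed sample table for a transit router; addresses are documentation/RFC 1918 ranges.
SAMPLE_TABLE = """
C 192.168.100.0/24 Management0
C 203.0.113.0/30 Serial0
S 0.0.0.0/0 via 203.0.113.1 Serial0
O 198.51.100.0/24 via 203.0.113.1 Serial0
O 10.20.0.0/16 via 203.0.113.5 Serial1
S 192.168.200.0/24 via 203.0.113.9 Ethernet1
B 192.0.2.0/24 via 172.16.0.1 Serial2
"""

def parse_routes(text):
    """One dict per parsable route line; lines that do not match the format are skipped."""
    routes = []
    for m in filter(None, (ROUTE_RE.match(l.strip()) for l in text.strip().splitlines())):
        routes.append({"code": m["code"], "prefix": ipaddress.ip_network(m["prefix"]),
                       "next_hop": ipaddress.ip_address(m["nh"]) if m["nh"] else None, "intf": m["intf"]})
    return routes

def in_rfc1918(x):
    """True if prefix x lies inside, or address x belongs to, RFC 1918 space."""
    if isinstance(x, ipaddress.IPv4Network):
        return any(x.subnet_of(p) for p in RFC1918)
    return any(x in p for p in RFC1918)

def audit(routes, mgmt_net, mgmt_intf):
    """Return (finding, prefix, detail) tuples; an empty list means the table is clean."""
    findings = []
    for r in routes:
        prefix, nh, where = r["prefix"], r["next_hop"], f"via {r['next_hop']} on {r['intf']}"
        if prefix.subnet_of(mgmt_net):
            # Management space may only be directly connected on the management port.
            if not (r["code"] == "C" and r["intf"] == mgmt_intf and nh is None):
                findings.append(("mgmt-isolation", str(prefix), where))
        elif in_rfc1918(prefix):
            findings.append(("rfc1918-prefix", str(prefix), where))
        elif nh is not None and in_rfc1918(nh):
            findings.append(("private-next-hop", str(prefix), where))
    return findings

FINDINGS = audit(parse_routes(SAMPLE_TABLE), ipaddress.ip_network("192.168.0.0/16"), "Management0")
```

On the sample table this reports the 10.20.0.0/16 route learned over Serial1, the static route forwarding another management subnet out Ethernet1, and the BGP route whose next hop sits in 172.16.0.0/12.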