NOC servers with public/private ip address
Hi all, We are an ISP with some Internet routers. The question is whether we should use public or private IP addresses in the NMS/NOC to manage these routers. If we want to save IP addresses and use private IP addresses, we need to have private addresses on the Internet routers. Although I am almost religious that Internet routers should NEVER have private addresses in the routing table, I still need more reasons to convince other people. Can someone please tell me the pros and cons of using private IP addresses? Is there any issue with private IP addresses? What is the practice in your network? Your insight is highly appreciated. Richard
Although I am almost religious that internet routers should NEVER have private address in the routing table
That isn't quite correct. Internet routers should never "advertise" private IP blocks to the global Internet; I've never heard of anyone stating that they should not have them in their routing table. I've worked in a few NOCs in my short life and the NOC has always been on an isolated private subnet. Access to critical hardware was only allowed from behind that subnet. Private addressing adds an extra layer of security as well as saving valuable IP space.
If you can afford extra links for your backdoor connections, setting up a private-IP-address-based NOC with direct interconnection to all nodes is more secure. You can turn off telnet/ssh access to the routers from outside and only allow the private addresses to connect directly to your router(s). The drawback is you can't directly connect to them from outside anymore, but you could set up a gateway PC/firewall for this purpose. I wouldn't worry about having private addresses in the routing tables as long as you don't advertise them. Make sure you also set up loopback IP addresses for each router such that router connections are not based on any physical link. This would also make load sharing across multiple equal paths a lot easier.
ak

----- Original Message -----
From: "Wojtek Zlobicki" <wojtekz@idirect.com>
To: <nanog@merit.edu>
Sent: Tuesday, August 14, 2001 2:56 PM
Subject: Re: NOC servers with public/private ip address
Although I am almost religious that internet routers should NEVER have private address in the routing table
That isn't quite correct. Internet routers should never "advertise" private IP blocks to the global Internet; I've never heard of anyone stating that they should not have them in their routing table. I've worked in a few NOCs in my short life and the NOC has always been on an isolated private subnet. Access to critical hardware was only allowed from behind that subnet.
Private addressing adds an extra layer of security as well as saving valuable IP space.
Wojtek Zlobicki wrote:
Private addressing adds an extra layer of security as well as saving valuable IP space.
Be careful not to equate RFC1918 addresses with a security measure. *Especially* on publicly accessible routers. The decision to use 1918 or not should be based upon whether that interface will ever send packets to the Internet. In this case it sounds like it won't, so that would be a good thing to do. If you also want that network to be secure, you should implement an appropriate security policy with filters/firewalls/intrusion det./etc. Hopefully that policy won't require 1918 addresses to be effective :) KL
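The two pieces of advice above (ak's: a private management loopback on each router, with only the NOC's private addresses allowed to connect; Kevin Loch's: the filters, not the RFC1918 addresses, are the security control) can be put together in one router configuration. The following is an added example written for this archive page, not configuration posted by any participant in the thread. It uses Cisco IOS-style syntax, and every address, interface name and AS number in it is a constructed placeholder (RFC 1918 space for the NOC and loopback, documentation ranges 198.51.100.0/24 and AS 64496/64511 for the upstream peering).

```cisco
! Added example (not from the thread): management plane of one Internet router.
! Constructed placeholder addressing:
!   10.255.0.0/24   NOC management subnet (RFC 1918), reachable only over the
!                   dedicated "backdoor" management link
!   10.255.1.1/32   this router's management loopback (RFC 1918)
!   198.51.100.0/30 eBGP peering link to the upstream (documentation range)
!
! 1. Management loopback: NOC sessions do not depend on any physical link.
interface Loopback0
 description Management address (RFC 1918, never advertised to eBGP peers)
 ip address 10.255.1.1 255.255.255.255
!
interface GigabitEthernet0/2
 description Backdoor link to the NOC, private addressing only
 ip address 10.255.0.254 255.255.255.0
!
! 2. The filter is the security control, not the private addressing.
!    Only the NOC subnet may open a management session; telnet is disabled.
ip access-list standard NOC-MGMT
 permit 10.255.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class NOC-MGMT in
 transport input ssh
!
! SNMP read-only, restricted by the same ACL (community string is a placeholder).
snmp-server community <read-only-community> RO NOC-MGMT
!
! 3. Internet-facing interface: drop packets sourced from RFC 1918 space or
!    addressed to the management loopback, so that a customer or outside host
!    cannot reach the management plane merely by using private addresses.
ip access-list extended INET-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip any host 10.255.1.1
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream / Internet-facing link
 ip address 198.51.100.2 255.255.255.252
 ip access-group INET-IN in
!
! 4. Private space may sit in the routing table, but never leaves via eBGP.
ip prefix-list NO-RFC1918-OUT seq 5  deny 10.0.0.0/8 le 32
ip prefix-list NO-RFC1918-OUT seq 10 deny 172.16.0.0/12 le 32
ip prefix-list NO-RFC1918-OUT seq 15 deny 192.168.0.0/16 le 32
ip prefix-list NO-RFC1918-OUT seq 20 permit 0.0.0.0/0 le 24
!
router bgp 64496
 neighbor 198.51.100.1 remote-as 64511
 neighbor 198.51.100.1 prefix-list NO-RFC1918-OUT out
```

The point of the split is that removing the private addressing would not weaken the router: the vty access-class, the ingress ACL and the outbound prefix-list still decide who can reach the management plane and what is advertised. The private addresses only reduce the amount of public space consumed and keep the management network out of the Internet routing system, which is the distinction Kevin draws above.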
On Tue, 14 Aug 2001, Wojtek Zlobicki wrote:
That isn't quite correct. Internet routers should never "advertise" private IP blocks to the global Internet; I've never heard of anyone stating that they should not have them in their routing table. I've worked in a few NOCs in my short life and the NOC has always been on an isolated private subnet. Access to critical hardware was only allowed from behind that subnet.
Private addressing adds an extra layer of security as well as saving valuable IP space.
Security?! Come on. That's a lame reason. It's that kind of mindset that leads to your customers being able to manage your routers, simply because you had them secured by only being manageable from a private space.
On Wed, 15 Aug 2001, Greg Maxwell wrote:
On Tue, 14 Aug 2001, Wojtek Zlobicki wrote:
That isn't quite correct. Internet routers should never "advertise" private IP blocks to the global Internet; I've never heard of anyone stating that they should not have them in their routing table. I've worked in a few NOCs in my short life and the NOC has always been on an isolated private subnet. Access to critical hardware was only allowed from behind that subnet.
Private addressing adds an extra layer of security as well as saving valuable IP space.
Security?! Come on. That's a lame reason.
It's that kind of mindset that leads to your customers being able to manage your routers, simply because you had them secured by only being manageable from a private space.
Please, oh please, not this conversation again. He did say 'layer', implying there was more than one. You were the one that said 'only'. Let's leave this alone. andy
On Wed, 15 Aug 2001, Andy Walden wrote:
Please, oh please, not this conversation again. He did say 'layer', implying there was more than one. You were the one that said 'only'. Let's leave this alone.
Yes, that's fair. Though I will leave it at, I've yet to personally see a secure system where 1918 was one of the security measures.... Not that it's not possible, just that it encourages poor behaviors.
participants (6)
- Andy Walden
- Arman Khalili
- Greg Maxwell
- Kevin Loch
- R Z
- Wojtek Zlobicki