IP Routing Question

Monty J. Harder dmonster at juno.com
Wed Jan 3 21:27:05 CST 2001


On Wed, 3 Jan 2001 13:52:08 -0600 mike neuliep <mike at illiana.net> writes:

> You can mix and match internal and external IPs in your own network without
> breaking anything so long as target machines use external IPs and all routers
> on your network are properly configured.  However doing this isn't considered
> a best practice.  Furthermore, by doing this, you could be in

  But =why= would it not be considered "best practice"?  It sounds like
I'm properly applying the RFC 2050 criteria, which puts the highest
priority on conservation of the IPv4 public address space.

> violation of RFC2050 (this is a must read!!) because you could potentially be
> using external IP addresses internally that never get hit by outside clients.

  If I were doing that, I'd just NAT the subnet and be done with it.  My
entire premise here is to address the situation where people need to run
servers, and therefore need public IP addresses, and for very sound
reasons need to subnet those server farms.  Because of the
(mis)information people get studying for MCSEs, I suspect there are quite
a few public IPv4 addresses going to waste.

> year Ford Motor Company lost two class B networks.  They were using these
> class Bs internally and had them firewalled from the rest of the world.  Two

  Damn right.  They have their pick of a Class A and 16 private Class
B's, that they can make CIDR out of any way they want.  This is exactly
the spirit of what I'm trying to accomplish.  There is no reason why
these routers should waste public IP addresses to hand packets between
each other.  They already have public IPs, so the machines can be
addressed by anyone who needs to address them.

> The standard accepted practice is to use all internal addresses for everything.
> To hit a target inside your company (which if it isn't proxied, it is a security
> risk) you'll probably want your firewall to statically translate it.

  Now =that's= an interesting approach.  I figured that any server should
be physically isolated from the internal network on a DMZ.

> Mr Monster, also I appreciate you making me think.  No one here at work is
> capable of making me do that :-)

  There is no higher praise anyone can give me.  I consider it a Good
Thing when I'm able to ask such questions, whether I have the right
answer or not (or whether such "the", "right", or even "answer"
meaningfully exist).  But don't be so formal with that Mister stuff.  My
friends just call me "Monster".

  Now if I could just translate that lofty laud into a job....
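As an added illustration that is not part of the original thread, here is a small Python audit of the split being argued over: it flags public addresses spent on router-to-router (transit) links, and private addresses on servers that outside clients must reach (which would need the static translation on the firewall that the quoted reply mentions). The interface inventory and its addresses are constructed; RFC 1918 membership is checked against the three blocks explicitly rather than via ipaddress's is_private, which also matches documentation ranges such as 203.0.113.0/24.

```python
import ipaddress

# RFC 1918 private blocks: the "Class A" 10/8 and the "16 private Class B's"
# 172.16/12 named in the thread, plus 192.168/16.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory (hypothetical devices and addresses).
# Each entry: (device, interface, address/prefix, role).
# role "transit" = a router-to-router link; role "server" = a host that
# outside clients must be able to reach.
INVENTORY = [
    ("rtr1", "eth0", "203.0.113.1/30", "transit"),
    ("rtr2", "eth0", "203.0.113.2/30", "transit"),
    ("rtr2", "eth1", "10.1.1.1/30", "transit"),
    ("rtr3", "eth0", "10.1.1.2/30", "transit"),
    ("www1", "eth0", "203.0.113.10/28", "server"),
    ("db1", "eth0", "172.16.5.20/24", "server"),
]


def is_rfc1918(addr):
    """True if the host part of 'a.b.c.d/len' lies in an RFC 1918 block."""
    ip = ipaddress.ip_interface(addr).ip
    return any(ip in net for net in RFC1918)


def audit(inventory):
    """Report public space burned on transit links and private servers
    that would need a static NAT entry to be reachable from outside."""
    findings = {"public_on_transit": [], "private_server_needs_nat": []}
    transit_nets = set()  # distinct public networks used only to hand packets between routers
    for dev, ifname, addr, role in inventory:
        private = is_rfc1918(addr)
        if role == "transit" and not private:
            findings["public_on_transit"].append(f"{dev}:{ifname} {addr}")
            transit_nets.add(ipaddress.ip_interface(addr).network)
        elif role == "server" and private:
            findings["private_server_needs_nat"].append(f"{dev}:{ifname} {addr}")
    # Count whole networks, not interfaces: both ends of a /30 share one block.
    findings["public_addrs_consumed_by_transit"] = sum(n.num_addresses for n in transit_nets)
    return findings


if __name__ == "__main__":
    for key, value in audit(INVENTORY).items():
        print(key, value)
```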
More information about the Kclug mailing list