[6bone] Re: Internal Address Space

Chuck Yerkes chuck+6bone@snew.com
Tue, 21 May 2002 05:00:16 -0700


Quoting David F. Newman (dnewman@maraudingpirates.org):
> Hi there,
> In the old IPv4 days sites would use private address space inside a firewall 
> for either address conservation or just plain old security through obscurity.
In the old days, we'd use our real IPv4 addresses and that would
route across the Internet.  We eventually put up firewalls, and
screening routers (or screend).  As we ran out of IPv4 (they will
all be gone by 1998 or so :), RFC 1918 came along a bit after the
concept of NAT - network address translation.

Many lesser admins believe NAT to be actual firewalling (it's
neat the probes that still work with an established bit set).

> Now that a site can get a /48 to do with as they please is it necessary to use 
> private IP space anymore?  I am wondering if people out there use public 
> routable IPs on both sides of their firewall.  I figure if a node is behind a 
> firewall it is ok to have a valid IP, but I could be wrong.

Now that I have 65k Internets of address that will route (nobody
will route my class C anymore), I use actual addresses on the
machines that will take them.   I run firewalling software on my
gateways somewhat.  I also make sure that the machines on my network
are hardened.  There is no "soft chewy center" if you get past the
firewall.
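
Added example, not part of the original message: a small simulation of the point about packets "with an established bit set". It assumes a stateless inbound rule of the classic "established" kind (match any TCP segment with ACK or RST set) and compares it with a filter that tracks flows opened from inside. All names are hypothetical and the addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10
INSIDE = "2001:db8:1::"  # constructed prefix standing in for the site's inside network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def stateless_established(pkt):
    """Stateless 'established' rule: looks only at the ACK/RST bits of one packet."""
    return bool(pkt.flags & (ACK | RST))


class StatefulFilter:
    """Permits inbound packets only for flows that an inside host opened."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        # Record the flow when an inside host sends the initial SYN.
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        # A reply must mirror a recorded flow, whatever its flag bits claim.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(packets):
    """Return (stateless_verdict, stateful_verdict) for each inbound packet."""
    fw, verdicts = StatefulFilter(), []
    for pkt in packets:
        if pkt.src.startswith(INSIDE):
            fw.outbound(pkt)
        else:
            verdicts.append((stateless_established(pkt), fw.inbound(pkt)))
    return verdicts


# Constructed sample traffic: one real connection, then one unsolicited ACK.
SAMPLE = [
    Packet("2001:db8:1::10", 40000, "2001:db8:ffff::80", 80, SYN),
    Packet("2001:db8:ffff::80", 80, "2001:db8:1::10", 40000, SYN | ACK),
    Packet("2001:db8:ffff::66", 80, "2001:db8:1::10", 22, ACK),
]
```

The genuine reply is accepted by both filters; the unsolicited ACK is accepted by the flag-only rule and dropped by the flow-tracking one, which is the difference that matters when inside hosts carry globally routable addresses.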