[ale] OT move to new Colo that wants to use NAT

Michael H. Warfield mhw at WittsEnd.com
Mon Nov 10 08:46:41 EST 2008


On Sun, 2008-11-09 at 19:20 -0500, Jim Popovitch wrote:
> On Sun, Nov 9, 2008 at 19:01, Chris Fowler <cfowler at outpostsentinel.com> wrote:
> > *From our Network Administrator:
> > We're doing a NAT'd VLAN for Outpostsentinal.com, so their systems will need
> > to be set with the following IP range:
> > 10.1.1.2-17, with a gateway of 10.1.1.1.
> > Their public IPs are 65.254.217.210-225 in the same order (ie:
> > 65.254.217.210 goes to 10.1.1.2, 65.254.217.211 goes to 10.1.1.3, etc)*

> Have you tried asking them for public IPs?    If they don't have any
> to offer, ask them if they will support (BGP) your own ARIN
> allocation.

	Getting PI (Provider Independent) allocations out of ARIN is extremely
difficult and going to get more so.  I believe at one time you could not
get anything smaller than a /19 (i.e. you could not get a /20 from ARIN
directly).  That's 8192 addresses.  If you cannot justify the immediate
use and application of a very sizable portion of that allocation you
will not get it.

	This situation is going to get much worse.  Current predicted runout of
IPv4 addresses is now projected to be sometime in 2010 to 2011.  It's
just been announced that the final, last 5, IPv4 /8 blocks from IANA
have been allocated to the regional registrars, one to each RIR (ARIN,
RIPE, APNIC, LACNIC, AFRINIC).  That's it folks, no more, they're all
gone from IANA.  Now as ARIN runs down their allocations, they're going
to get tighter and tighter on their policy because the IANA well is now
dry.  They can't get any more, themselves.

> IMHO, their move to do this is both good and bad.  Good because it
> protects the idiots who lease systems they don't know how to secure,
> bad because it removes capabilities that quality technical folks need.

	NAT provides no security.  That's a total myth.  Private address
space != secure.  That's been proven by multiple break-ins and trojans
with reverse shells for years.  The only security that comes from NAT
derives purely from its connection state machine which is the same
thing in a stateful firewall.  The address translation itself, provides
no additional security only a false sense of security to the fools who
rely on it.

> -Jim P.

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
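To make Mike's point concrete, here is a small added illustration (example code written for this archive page, not anything from the thread's participants or the colo) that models the 1:1 NAT the quoted administrator described, once as pure address translation and once with the connection-state table a stateful firewall keeps. The public/private mapping is the one quoted above (65.254.217.210-225 to 10.1.1.2-17, in order); the outside address 198.51.100.7, the port numbers and the packet model are constructed for the example, and no real sockets are opened.

```python
"""Toy model of 1:1 (static) NAT with and without connection tracking.

Added example, not code from the ALE thread. Assumptions (constructed):
  - mapping is exactly the one quoted: 65.254.217.210-225 <-> 10.1.1.2-17
  - packets are 5-tuples; 198.51.100.7 is an RFC 5737 documentation address
    standing in for any outside host.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

# Quoted mapping: 65.254.217.210 -> 10.1.1.2, ..., 65.254.217.225 -> 10.1.1.17
PUBLIC_FIRST = IPv4Address("65.254.217.210")
PRIVATE_FIRST = IPv4Address("10.1.1.2")
HOST_COUNT = 16

PUBLIC_TO_PRIVATE = {PUBLIC_FIRST + i: PRIVATE_FIRST + i for i in range(HOST_COUNT)}
PRIVATE_TO_PUBLIC = {v: k for k, v in PUBLIC_TO_PRIVATE.items()}

REMOTE = IPv4Address("198.51.100.7")   # constructed outside host


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str = "tcp"


class StaticNat:
    """Pure 1:1 address rewriting, no state. Anything sent to a public
    address is translated and forwarded to the matching inside host."""

    def inbound(self, pkt):
        inside = PUBLIC_TO_PRIVATE.get(pkt.dst)
        if inside is None:
            return None
        return Packet(pkt.src, pkt.sport, inside, pkt.dport, pkt.proto)

    def outbound(self, pkt):
        public = PRIVATE_TO_PUBLIC.get(pkt.src)
        if public is None:
            return None
        return Packet(public, pkt.sport, pkt.dst, pkt.dport, pkt.proto)


class StatefulNat(StaticNat):
    """Same translation plus a connection-state table. Inbound packets are
    forwarded only if they belong to a flow an inside host started; this
    table, not the address rewriting, is what does the filtering."""

    def __init__(self):
        self.flows = set()   # (public_ip, sport, remote_ip, rport, proto)

    def outbound(self, pkt):
        out = super().outbound(pkt)
        if out is not None:
            self.flows.add((out.src, out.sport, out.dst, out.dport, out.proto))
        return out

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key not in self.flows:
            return None          # unsolicited: dropped by the state machine
        return super().inbound(pkt)


def unsolicited_inbound(nat):
    """Outside host sends a SYN to port 22 on the first public address with
    no prior flow. Returns the packet delivered inside, or None if dropped."""
    probe = Packet(REMOTE, 40000, PUBLIC_FIRST, 22)
    return nat.inbound(probe)


def inside_initiated_reply(nat):
    """10.1.1.2 opens a connection out (an ordinary HTTPS fetch, or the
    reverse-shell case the message mentions); the reply comes back in and
    is forwarded under both models, because the inside host created the
    state. Returns the reply as delivered to the inside host."""
    out = nat.outbound(Packet(PRIVATE_FIRST, 51000, REMOTE, 443))
    reply = Packet(REMOTE, 443, out.src, out.sport)
    return nat.inbound(reply)


if __name__ == "__main__":
    for cls in (StaticNat, StatefulNat):
        print(cls.__name__, "unsolicited ->", unsolicited_inbound(cls()))
        print(cls.__name__, "reply to inside-initiated ->", inside_initiated_reply(cls()))
```

Run stand-alone it prints that the unsolicited connection to 65.254.217.210:22 reaches 10.1.1.2 under `StaticNat` and is dropped under `StatefulNat`, while the reply to the inside-initiated flow is delivered under both. Swapping the 10.x addresses for public ones would change nothing in either class; the only line that ever drops a packet is the state-table check, which is exactly the stateful-firewall behaviour Mike describes.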


