Private use of non-RFC1918 IP space

Chris Meidinger cmeidinger at sendmail.com
Mon Feb 2 17:50:49 UTC 2009


On 02.02.2009, at 18:38, Valdis.Kletnieks at vt.edu wrote:

> On Mon, 02 Feb 2009 12:20:25 EST, "D'Arcy J.M. Cain" said:
>> On Mon, 02 Feb 2009 18:03:57 +0100 (CET)
>> sthaug at nethelp.no wrote:
>>>> What reason could you possibly have to use non RFC 1918 space on a
>>>> closed network?  It's very bad practice - unfortunately I do see
>>>> it done sometimes....
>>>
>>> There are sometimes good reasons to do this, for instance to ensure
>>> uniqueness in the face of mergers and acquisitions.

Also to avoid being required to NAT at all. Security benefits IMHO
from using RFC1918 space in a corporate network - you have an
automatic requirement that there must be a NAT rule somewhere in order
for a duplex connection to happen. However, in a more open environment
like a university or a laboratory, there may be no reason to require
all connections to be proxied/translated etc.

>> How does that help?  If you are renumbering due to a merger, couldn't
>> you just agree on separate private space just as easily?
>
> They don't renumber, they end up just double-NAT or triple-NAT
> between the merged units.  I think one poor soul posted here that
> they had quintuple-NAT'ing going on due to a long string of mergers....

This is a bit off-topic, but I thought I'd mention that this is one
reason I recommend use of the 172.16/12 block to people building or
renumbering enterprise networks. Most people seem to use 10/8 in large
organizations and 192.168/16 in smaller ones, so it raises your
chances of not having to get into heavy NATting down the road. My
theory on this is that most people who don't deal with CIDR on a daily
basis find the /12 netmask a bit confusing and just avoid the block at
all.

Cheers,

Chris
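An added illustration (not part of the thread above, and not code from any poster): the two practical points raised here are that the 172.16/12 block is often avoided because its /12 mask is unintuitive, and that mergers between organisations which both chose 10/8 or 192.168/16 end up forcing NAT wherever their address plans collide. The script below, built on Python's standard `ipaddress` module, shows the exact range the /12 mask covers, classifies an address against the three RFC1918 blocks, and checks two constructed address plans (hypothetical "ORG_A", "ORG_B", "ORG_C") for the overlapping prefixes that would require translation between them.

```python
"""RFC1918 helpers: which block an address falls in, what a prefix covers,
and whether two merged address plans collide (forcing NAT between them).

All address plans and sample addresses below are constructed examples.
"""
import ipaddress
from itertools import product

# The three RFC1918 private blocks.
RFC1918_BLOCKS = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def rfc1918_block(addr: str):
    """Return the RFC1918 block (as a string) containing addr, or None
    if the address is public / not RFC1918 private space."""
    ip = ipaddress.ip_address(addr)
    for block in RFC1918_BLOCKS:
        if ip in block:
            return str(block)
    return None


def block_range(prefix: str):
    """Return (netmask, first address, last address) for a CIDR prefix.
    Makes the /12 mask concrete: 172.16.0.0/12 is 172.16.0.0 - 172.31.255.255."""
    net = ipaddress.ip_network(prefix, strict=False)
    return (str(net.netmask), str(net.network_address), str(net.broadcast_address))


def overlapping_prefixes(plan_a, plan_b):
    """Return every (prefix from plan_a, prefix from plan_b) pair that overlaps.
    Each such pair is a place where the two merged networks cannot simply be
    routed together and NAT (or renumbering) becomes necessary."""
    nets_a = [ipaddress.ip_network(p, strict=False) for p in plan_a]
    nets_b = [ipaddress.ip_network(p, strict=False) for p in plan_b]
    return [(str(a), str(b)) for a, b in product(nets_a, nets_b) if a.overlaps(b)]


def nat_required(plan_a, plan_b) -> bool:
    """True if the two plans cannot coexist without translation."""
    return bool(overlapping_prefixes(plan_a, plan_b))


# Constructed address plans for three hypothetical organisations.
ORG_A = ["10.1.0.0/16", "10.2.0.0/16"]          # typical large-org 10/8 carve-out
ORG_B = ["10.1.128.0/17", "172.20.0.0/16"]      # also used 10/8 -> collides with ORG_A
ORG_C = ["172.16.0.0/14"]                       # chose the 172.16/12 block -> no collision

if __name__ == "__main__":
    print("172.16.0.0/12 covers:", block_range("172.16.0.0/12"))
    for a in ("172.31.255.255", "172.32.0.1", "10.200.3.4", "8.8.8.8"):
        print(f"{a:16} -> {rfc1918_block(a)}")
    print("A vs B overlaps:", overlapping_prefixes(ORG_A, ORG_B),
          "NAT required:", nat_required(ORG_A, ORG_B))
    print("A vs C overlaps:", overlapping_prefixes(ORG_A, ORG_C),
          "NAT required:", nat_required(ORG_A, ORG_C))
```

Note that 172.32.0.1 is classified as public: the /12 ends at 172.31.255.255, which is the boundary people most often get wrong when they treat 172.16/12 as if it were a /8 or a /16.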
