The Department of Work and Pensions, UK has an entire /8 nanog at nanog.org

Robert Bonomi bonomi at mail.r-bonomi.com
Thu Sep 20 07:31:54 UTC 2012


> From jrhett at netconsonance.com  Wed Sep 19 20:47:44 2012
> Subject: Re: The Department of Work and Pensions, UK has an entire /8 nanog at nanog.org
> From: Jo Rhett <jrhett at netconsonance.com>
> Date: Wed, 19 Sep 2012 18:46:54 -0700
> Cc: nanog at nanog.org
> To: Robert Bonomi <bonomi at mail.r-bonomi.com>
>
>
> --Apple-Mail=_C592EED8-365E-43DB-A1B1-35875736F2F8
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/plain;
> 	charset=us-ascii
>
> On Sep 19, 2012, at 5:59 PM, Robert Bonomi wrote:
> > In the financial and/or brokerage communities, there are internal =
> networks
> > with enough 'high value'/sensitive information to justify "air gap"
> > isolation from the outide world.=20
> >=20
> > Also, in those industries, there are 'semi-isolated' networks where
> > all external commnications are mediated through dual-homed =
> _application-
> > layer_ gateways. No packet-level communications between 'inside' and
> > 'outside'.  The 'inside' apps onl know how to talk to the gateway; =
> server-
> > side talks only to specific (pre-determined) trusted hosts for the
> > specific request being processed.  NO 'transparent pass-through' in
> > either direction.
>
>
> You're all missing the point in grand style.  If you would stop trying =
> to brag about something that nearly everyone has done in their career =
> and pay attention to the topic you'd realize what my point was. This is =
> the last time I'm going to say this.=20
>
> Not only do I know well those networks, I was the admin responsible for =
> the largest commercial one (56k routes) in existence that I'm aware of. =
> I was at one point cooperatively responsible for a very large one in =
> SEANet as well. (120k routes, 22k offices) I get what you are talking =
> about. That's not what I am saying.
>
> For these networks to have gateways which connect to the outside, you =
> have to have an understanding of which IP networks are inside, and which =
> IP networks are outside. Your proxy client then forwards connections to =
> "outside" networks to the gateway. You can't use the same networks =
> inside and outside of the gateway. It doesn't work. The gateway and the =
> proxy clients need to know which way to route those packets.=20
>
> THUS: you can't have your own IP space re-used by another company on the =
> Internet without breaking routing. Duh.
>
> RFC1918 is a cooperative venture in doing exactly this, but you simply =
> can't use RFC1918 space if you also connect to a diverse set of other =
> businesses/units/partners/etc. AND there is no requirement in any IP =
> allocation document that you must use RFC1918 space. So acquiring unique =
> space and using it internally has always been legal and permitted.
>
> Now let's avoid deliberately misunderstanding me again, alright?
>
> --=20
> Jo Rhett
> Net Consonance : net philanthropy to improve open source and internet =
> projects.
>
>
>
>
> --Apple-Mail=_C592EED8-365E-43DB-A1B1-35875736F2F8
> Content-Transfer-Encoding: quoted-printable
> Content-Type: text/html;
> 	charset=us-ascii
>
> <html><head></head><body style=3D"word-wrap: break-word; =
> -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
> "><div><div>On Sep 19, 2012, at 5:59 PM, Robert Bonomi =
> wrote:</div><blockquote type=3D"cite"><div>In the financial and/or =
> brokerage communities, there are internal networks<br>with enough 'high =
> value'/sensitive information to justify "air gap"<br>isolation from the =
> outide world. <br><br>Also, in those industries, there are =
> 'semi-isolated' networks where<br>all external commnications are =
> mediated through dual-homed _application-<br>layer_ gateways. No =
> packet-level communications between 'inside' and<br>'outside'.  The =
> 'inside' apps onl know how to talk to the gateway; server-<br>side talks =
> only to specific (pre-determined) trusted hosts for the<br>specific =
> request being processed.  NO 'transparent pass-through' =
> in<br>either =
> direction.<br></div></blockquote></div><div><br></div>You're all missing =
> the point in grand style.  If you would stop trying to brag about =
> something that nearly everyone has done in their career and pay =
> attention to the topic you'd realize what my point was. This is the last =
> time I'm going to say this. <div><br></div><div>Not only do I know =
> well those networks, I was the admin responsible for the largest =
> commercial one (56k routes) in existence that I'm aware of. I was at one =
> point cooperatively responsible for a very large one in SEANet as well. =
> (120k routes, 22k offices) I get what you are talking about. That's not =
> what I am saying.</div><div><br></div><div>For these networks to have =
> gateways which connect to the outside, you have to have an understanding =
> of which IP networks are inside, and which IP networks are outside. Your =
> proxy client then forwards connections to "outside" networks to the =
> gateway. You can't use the same networks inside and outside of the =
> gateway. It doesn't work. The gateway and the proxy clients need to know =
> which way to route those packets. </div><div><br></div><div>THUS: =
> you can't have your own IP space re-used by another company on the =
> Internet without breaking routing. Duh.</div><div><br></div><div>RFC1918 =
> is a cooperative venture in doing exactly this, but you simply can't use =
> RFC1918 space if you also connect to a diverse set of other =
> businesses/units/partners/etc. AND there is no requirement in any =
> IP allocation document that you must use RFC1918 space. So acquiring =
> unique space and using it internally has always been legal and =
> permitted.</div><div><br></div><div>Now let's avoid deliberately =
> misunderstanding me again, alright?</div><div><br><div>
> <span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
> color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; =
> font-variant: normal; font-weight: normal; letter-spacing: normal; =
> line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: =
> 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
> 0px; -webkit-border-horizontal-spacing: 0px; =
> -webkit-border-vertical-spacing: 0px; =
> -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
> auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span =
> class=3D"Apple-style-span" style=3D"font-size: 12px; "><div =
> style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
> margin-left: 0px; "><font face=3D"Helvetica" size=3D"3" style=3D"font: =
> normal normal normal 12px/normal Helvetica; ">-- </font></div><div =
> style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
> margin-left: 0px; "><font face=3D"Helvetica" size=3D"3" style=3D"font: =
> normal normal normal 12px/normal Helvetica; ">Jo =
> Rhett</font></div></span><span class=3D"Apple-style-span" =
> style=3D"font-size: 12px; ">Net Consonance : </span><span =
> class=3D"Apple-style-span" style=3D"font-size: 12px; ">net philanthropy =
> to improve open source and internet projects.</span><br><span =
> class=3D"Apple-style-span" style=3D"border-collapse: separate; color: =
> rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: =
> normal; font-variant: normal; font-weight: normal; letter-spacing: =
> normal; line-height: normal; orphans: 2; text-indent: 0px; =
> text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; =
> -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =
> 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
> auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
> break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
> after-white-space; "><div><div><span class=3D"Apple-style-span" =
> style=3D"font-size: 12px; "><div style=3D"margin-top: 0px; margin-right: =
> 0px; margin-bottom: 0px; margin-left: 0px; =
> "><br></div></span></div></div></div></span></span><br =
> class=3D"Apple-interchange-newline">
> </div>
> <br></div></body></html>=
>
> --Apple-Mail=_C592EED8-365E-43DB-A1B1-35875736F2F8--
>



More information about the NANOG mailing list