[Dshield] Architecture approach

Johannes B. Ullrich jullrich at euclidian.com
Fri Aug 12 11:11:27 GMT 2005


I think we are mixing up two issues here:

- NAT: Lots of people use it to share a single routed IP address among
several hosts. It will also make it harder to directly address (=target)
a system on the local network.

- Use of private address space in routers: Some ISPs use 10.x addresses
for internal routers, or for admin access in devices (e.g. DSL/Cable
modems). While there is no NAT involved here, it will still prevent
directly addressing the device from outside the ISP's network.

A bit of ASCII art here:

Internet---border router----internal router----customer

The 'border router' and the 'customer' need a public routable IP
address. However, the 'internal router' does not need one.

So aside from saving IPv4 space, this will protect the router somewhat.

However, it may make it harder for users from other networks to use
diagnostic tools (as long as all the ingress/egress filters are in place).

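The diagnostic side effect described in the message above, as an added example that is not part of the original post: it labels each hop of a traceroute as public or RFC 1918, then models a border filter that drops packets sourced from private space, so the internal router shows up as a silent hop to an outside observer. The addresses, sample output and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 blocks, listed explicitly. ipaddress.is_private is not used because
# it also returns True for the documentation ranges used as "public" below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")  # hop number, then address or '*'

# Constructed `traceroute -n` output: border router, internal router, customer.
SAMPLE = """traceroute to 203.0.113.45 (203.0.113.45), 30 hops max
 1  198.51.100.1  9.8 ms  9.7 ms  9.9 ms
 2  10.20.0.1  10.4 ms  10.2 ms  10.3 ms
 3  203.0.113.45  12.1 ms  12.0 ms  12.2 ms
"""

def classify_hops(text):
    """Return [(hop_no, address_or_None, label)] for every hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or unrelated line
        hop_no, token = int(m.group(1)), m.group(2)
        if token == "*":
            hops.append((hop_no, None, "no-reply"))
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # hostname or garbage; this sketch expects -n output
        private = any(addr in net for net in RFC1918)
        hops.append((hop_no, str(addr), "private" if private else "public"))
    return hops

def apply_border_filter(hops):
    """Model a border filter dropping packets with RFC 1918 source addresses:
    ICMP replies from privately numbered routers never reach the outside."""
    return [(n, None, "no-reply") if label == "private" else (n, a, label)
            for n, a, label in hops]

if __name__ == "__main__":
    for view, hops in (("inside ISP", classify_hops(SAMPLE)),
                       ("outside, filtered", apply_border_filter(classify_hops(SAMPLE)))):
        print(view, hops)
```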