[unisog] Public or Private IP addresses?

Scott Genung sagenung at ilstu.edu
Fri Oct 14 02:49:08 GMT 2005


At 05:43 PM 10/13/2005, Stejerean, Cosmin wrote:
>I am wondering how the network is setup at other universities and what
>people on the list think about advantages and disadvantages of picking one
>over the other.

We have used private address space at Illinois State for a number of years. 
About 12K of the addresses we have in use today reside in 10. addressing. There 
are over 17K devices that currently connect to our campus network.

We have a class B address space and migrated to private addressing many 
years ago (mid to late 90's) initially to support our migration from token 
ring to switched ethernet technologies. Today, we use it within our client 
side networks (residence halls, wireless, public jacks, etc).

Using this model, we perform address translation at the edge of our network 
within the WAN. We use our public address space to support systems that 
need public addressability such as web and email servers and then reserve 
about 50 /24 subnets for address translation using NAT (a single public IP 
address is dynamically mapped to a single private address if an off-campus 
connection is established).

Initially used to augment our public address space, we found that using 
private addressing greatly simplified our perimeter firewall policies. If 
the on-campus source address resides in private address space (ie: 10.), we 
use policy routing to direct this traffic to a firewall. If the source 
resides within public address space, this traffic bypasses the perimeter 
firewalls. Inbound traffic is directed to the firewalls based upon the 
translated address space. All traffic directed to translated addresses is 
inspected for state, and traffic for which no state exists is blocked. This 
has been a very effective approach to blocking external reconnaissance.

We also use the 172.16. address space for systems that need to reside in 
private address space for which we do not want NAT. This address space is 
used by systems that do not need to be reached from off-campus (without a 
VPN client).

At this point, the only application with which we've encountered problems under 
private addressing has been video conferencing. In this case, we have been 
testing a gateway product that advertises a single public IP address. To 
dial inbound to campus to one of these endpoints, you would dial the public 
address associated with the gateway along with an h.164 extension. We have 
not had problems with video conferencing applications originating from an 
h.323 endpoint residing in private address space.

>Cosmin Stejerean
>unisog mailing list
>unisog at lists.sans.org

Scott Genung
Manager of Networking Systems
Telecommunications and Networking
Illinois State University
124 Julian Hall
Normal, IL 61790-3500

sagenung at ilstu.edu
Phone: (309)438-7258
Web: http://www.telecom.ilstu.edu 
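The edge policy described in the message above (policy-route 10. sources to the NAT/firewall, let public sources bypass it, keep 172.16. on campus, and admit inbound traffic to translated addresses only when state exists) can be modelled in a few dozen lines. The block below is an added illustration, not code from the post or from Illinois State; the public block and NAT pool prefixes are assumptions (RFC 5737 documentation ranges), since the post only names 10. and 172.16. and does not give the university's actual class B.

```python
# Added illustration (not from the post or from Illinois State): a toy model of
# the address-space-based edge policy described in the message. PUBLIC_SPACE and
# NAT_POOL are placeholders; the post names only 10. and 172.16.
import ipaddress
from dataclasses import dataclass, field

PUBLIC_SPACE = ipaddress.ip_network("192.0.2.0/24")     # placeholder for the campus public block
NAT_SPACE = ipaddress.ip_network("10.0.0.0/8")          # client networks: NAT + stateful inspection
NONAT_PRIVATE = ipaddress.ip_network("172.16.0.0/12")   # on-campus-only systems, no NAT
NAT_POOL = ipaddress.ip_network("198.51.100.0/24")      # placeholder for the translation pool


def route_outbound(src: str) -> str:
    """Policy-routing decision for traffic leaving campus, keyed on source space."""
    addr = ipaddress.ip_address(src)
    if addr in NAT_SPACE:
        return "firewall"      # 10/8 is steered to the NAT/firewall
    if addr in PUBLIC_SPACE:
        return "bypass"        # public servers skip the perimeter firewall
    return "drop"              # 172.16/12 (and anything unknown) never leaves without a VPN


@dataclass
class EdgeNat:
    """One-to-one dynamic NAT plus a state table that gates inbound traffic."""
    pool: list = field(default_factory=lambda: list(NAT_POOL.hosts()))
    mapping: dict = field(default_factory=dict)   # private address -> public address
    state: set = field(default_factory=set)       # (public address, off-campus peer)
    blocked: list = field(default_factory=list)   # unsolicited inbound that was dropped

    def outbound(self, src_private: str, dst: str) -> str:
        """A client opens an off-campus connection: map it and record state."""
        if route_outbound(src_private) != "firewall":
            raise ValueError(f"{src_private} is not in the NAT client space")
        src = ipaddress.ip_address(src_private)
        pub = self.mapping.get(src)
        if pub is None:
            if not self.pool:
                raise RuntimeError("NAT pool exhausted")
            pub = self.pool.pop(0)           # one public address per private host
            self.mapping[src] = pub
        self.state.add((pub, ipaddress.ip_address(dst)))
        return str(pub)

    def inbound(self, src_external: str, dst: str) -> str:
        """A packet arrives from off campus; only translated space is inspected."""
        dst_addr = ipaddress.ip_address(dst)
        if dst_addr not in NAT_POOL:
            return "bypass"    # destined for a public server, outside this model
        key = (dst_addr, ipaddress.ip_address(src_external))
        if key in self.state:
            return "allow"     # reply to a connection a client started
        self.blocked.append(key)
        return "block"         # no state: treated as reconnaissance and dropped


if __name__ == "__main__":
    nat = EdgeNat()
    pub = nat.outbound("10.1.2.3", "203.0.113.9")
    print(pub, nat.inbound("203.0.113.9", pub), nat.inbound("203.0.113.77", pub))
```

The `blocked` list is the point of the exercise from a defender's view: it is exactly the stream of unsolicited inbound attempts against the translated pool that the stateful check turns into a log instead of a response, which is what makes external scanning of that space unproductive.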
