[unisog] Public or Private IP addresses?

gentuxx gentuxx at gmail.com
Fri Oct 14 06:04:43 GMT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Genung wrote:

>Cosmin,
>
>At 05:43 PM 10/13/2005, Stejerean, Cosmin wrote:
>
>>I am wondering how the network is setup at other universities and what
>>people on the list think about advantages and disadvantages of picking one
>>over the other.
>
>
>We have used private address space at Illinois State for a number of years.
>About 12K of the addresses we have in use today reside in 10. addressing. There
>are over 17K devices that currently connect to our campus network.
>
>We have a class B address space and migrated to private addressing many
>years ago (mid to late 90's) initially to support our migration from token
>ring to switched ethernet technologies. Today, we use it within our client
>side networks (residence halls, wireless, public jacks, etc).
>
>Using this model, we perform address translation at the edge of our network
>within the WAN. We use our public address space to support systems that
>need public addressability such as web and email servers and then reserve
>about 50 /24 subnets for address translation using NAT (a single public IP
>address is dynamically mapped to a single private address if an off-campus
>connection is established).
>
>Although we initially used it to augment our public address space, we found that
>private addressing greatly simplified our perimeter firewall policies. If
>the on-campus source address resides in private address space (ie: 10.), we
>use policy routing to direct this traffic to a firewall. If the source
>resides within public address space, this traffic bypasses the perimeter
>firewalls. Inbound traffic is directed to the firewalls based upon the
>translated address space. All traffic directed to translated addresses is
>inspected for state, and traffic for which no state exists is blocked. This
>has been a very effective approach to blocking external reconnaissance
>activities.
>
>We also use the 172.16. address space for systems that need to reside in
>private address space for which we do not want NAT. This address space is
>used by systems that do not need to be reached from off-campus (without a
>VPN client).
>
>At this point, the only application that we've encountered problems with
>private addressing has been video conferencing. In this case, we have been
>testing a gateway product that advertises a single public IP address. To
>dial inbound to campus to one of these endpoints, you would dial the public
>address associated with the gateway along with an h.164 extension. We have
>not had problems with video conferencing applications originating from an
>H.323 endpoint residing in private address space.
>
>>Regards,
>>
>>Cosmin Stejerean
>>
>>
>>
>>
>>_______________________________________________
>>unisog mailing list
>>unisog at lists.sans.org
>>http://www.dshield.org/mailman/listinfo/unisog
>
>
>
>Scott Genung
>Manager of Networking Systems
>Telecommunications and Networking
>Illinois State University
>124 Julian Hall
>Normal, IL 61790-3500
>
>sagenung at ilstu.edu
>Phone: (309)438-7258
>Web: http://www.telecom.ilstu.edu
>
>
FWIW, I came from an organization that was predominantly RFC1918
addressed.  Now I'm working in an environment that is predominantly
public addressed.  It is a complete culture shock.  Also, I'm a
security guy.  I know security systems, not networks ( I know
networks, but you know.....not like a true network guru).  Anyway, I
believe that Scott's situation is very sound.  IMHO, "private"
addressing should be kept private.  "Public" addressing should be kept
public.  It's really as simple as that.

In regards to your original question, I can't really speak to the
actual configuration of the respective networks I've dealt with, but I
think that being able to intelligently combine both public and private
IP spaces allows you to benefit from the advantages of both, while
minimizing the disadvantages of each.

HTH

--
gentux
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40  9795 2D81 924A 6996 0993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDT0p7LYGSSmmWCZMRAqLdAJ9L6k0I1aj2rILjj2SSW9VHrlOqyQCgjF/T
GSsKYn/vrWuYWRqdFh72SvU=
=0Pnl
-----END PGP SIGNATURE-----
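The perimeter model Scott describes (policy-route 10/8 sources through a stateful firewall with a dynamic 1:1 NAT to a public pool, let publicly addressed hosts bypass it, keep 172.16/12 unreachable from outside, and drop inbound traffic to the translated pool when no state exists) can be reduced to a small decision procedure. The following is an added example written for this archive page, not Illinois State's configuration or anything posted in the thread: the prefixes are RFC 5737 documentation ranges standing in for the real campus /16 and the ~50 translation /24s, and the `Packet` and `Perimeter` names are invented for the illustration. It shows why a scan of the NAT pool from off campus sees nothing: only a 5-tuple created by an outbound connection is ever permitted back in.

```python
"""Model of the split public/private perimeter described in the thread.

Added example, not the campus configuration: prefixes below are RFC 5737
documentation ranges used as stand-ins (assumption), and Packet/Perimeter
are names invented for this illustration.
"""
import ipaddress
from dataclasses import dataclass, field

CLIENT_SPACE = ipaddress.ip_network("10.0.0.0/8")        # client nets: policy-routed to firewall, NATed
NO_NAT_SPACE = ipaddress.ip_network("172.16.0.0/12")     # private, never translated, VPN-only from outside
CAMPUS_PUBLIC = ipaddress.ip_network("192.0.2.0/24")     # assumed stand-in for publicly addressed servers
NAT_POOL = ipaddress.ip_network("198.51.100.0/24")       # assumed stand-in for the translation /24s


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Perimeter:
    """Policy routing + dynamic 1:1 NAT + stateful inspection at the WAN edge."""
    bindings: dict = field(default_factory=dict)   # private address -> pool address
    state: set = field(default_factory=set)        # (pool addr, sport, external addr, dport)
    free_pool: list = field(default_factory=lambda: list(NAT_POOL.hosts()))

    def outbound(self, pkt: Packet):
        """Return (action, packet as it leaves campus, or None if dropped)."""
        src = ipaddress.ip_address(pkt.src)
        if src in CAMPUS_PUBLIC:
            return "bypass", pkt                     # public source: skips the perimeter firewall
        if src in NO_NAT_SPACE:
            return "drop", None                      # no translation exists, so it cannot leave campus
        if src in CLIENT_SPACE:
            pub = self.bindings.get(src)
            if pub is None:                          # first off-campus connection: bind a pool address
                if not self.free_pool:
                    return "drop", None              # pool exhausted
                pub = self.free_pool.pop(0)
                self.bindings[src] = pub
            # record the translated 5-tuple so only its reply is let back in
            self.state.add((pub, pkt.sport, ipaddress.ip_address(pkt.dst), pkt.dport))
            return "nat", Packet(str(pub), pkt.dst, pkt.sport, pkt.dport)
        return "drop", None                          # not a campus source address: anti-spoofing

    def inbound(self, pkt: Packet) -> str:
        """Decision for a packet arriving from off campus."""
        dst = ipaddress.ip_address(pkt.dst)
        if dst in CAMPUS_PUBLIC:
            return "bypass"                          # publicly addressed servers are not behind this firewall
        if dst in NAT_POOL:
            key = (dst, pkt.dport, ipaddress.ip_address(pkt.src), pkt.sport)
            return "permit" if key in self.state else "drop"   # reconnaissance hits "drop" here
        return "drop"                                # 10/8 and 172.16/12 are not routable from outside


if __name__ == "__main__":
    edge = Perimeter()
    action, out = edge.outbound(Packet("10.1.2.3", "203.0.113.7", 40000, 443))
    print(action, out)                                               # nat, src rewritten to 198.51.100.1
    print(edge.inbound(Packet("203.0.113.7", "198.51.100.1", 443, 40000)))  # permit (reply to that flow)
    print(edge.inbound(Packet("203.0.113.7", "198.51.100.1", 443, 22)))     # drop (no state: a probe)
```

The binding is per private host (one pool address per client, as the post describes), while the permit decision is per flow; that is what lets a probe to a pool address that is currently "in use" still be dropped.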