[unisog] Public or Private IP addresses?

Vijay S Sarvepalli VSSARVEP VSSARVEP at uncg.edu
Fri Oct 14 12:59:26 GMT 2005

Don't forget you can also do "one-to-one NAT" to avoid some of the 
For example, the whole block of
7.11.*.* (outside) <=> 10.11.*.* (private)

I like private addressing especially for RESNET.  Your mileage and others' input might
Even some large ISPs like Cincinnati Bell with their ADSL solution provide private

gentuxx <gentuxx at gmail.com> 
Sent by: unisog-bounces at lists.sans.org
10/14/2005 02:04 AM
Please respond to gentuxx at gmail.com; Please respond to UNIversity Security Operations Group <unisog at lists.sans.org>

UNIversity Security Operations Group <unisog at lists.sans.org>

Re: [unisog] Public or Private IP addresses?


Scott Genung wrote:

>At 05:43 PM 10/13/2005, Stejerean, Cosmin wrote:
>>I am wondering how the network is setup at other universities and what
>>people on the list think about advantages and disadvantages of picking 
>>over the other.
>We have used private address space at Illinois State for a number of 
>About 12K addresses we have in use today reside in 10. addressing. There
>are over 17K devices that currently connect to our campus network.
>We have a class B address space and migrated to private addressing many
>years ago (mid to late 90's) initially to support our migration from 
>ring to switched ethernet technologies. Today, we use it within our 
>side networks (residence halls, wireless, public jacks, etc).
>Using this model, we perform address translation at the edge of our 
>within the WAN. We use our public address space to support systems that
>need public addressability such as web and email servers and then reserve
>about 50 /24 subnets for address translation using NAT (a single public 
>address is dynamically mapped to a single private address if an 
>connection is established).
>Initially used to augment our public address space, we found that using
>private addressing greatly simplified our perimeter firewall policies. If
>the on-campus source address resides in private address space (i.e., 10.), 
>use policy routing to direct this traffic to a firewall. If the source
>resides within public address space, this traffic bypasses the perimeter
>firewalls. Inbound traffic is directed to the firewalls based upon the
>translated address space. All traffic directed to translated addresses 
>inspected for state and then block traffic for which no state exists. 
>has been a very effective approach to blocking external reconnaissance
>We also use the 172.16. address space for systems that need to reside in
>private address space for which we do not want NAT. This address space is
>used by systems that do not need to be reached from off-campus (without a
>VPN client).
>At this point, the only application that we've encountered problems with
>private addressing has been video conferencing. In this case, we have 
>testing a gateway product that advertises a single public IP address. To
>dial inbound to campus to one of these endpoints, you would dial the 
>address associated with the gateway along with an h.164 extension. We 
>not had problems with video conferencing applications originating from an
>h.323 endpoint residing in private address space.
>>Cosmin Stejerean
>>unisog mailing list
>>unisog at lists.sans.org
>Scott Genung
>Manager of Networking Systems
>Telecommunications and Networking
>Illinois State University
>124 Julian Hall
>Normal, IL 61790-3500
>sagenung at ilstu.edu
>Phone: (309)438-7258
>Web: http://www.telecom.ilstu.edu
FWIW, I came from an organization that was predominantly RFC1918
addressed.  Now I'm working in an environment that is predominantly
public addressed.  It is a complete culture shock.  Also, I'm a
security guy.  I know security systems, not networks (I know
networks, but you know... not like a true network guru).  Anyway, I
believe that Scott's situation is very sound.  IMHO, "private"
addressing should be kept private.  "Public" addressing should be kept
public.  It's really as simple as that.

In regards to your original question, I can't really speak to the
actual configuration of the respective networks I've dealt with, but I
think that being able to intelligently combine both public and private
IP spaces allows you to benefit from the advantages of both, while
minimizing the disadvantages of each.


--
echo "hfouvyAdpy/ofu" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 34CE 2E97 40C7 EF6E EC40  9795 2D81 924A 6996 0993


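As an added example (not code from any poster in this thread), here is a small Python model of the two ideas discussed above: the one-to-one NAT between the 7.11.*.* and 10.11.*.* blocks from Vijay's note, and the source-address policy routing with stateful inspection of the translated pool that Scott describes. The blocks, the 172.16/12 no-NAT range and all addresses are constructed for illustration; 7.11/16 is only the thread's placeholder, not a real assignment.

```python
import ipaddress

# Constructed blocks for illustration: the thread's 7.11/16 <=> 10.11/16 pair for the
# NAT pool, and 172.16/12 for systems that stay private without any translation.
PRIVATE_POOL = ipaddress.ip_network("10.11.0.0/16")
PUBLIC_POOL = ipaddress.ip_network("7.11.0.0/16")
NO_NAT = ipaddress.ip_network("172.16.0.0/12")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def one_to_one_nat(addr, outbound=True):
    """Static 1:1 NAT: swap the /16 prefix, keep the host part. None if not in the pool."""
    ip = ipaddress.ip_address(addr)
    src, dst = (PRIVATE_POOL, PUBLIC_POOL) if outbound else (PUBLIC_POOL, PRIVATE_POOL)
    if ip not in src:
        return None
    return str(dst.network_address + (int(ip) - int(src.network_address)))


def egress_path(src):
    """Policy routing on the source address: RFC1918 -> firewall, public -> bypass."""
    ip = ipaddress.ip_address(src)
    if ip in NO_NAT:
        return "no-nat"      # stays private; never translated, so not reachable off campus
    return "firewall" if any(ip in n for n in RFC1918) else "bypass"


class NatEdge:
    """Perimeter model: outbound flows create state; inbound to the NAT pool needs it."""

    def __init__(self):
        self.state = set()   # public pool addresses with an established outbound flow

    def outbound(self, src):
        path = egress_path(src)
        if path != "firewall":
            return path, src
        pub = one_to_one_nat(src)
        if pub is None:
            return "drop", None   # private source with no mapping in the pool
        self.state.add(pub)
        return "firewall", pub

    def inbound(self, dst):
        if ipaddress.ip_address(dst) not in PUBLIC_POOL:
            return "bypass", dst  # e.g. public web/mail servers: not firewalled in this model
        if dst not in self.state:
            return "drop", None   # no state: unsolicited probes of the pool never get in
        return "firewall", one_to_one_nat(dst, outbound=False)
```

Run a few flows through `NatEdge` to see that an inbound packet to a pool address is dropped until a matching outbound flow has created state, which is the reconnaissance-blocking effect described above.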
