[unisog] Public or Private IP addresses?
jtk at northwestern.edu
Fri Oct 14 18:13:57 GMT 2005
On Fri, 14 Oct 2005 10:39:36 -0500
"Stejerean, Cosmin" <cosmin at cti.depaul.edu> wrote:
> universities that have a large public IP range. I was wondering what
> other reasons universities in particular have for using NAT (dynamic
> or static).
I mentioned one example in my initial response, but here is some more
detail. Here are just some of the reasons I've heard/seen used:
o to limit scope/reachability in the name of network security
o to avoid readdressing when switching providers
o to address new services (e.g. VoIP) into its own, large CIDR block,
often used to ease firewall rule maintenance at border points or to
make it obvious what a host/service is by just looking at an address
o because some consultant or outside firm said using RFC 1918
addresses is a best common practice (though no one tends to
actually admit to this reason, someone you gave a lot of money
to is often an influencing factor so I include it here :-)
o cannot get or do not think one can get more provider independent
(PI) address space
o the prior network engineer(s) or organization set things up that
way (never underestimate the momentum of an installed base)
Note, the way I've stated some of those reasons may be contentious.
I don't list them so people can tell us why it is a good or bad idea,
but rather just to list the reasons, good, bad or indifferent. If
there are other novel reasons I missed I wouldn't mind hearing them.
> Static NAT will solve the problem of tracking machines but
> does it offer any advantage over using properly firewalled public IP
> addresses instead?
Depends on who you ask. Theoretically it could offer some anonymity,
but most people who use NAT probably aren't doing it for that reason.
Technically it may mitigate some types of basic remote attacks. The
problem is in the trade-offs and that is where the disputes arise.
Some feel the trade-offs of implementing NAT are so unacceptable (e.g.
complexity and transparency issues) that it is a non-starter. Others
feel the trade-offs are acceptable. Both can be made to work and both
can be implemented poorly. Like many decisions, it often ends up being
made based on 10% technical reasons and 90% for theological reasons.
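The two options the question above contrasts, public addresses behind a stateful default-deny border filter versus RFC 1918 addresses behind static (1:1) NAT, can be written down side by side. The ruleset below is an added illustration, not code from this post or from the unisog list, and all of its names and numbers are assumptions: 192.0.2.0/24 (a documentation prefix) stands in for a campus's public block, 10.20.0.0/16 for the inside block, 10.20.200.0/22 is the VoIP carve-out mentioned in the list of reasons, and "inside"/"outside" are the router's interface names. Load one variant or the other, not both.

```nftables
#!/usr/sbin/nft -f
# Added example, not code from the original post or the unisog list.
# Two border rulesets that give outside hosts the same view of a campus:
#   A) public addresses plus a stateful default-deny forward chain
#   B) RFC 1918 addresses behind static 1:1 NAT with the same filtering
# Assumed: 192.0.2.0/24 = public block, 10.20.0.0/16 = inside block,
# 10.20.200.0/22 = VoIP phones, interfaces named "inside" and "outside".

flush ruleset

# ---- Variant A: public IPs, "properly firewalled" ----------------------
table inet border_a {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "inside" accept                       # outbound is open
        # only the published services are reachable from outside
        iifname "outside" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept
        # VoIP lives in its own public sub-block, so one rule covers every phone
        iifname "outside" ip daddr 192.0.2.192/26 udp dport { 5060, 10000-20000 } accept
    }
}

# ---- Variant B: RFC 1918 inside, static 1:1 NAT at the border ----------
# Use in place of border_a. The filter chain sees the *inside* addresses,
# because prerouting DNAT runs before the forward hook.
table ip nat_b {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # static NAT: each public address maps to exactly one inside host
        iifname "outside" dnat to ip daddr map {
            192.0.2.10 : 10.20.0.10,
            192.0.2.20 : 10.20.200.20 }
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # the reverse of the map above, so replies and outbound traffic
        # from these hosts carry a fixed, attributable public address
        oifname "outside" snat to ip saddr map {
            10.20.0.10 : 192.0.2.10,
            10.20.200.20 : 192.0.2.20 }
        # everything else leaves through one shared address (dynamic NAT);
        # only the translation log, not the address, identifies the host
        oifname "outside" snat to 192.0.2.1
    }
}

table inet filter_b {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "inside" accept
        iifname "outside" ip daddr 10.20.0.10 tcp dport { 80, 443 } accept
        iifname "outside" ip daddr 10.20.200.0/22 udp dport { 5060, 10000-20000 } accept
    }
}
```

In both variants an outside host can reach exactly the same services, which is the sense in which "both can be made to work". What static NAT adds is that the inside numbering never appears on the wire and can be kept when the provider (and the public block) changes; what it costs is the mapping table that must be kept in step with the filter rules, and the fact that the accept rules name inside addresses, so anyone reading them needs the map to know what is published. The dynamic fallback at the end of the postrouting chain is the case where address alone no longer identifies a machine and translation logs have to be kept to answer an abuse report.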