We are an ISP with some internet routers. The question is whether we should use
public or private IP addresses in the NMS/NOC to manage these routers. If we want
to save IP addresses and use private addresses, we need to have private
addresses on the internet routers. Although I am almost religious that
internet routers should NEVER have private addresses in the routing table, I
still need more reasons to convince other people. Can someone please tell me
the pros and cons of using private IP addresses? Is there any issue with
private IP addresses? What is the practice in your network?
> Although I am almost religious that internet routers should NEVER have
> private address in the routing table
That isn't quite correct. Internet routers should never "advertise" private
IP blocks to the global Internet; I've never heard of anyone stating that
they should not have them in their routing table. I've worked in a few NOCs
in my short life and the NOC has always been on an isolated private subnet.
Access to critical hardware was only allowed from behind that subnet.
Private addressing adds an extra layer of security as well as saving
valuable IP space.
If you can afford extra links for your backdoor connections, setting up a
private-IP-address based NOC with direct interconnection to all nodes is
more secure.
You can turn off telnet/ssh access to the routers from outside and only
allow the private addresses to connect directly to your router(s). The drawback
is you can't directly connect to them from outside anymore, but you could
set up a gateway PC/firewall for this purpose.
I wouldn't worry about having private addresses in the routing tables as
long as you don't advertise them.
Make sure you also set up loopback IP addresses for each router so that
router connections are not based on any physical link. This would also make
load sharing across multiple equal paths a lot easier.
> Private addressing adds an extra layer of security as well as saving
> valuable IP space.
Be careful not to equate RFC1918 addresses with a security measure.
*Especially* on publicly accessible routers.
The decision to use 1918 or not should be based upon whether that interface will
ever send packets to the Internet. In this case it sounds like it won't, so that
would be a good thing to do.
If you also want that network to be secure, you should implement an appropriate
security policy with filters/firewalls/intrusion det./etc. Hopefully that policy
won't require 1918 addresses to be effective.
It's that kind of mindset that leads to your customers being able to
manage your routers, simply because you had them secured by only being
manageable from a private space.
Please, oh please, not this conversation again. He did say 'layer',
implying there was more than one. You were the one that said 'only'. Let's
leave this alone.
Though I will leave it at this: I've yet to personally see a secure system
where 1918 was one of the security measures... Not that it's not
possible, just that it encourages poor behaviors.
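The disagreement above turns on what the management filter actually keys on. The following added example (not from any poster in the thread) models a router's management-plane source filter two ways: a weak rule that trusts "any RFC1918 source is internal", and a strict rule that permits only the NOC subnet reaching the router's loopback. The subnet, loopback and login attempts are constructed, hypothetical values.

```python
import ipaddress

# Hypothetical addressing for the example: the NOC management subnet and
# the router's loopback address (both constructed, not from the thread).
NOC_SUBNET = ipaddress.ip_network("10.255.0.0/24")
ROUTER_LOOPBACK = ipaddress.ip_address("10.255.255.1")
ROUTER_PUBLIC_IF = ipaddress.ip_address("203.0.113.1")  # TEST-NET-3, constructed

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def weak_filter(src: str, dst: str) -> bool:
    """'Private means internal': any RFC1918 source may open a management session.

    This is the mindset criticised in the thread; it never checks *which*
    private range, nor which router address the session is aimed at."""
    return any(ipaddress.ip_address(src) in net for net in RFC1918)


def strict_filter(src: str, dst: str) -> bool:
    """Permit only the NOC subnet, and only when it targets the loopback.

    Management bound to the loopback is independent of any physical link,
    and the public-facing interface never accepts a management session."""
    return (ipaddress.ip_address(src) in NOC_SUBNET
            and ipaddress.ip_address(dst) == ROUTER_LOOPBACK)


# Constructed login attempts: (source, destination, who it represents).
ATTEMPTS = [
    ("10.255.0.17", str(ROUTER_LOOPBACK), "NOC workstation via loopback"),
    ("10.255.0.17", str(ROUTER_PUBLIC_IF), "NOC workstation via public interface"),
    ("192.168.1.20", str(ROUTER_LOOPBACK), "customer host on its own RFC1918 LAN"),
    ("198.51.100.9", str(ROUTER_PUBLIC_IF), "random Internet host"),
]


def evaluate(policy) -> dict:
    """Return {label: permitted} for every constructed attempt under `policy`."""
    return {label: policy(src, dst) for src, dst, label in ATTEMPTS}


if __name__ == "__main__":
    for name, policy in (("weak", weak_filter), ("strict", strict_filter)):
        print(name, evaluate(policy))
```

The weak rule lets the customer's 192.168.1.20 host through, which is exactly the failure mode "your customers being able to manage your routers"; the strict rule admits only the NOC prefix, and only on the loopback.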