RE: NOC servers with public/private ip address

Roeland_M.J_Meyer · August 14, 2001, 11:59pm

The demonstration is easy.

1) Convince them that it is really no-goodnik to show private addrs on the
Internet.
2) then make them believe it religiously.
3) then show them a traceroute and explain that everyone on the planet has
traceroute.

The only reasonable conclusion, from that sequence, is that ALL routers and
routing hosts need a static IP addr.

Chris_Woodfield2 · August 15, 2001, 2:40pm

If you're talking about assigning RFC1918 space to router interfaces that
transit traffic, a la @home, keep in mind that this can break PMTU-D, and
makes for messy (and slow) traceroutes when external hosts try to resolve
unresolvable reverse DNS entries.

If you're talking about giving the workstations in your
NOC private IP addresses, using NAT to access your core routers, I see no
more a problem with that than I do with people using home DSL routers that
utilize NAT.

-C

Valdis_Kletnieks · August 15, 2001, 3:01pm

There are those who would say using a NAT on a DSL router is evil.

A better solution would be to have your NOC, your status monitoring
systems, your routers, your switches - all connected to a private
subnet without using NAT. The LAST thing you want in the middle of a
crisis is trying to debug a NAT problem

Whether to number your management network with a /24 out of RFC1918
space, or a /2something out of your own address space, and how heavily
firewalled/isolated to make it, will depend on your paranoia level and
how it balances against ease-of-use concerns - if you have a fully isolated
management net, it's more secure, but a bitch to fix things from home

Jeff_Gehlbach · August 15, 2001, 3:07pm

Using a NAT in a NOC situation makes audit trails harder to maintain,
as all administrative connections to your network devices will appear
to come from (one of) the address(es) of the NAT device.

Valdis_Kletnieks · August 15, 2001, 3:18pm

Right. That too - that's why I advised against it. Choices I see
as reasonable:

1) A totally isolated management net in 1918 space.
2) A totally isolated management net in your space.
3) A firewalled management net in your space.
4) A management net in 1918 space, and a bastion host that lives in the
1918 space and your space to get stuff in/out with (no direct connections
available - copy stuff to the bastion from one side, then copy out from
the other).

Of course, for options (3) and (4) you need to have a very clear
understanding of how you are handling security for the management net.

And for options (1) and (2), you need to be careful that it *does*
stay isolated - all it takes is one router that's forwarding packets
for it to change into (3) or (4).