At 03:26 AM 4/1/99 -0500, Bob Allisat wrote:
>
>Roeland Meyer wrote:
>+ In the case of a purely private network, built on an internal TLD (call
>+ it PNET), as you suggest, there is a bleed-through effect. Although the
>+ internal IP block is a private one (not visible outside that block) and
>+ the public IP addresses are only gateways, the nodes within that private
>+ network still have access to the Internet via the proxy-servers (gateways).
>+ Were the root-server to assign a public TLD, called PNET, then none of
>+ the internal nodes of the private PNET TLD would be able to access any
>+ node on the public PNET TLD. This is a Denial of Service issue. For this
>+ reason, the root-servers must acknowledge private TLDs, even if they
>+ don't list them in the roots.
>
> Not necessarily. Private addressing schemes can
> easily adjust any potential conflicts at their own
> gateway level with no effects or adjustment necessary
> from the world outside. 

But current firewalls and proxy servers aren't set up that way. Nor are they
designed for this instance.

>It is just a matter of
> programming their software to allow a seamless and
> smooth transition and/or training the internal
> staff to enter some key combination or click on
> some radio button when they wish to "leave" the
> internal network and access some conflicting
> external address. 

Simple Matter Of Programming (SMOP) = Simple Matter Of Caffeine (SMOC)

This isn't a simple problem. Then there is the matter of getting the
existing private nets to implement the new firewall software or the new DNS
configuration. Even I am only running BIND4 in production and I guarantee
you that I am not the only outfit doing so. There are a *lot* of HP-UX v9.*
servers out there, that are running even cruftier versions of BIND than I
have. Not to mention all the old Suns running half the Internet.

Yes, I agree with you. An internal net TLD shouldn't be visible, or have an
effect, outside the firewall. Leastwise, not any more than the 192.x.y.z IP
reserved internal addresses. But DNS isn't as tightly controllable as
BGP4/OSPF; it's heading there. But it ain't there yet (BIND8 and DNSSEC).

___________________________________________________ 
Roeland M.J. Meyer - 
e-mail:                                      mailto:[EMAIL PROTECTED]
Internet phone:                                hawk.lvrmr.mhsc.com
Personal web pages:             http://staff.mhsc.com/~rmeyer
Company web-site:                           http://www.mhsc.com
___________________________________________________ 
                       KISS ... gotta love it!
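
Added example, not part of the original message: a minimal model of the collision discussed in this thread, where an internal resolver that is authoritative for a private TLD (PNET) hides a public TLD of the same name from internal clients. The resolver behaviour is an assumption (authoritative zones answer first, with no fall-through), and all zone contents and addresses are constructed sample data.

```python
# Added illustration; every record below is constructed sample data.
INTERNAL_ZONES = {            # zones the internal resolver is authoritative for
    "pnet": {"mail.pnet": "10.1.0.25", "wiki.pnet": "10.1.0.80"},
}
PUBLIC_DNS = {                # what the public tree would answer (hypothetical)
    "www.example.com": "192.0.2.10",
    "www.pnet": "198.51.100.7",     # exists only if the roots delegate PNET
    "mail.pnet": "198.51.100.25",
}

def tld(name):
    """Return the rightmost label of a domain name, lower-cased."""
    return name.rstrip(".").lower().rsplit(".", 1)[-1]

def resolve_inside(name):
    """Answer as an internal client sees it: authoritative zones win."""
    name = name.rstrip(".").lower()
    zone = INTERNAL_ZONES.get(tld(name))
    if zone is not None:
        # Authoritative answer: a miss is NXDOMAIN and is never forwarded out.
        return ("internal", zone.get(name, "NXDOMAIN"))
    return ("public", PUBLIC_DNS.get(name, "NXDOMAIN"))

def shadowed_public_names():
    """Public names that internal clients can no longer reach by name.

    Returns (name, public_address, answer_seen_inside) tuples.
    """
    out = []
    for name, addr in sorted(PUBLIC_DNS.items()):
        source, answer = resolve_inside(name)
        if source == "internal" and answer != addr:
            out.append((name, addr, answer))
    return out

if __name__ == "__main__":
    for name, public, seen in shadowed_public_names():
        print(f"{name}: public={public} inside={seen}")
```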
