Re: The Department of Work and Pensions, UK has an entire /8 nanog@nanog.org

2012-09-20 Thread Robert Bonomi
 From jrh...@netconsonance.com  Wed Sep 19 20:47:44 2012
 Subject: Re: The Department of Work and Pensions, UK has an entire /8 nanog@nanog.org
 From: Jo Rhett jrh...@netconsonance.com
 Date: Wed, 19 Sep 2012 18:46:54 -0700
 Cc: nanog@nanog.org
 To: Robert Bonomi bon...@mail.r-bonomi.com



 On Sep 19, 2012, at 5:59 PM, Robert Bonomi wrote:
  In the financial and/or brokerage communities, there are internal networks
  with enough 'high value'/sensitive information to justify air gap
  isolation from the outside world. 
  
  Also, in those industries, there are 'semi-isolated' networks where
  all external communications are mediated through dual-homed _application-
  layer_ gateways. No packet-level communications between 'inside' and
  'outside'.  The 'inside' apps only know how to talk to the gateway; server-
  side talks only to specific (pre-determined) trusted hosts for the
  specific request being processed.  NO 'transparent pass-through' in
  either direction.


 You're all missing the point in grand style.  If you would stop trying to brag 
 about something that nearly everyone has done in their career and pay attention 
 to the topic you'd realize what my point was. This is the last time I'm going 
 to say this. 

 Not only do I know well those networks, I was the admin responsible for the 
 largest commercial one (56k routes) in existence that I'm aware of. I was at 
 one point cooperatively responsible for a very large one in SEANet as well. 
 (120k routes, 22k offices) I get what you are talking about. That's not what I 
 am saying.

 For these networks to have gateways which connect to the outside, you have to 
 have an understanding of which IP networks are inside, and which IP networks 
 are outside. Your proxy client then forwards connections to outside networks 
 to the gateway. You can't use the same networks inside and outside of the 
 gateway. It doesn't work. The gateway and the proxy clients need to know which 
 way to route those packets. 

 THUS: you can't have your own IP space re-used by another company on the 
 Internet without breaking routing. Duh.

 RFC1918 is a cooperative venture in doing exactly this, but you simply can't 
 use RFC1918 space if you also connect to a diverse set of other 
 businesses/units/partners/etc. AND there is no requirement in any IP allocation 
 document that you must use RFC1918 space. So acquiring unique space and using 
 it internally has always been legal and permitted.

 Now let's avoid deliberately misunderstanding me again, alright?

 -- 
 Jo Rhett
 Net Consonance : net philanthropy to improve open source and internet projects.





Re: The Department of Work and Pensions, UK has an entire /8 nanog@nanog.org

2012-09-20 Thread Jo Rhett
On Sep 19, 2012, at 7:09 PM, Brett Frankenberger wrote:
 It works fine if the gateway has multiple routing tables (VRF or
 equivalent) and application software that is multiple-routing-table
 aware.

If you are arguing that it is technically possible to build an environment in 
which every piece of software is aware at an application level whether or not a 
given service is inside the network or outside the network and thus eliminate 
issues with routing overlaps… uh, sure. I agree that you can do this in a very 
customized environment.

Now if you want to suggest that most businesses with a diversity of 
applications and access methods should be doing this, in order to allow 
overlapping IP usage on the internet, I'm going to have to point and giggle.

I really love how everyone keeps advancing these "businesses should rebuild 
their entire infrastructure, at their cost, and with no benefit to themselves, 
so that I can use their IP space!" arguments. Ya huh. Right.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: The Department of Work and Pensions, UK has an entire /8 nanog@nanog.org

2012-09-19 Thread Robert Bonomi

 From: Jo Rhett jrh...@netconsonance.com
 Date: Wed, 19 Sep 2012 10:42:30 -0700
 Subject: Re: The Department of Work and Pensions, UK has an entire /8

[[ sneck ]]

 And second, have you ever worked on a private intranet that wasn't 
 connected to the internet through a firewall? Skipping oob networks for 
 equipment management, neither have I.

Yes, in fact, I have.  grin

In the financial and/or brokerage communities, there are internal networks
with enough 'high value'/sensitive information to justify air gap
isolation from the outside world. 

Also, in those industries, there are 'semi-isolated' networks where
all external communications are mediated through dual-homed _application-
layer_ gateways. No packet-level communications between 'inside' and
'outside'.  The 'inside' apps only know how to talk to the gateway; server-
side talks only to specific (pre-determined) trusted hosts for the
specific request being processed.  NO 'transparent pass-through' in
either direction.






Re: The Department of Work and Pensions, UK has an entire /8 nanog@nanog.org

2012-09-19 Thread Jo Rhett
On Sep 19, 2012, at 5:59 PM, Robert Bonomi wrote:
 In the financial and/or brokerage communities, there are internal networks
 with enough 'high value'/sensitive information to justify air gap
 isolation from the outside world. 
 
 Also, in those industries, there are 'semi-isolated' networks where
 all external communications are mediated through dual-homed _application-
 layer_ gateways. No packet-level communications between 'inside' and
 'outside'.  The 'inside' apps only know how to talk to the gateway; server-
 side talks only to specific (pre-determined) trusted hosts for the
 specific request being processed.  NO 'transparent pass-through' in
 either direction.


You're all missing the point in grand style.  If you would stop trying to brag 
about something that nearly everyone has done in their career and pay attention 
to the topic you'd realize what my point was. This is the last time I'm going 
to say this. 

Not only do I know well those networks, I was the admin responsible for the 
largest commercial one (56k routes) in existence that I'm aware of. I was at 
one point cooperatively responsible for a very large one in SEANet as well. 
(120k routes, 22k offices) I get what you are talking about. That's not what I 
am saying.

For these networks to have gateways which connect to the outside, you have to 
have an understanding of which IP networks are inside, and which IP networks 
are outside. Your proxy client then forwards connections to outside networks 
to the gateway. You can't use the same networks inside and outside of the 
gateway. It doesn't work. The gateway and the proxy clients need to know which 
way to route those packets. 

THUS: you can't have your own IP space re-used by another company on the 
Internet without breaking routing. Duh.

RFC1918 is a cooperative venture in doing exactly this, but you simply can't 
use RFC1918 space if you also connect to a diverse set of other 
businesses/units/partners/etc. AND there is no requirement in any IP allocation 
document that you must use RFC1918 space. So acquiring unique space and using 
it internally has always been legal and permitted.

Now let's avoid deliberately misunderstanding me again, alright?

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: The Department of Work and Pensions, UK has an entire /8 nanog@nanog.org

2012-09-19 Thread Valdis . Kletnieks
On Wed, 19 Sep 2012 18:46:54 -0700, Jo Rhett said:
 You're all missing the point in grand style.

Given that the entire thread is based on somebody who missed the point
in totally grand style and managed to get press coverage of said missing
the point, I am starting to suspect that several people in the thread are
doing so intentionally to see how hard they can troll the NANOG list without
anybody catching on.




Re: The Department of Work and Pensions, UK has an entire /8 nanog@nanog.org

2012-09-19 Thread Brett Frankenberger
On Wed, Sep 19, 2012 at 06:46:54PM -0700, Jo Rhett wrote:
 
 For these networks to have gateways which connect to the outside, you
 have to have an understanding of which IP networks are inside, and
 which IP networks are outside. Your proxy client then forwards
 connections to outside networks to the gateway. You can't use the
 same networks inside and outside of the gateway. It doesn't work. The
 gateway and the proxy clients need to know which way to route those
 packets.

It works fine if the gateway has multiple routing tables (VRF or
equivalent) and application software that is multiple-routing-table
aware.

Not disagreeing at all with the point many are making that "not on the
Internet" doesn't mean "not in use".  Many people for good reason
decide to use globally unique space on networks that are not connected
to the Internet.  But the idea that you *can't* tie two networks
together with an application gateway unless the address space is unique
is an overstatement.  It's just harder.

 -- Brett
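The two positions above (Jo Rhett's: a proxy client that only sees a destination address cannot route correctly once the same prefix exists on both sides of the gateway; Brett Frankenberger's: a gateway with a routing table per side can, provided the application names which side it means) can be shown side by side in a few lines. The following is an added example written for this page, not code from the thread or from any of its participants. Every prefix, realm name and next-hop label in it is constructed for illustration: an enterprise and a partner that both use 10.0.0.0/8, a `single_table_decision` proxy-client rule, and a `MultiTableGateway` whose lookup key is (realm, destination) rather than destination alone. The `overlapping` helper is the pre-connection check a practitioner would run before tying two address plans together.

```python
"""Overlapping address space at an application gateway (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed address plans: the partner reuses 10.0.0.0/8.
INSIDE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
PARTNER = [ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")]


def overlapping(plan_a, plan_b):
    """Return every pair of prefixes that collide between two address plans.

    An empty result is the precondition for the single-table proxy-client
    rule below to be unambiguous.  Run this before connecting two networks.
    """
    return [(a, b) for a in plan_a for b in plan_b if a.overlaps(b)]


def single_table_decision(dst, inside):
    """Classic proxy-client rule: destinations inside an 'inside' prefix go
    direct; everything else is handed to the application gateway.

    The only input is the destination address, so two different hosts that
    happen to share an address (one ours, one the partner's) get the same
    answer.  With an overlap, the partner's host is simply unreachable.
    """
    dst = ip_address(dst)
    return "direct" if any(dst in prefix for prefix in inside) else "gateway"


def longest_match(dst, table):
    """Plain longest-prefix match over a list of (prefix, next_hop)."""
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


class MultiTableGateway:
    """Dual-homed gateway with one routing table per realm ('VRF or
    equivalent').  The lookup key is (realm, destination), so the same
    address can resolve to different next hops.  The cost is that the
    requesting application must name the realm; a bare packet carrying
    only a destination address gives the gateway nothing to choose by.
    """

    def __init__(self, tables):
        self.tables = dict(tables)

    def forward(self, realm, dst):
        table = self.tables.get(realm)
        if table is None:
            return None  # unknown realm: fail closed rather than guess a table
        return longest_match(ip_address(dst), table)


# Constructed tables; next hops are labels standing in for interfaces.
GATEWAY = MultiTableGateway({
    "inside": [(ip_network("10.0.0.0/8"), "inside-core"),
               (ip_network("172.16.0.0/12"), "inside-core")],
    "partner": [(ip_network("10.0.0.0/8"), "partner-link"),
                (ip_network("192.168.100.0/24"), "partner-link")],
})


if __name__ == "__main__":
    # One colliding pair: 10.0.0.0/8 appears in both plans.
    print(overlapping(INSIDE, PARTNER))
    # 'direct' whichever 10.1.2.3 the caller meant: the rule cannot tell.
    print(single_table_decision("10.1.2.3", INSIDE))
    # Same address, two answers, because the application named the realm.
    print(GATEWAY.forward("inside", "10.1.2.3"), GATEWAY.forward("partner", "10.1.2.3"))
    # Unknown realm is refused instead of routed by guesswork.
    print(GATEWAY.forward("unknown", "10.1.2.3"))
```

The asymmetry the thread is arguing over is visible in the signatures: `single_table_decision` takes only an address, `MultiTableGateway.forward` takes a realm as well. Making every client and every protocol carry that extra parameter is the "rebuild the application layer" cost Jo Rhett objects to; removing the overlap (a non-empty `overlapping` result) is what makes the one-argument rule sufficient.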