RE: Internet accessible screened subnet - use public orprivateIPs?

[<lordchariot () earthlink net>]

What about when IPv6 becomes predominant on the net? 
Am I mistaken that there doesn't seem to be any concept of NAT in the IPv6
specs?
I could be wrong, but thought I found that somewhere?

Erik

> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com 
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
> Of David Lang
> Sent: Friday, July 22, 2005 8:27 PM
> To: Victor Williams
> Cc: Dave Piscitello; firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] Internet accessible screened subnet - 
> use public orprivateIPs?
>
> On Fri, 22 Jul 2005, Victor Williams wrote:
>
> > Everyone has missed the point.
> >
> > The whole issue of using NAT or not has nothing to do with 
> work associated 
> > with either.  The whole reason NAT was implemented was 
> because of a very 
> > finite (and quickly running out supply, dependending on who 
> you ask) number 
> > of publicly routable IP addresses.  Instead of assigning 
> every machine that 
> > wanted internet access a public IP address, it was just 
> more cost-effective 
> > (IP addresses cost money) to use NAT or 
> masquerading...whatever your lingo 
> > is...to address those hosts that only needed outgoing 
> access--who weren't 
> > serving content.
>
> however, for a DMZ (the question that was asked) you are typicaly 
> providing service to the Internet, and for that you run into 
> a bunch of 
> very interesting issues if you try to use NAT to reduce the 
> number of IP 
> addresses you use.
>
> David Lang
>
> > Whether you address your publicly accessible hosts directly 
> with public ip 
> > addresses or you use static NAT translations is up to the 
> preference of the 
> > administrator.  If you have enough public IP addresses and 
> $ isn't an object, 
> > then your preference for assigning them all public IP 
> addresses really 
> > doesn't make a difference.  If you don't have enough public 
> IP addresses and 
> > you have a limited budget and have to allow many services 
> on the internet 
> > with less public IP addresses, then it sounds like you'll 
> be using NAT or 
> > PAT.
> >
> > There is no clear-cut *better* way universally.  Several 
> different ways work 
> > if you have your head screwed on straight.
> >
> > My personal preference is to use private ip addresses 
> everywhere inside my 
> > firewall...even in my DMZ.  That way I control my public IP 
> addresses at one 
> > point only, and that's my firewall.  If for some reason I 
> change ISP's or my 
> > ISP wants to change my IP address range (which hasn't 
> happened in over 9 
> > years), I make my IP address changes in two spots: my 
> firewall(s), and my DNS 
> > servers.  Nothing else changes.  To me, it's simpler.  
> Others like to be 
> > complicated...so YMMV.
> >
> >
> > David Lang wrote:
> > > On Fri, 22 Jul 2005, Dave Piscitello wrote:
> > >
> > > > Isn't this a question of whether you want to route or NAT?
> > > >
> > > > A server that is Internet-facing has to have (or be 
> reachable via) a
> > > > public IP. If your ISP changes your block of public IP 
> addresses, you
> > > > have to change:
> > > >
> > > > 1) the mapping between your private IP addresses and the 
> new public
> > > > IP addresses (the static or 1:1 NAT case) or
> > > > 2) the IP addresses of all the servers, the IPs of the trusted and
> > > > external interfaces on the firewall, and the routing table (or
> > > > routing protocol configuration)
> > > >
> > > > (2) seems like a whole lot more work to me.
> > >
> > >
> > > first off, how frequently does your ISP reallocate your 
> address range?
> > > secondly you are ignoring all the other work that you need 
> to do when this 
> > > change takes place. with all that in mind the difference 
> in the amount of 
> > > work seems a lot less.
> > >
> > > and as I said below, the trade off for simplifying this 
> rare occurance of 
> > > changeing your IP range comes with day-to-day costs in running NAT.
> > >
> > > David Lang
> > >
> > > > On 21 Jul 2005 at 18:28, David Lang wrote:
> > > >
> > > > > On Thu, 21 Jul 2005, Paul D. Robertson wrote:
> > > > >
> > > > > > On Fri, 15 Jul 2005, Matt Bazan wrote:
> > > > > >
> > > > > > > Is there a preferred method of setting up a Internet facing
> > > > > > > screened subnet and the use of public or private IP addresses?
> > > > > > > Looking at redesinging our DMZ to only include public resources
> > > > > > > (www, smtp, imap, ftp).  Presently we use a private IP address
> > > > > > > range for this that is NAT'ed at our firewall.  Any reasons to
> > > > > > > change this policy to using public IPs in the DMZ?  Thanks,
> > > > > >
> > > > > >
> > > > > > If you're NATing to your internal network, then a rework is
> > > > > > necessary- public stuff should be on its own 
> (preferably) physical
> > > > > > subnet.
> > > > > >
> > > > > > IP addressing doesn't matter much, since you'll be letting stuff
> > > > > > through the most likely exploit vectors anyway.
> > > > >
> > > > >
> > > > > The thing I've been eharing for years about why NAT is 
> better is that
> > > > > you may change ISP's and end up with a new set of IP 
> addresses which
> > > > > are easier to change if you NAT.
> > > > >
> > > > > this may be true (I've actually never seen anyone 
> acutally DO this),
> > > > > but you are trading one-time headaches (which I 
> personally believe are
> > > > > no more severe then all the other changes that you need 
> to make when
> > > > > changing things, firewalls, DNS, NAT tables, etc) for 
> ongoing overhead
> > > > > (performance on your NAT device, troubleshooting, bugs in the NAT
> > > > > implementation, overloading of the NAT tables, etc)
> > > > >
> > > > > I would definantly have things that server the Internet 
> use public
> > > > > addresses, once you get behind that layer and have 
> devices that only
> > > > > talk to internal stuff, then make it all private addresses.
> > > > >
> > > > > David Lang
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -- 
> > > > > There are two ways of constructing a software design. 
> One way is to
> > > > > make it so simple that there are obviously no 
> deficiencies. And the
> > > > > other way is to make it so complicated that there are no obvious
> > > > > deficiencies.
> > > > >   -- C.A.R. Hoare
> > > > > _______________________________________________
> > > > > firewall-wizards mailing list
> > > > > firewall-wizards () honor icsalabs com
> > > > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > firewall-wizards mailing list
> > > > firewall-wizards () honor icsalabs com
> > > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
> -- 
> There are two ways of constructing a software design. One way 
> is to make it so simple that there are obviously no 
> deficiencies. And the other way is to make it so complicated 
> that there are no obvious deficiencies.
>   -- C.A.R. Hoare
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards