[consume-routing] IP addressing idea
Martin Ling
martin at nodezero.org.uk
Thu Jan 11 16:09:44 GMT 2001
On Wed, Jan 10, 2001 at 08:23:04AM -0000, Peter Galbavy wrote:
>
> OK. Small words ... :-)
:-)
> Consume systems will be connected to LANs which may provide transit of some
> sort and also interconnection with node owners' own networks. Regardless of
> using NAT, if we use RFC1918 address space, then if ever there appears an
> RFC1918 address in the consume *or* node owner's network that is not NATed,
> that happens to coincide with an allocated consume IP address, those hosts
> will not be able to communicate. Seems unlikely? Watch real networks and
> try to fix issues sometime.
>
> The problem is neither the NAT nor the routeing; it is the use of "private"
> addresses across enterprises with different allocation and assignment
> policies.
>
> If we get a /24 (say) in a PI block that is *not* routed, but only used for
> NAT, then these "overlapping" problems go away.
>
> It is more a question of pollution and debugging than one of operational
> correctness.
Having read some confusion in the discussion of this, I think it might
be useful to consider a practical example (mine).
All my machines here were initially using 10.1.0.0/16 addresses. I had
picked these along with a group of my friends - we took the whole
10.0.0.0/8 space, used 10.0.0.0/16 for colo boxes and took one /16 each
for our home systems. Since we were always plugging boxes into each
others' networks and tunneling around, this was great.
Then I encountered another bunch of people running an encrypted VPN,
which I wanted to be on. They were also using a subdivided 10.0.0.0 IP
space.
Now, to be on this: even if I do NAT at my gateway for all the systems
on my side of it, there are still hosts outside I cannot access because
they have the same IPs outside as mine on my ethernet.
The only real way [0] for something like this to be resolved is for the
two VPNs to get their act together; in this case I just gave up on the
old scheme and took IPs for my machines that matched the new VPN.
Traffic now routes in and out to that directly; internet traffic is
still NATed at the gateway.
That's effectively the problem; if the new VPN had used a PI block, I
could have NATed happily at the gateway for it *or* taken some of those
PI addresses for the machines behind, if it were appropriate or
necessary for me to route directly.
(and now, the whole situation potentially comes round for me again if
consume uses 10.* addresses).
Martin
--
-----[ Martin J. Ling ]-----[ http://www.nodezero.org.uk ]-----
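
An added example, not part of the original message: a check for the address collision described above, comparing one side's RFC1918 plan against another network's plan before joining it. The 10.0.0.0/16 and 10.1.0.0/16 blocks come from the message; the second VPN's subdivision is constructed, and 192.0.2.0/24 (TEST-NET-1) is an assumed stand-in for a unique, unrouted PI /24.

```python
import ipaddress

# Constructed address plans. The colo and home /16s are from the message;
# the remote VPN's subdivision of 10.0.0.0/8 is an assumption.
LOCAL_PLAN = {
    "colo": "10.0.0.0/16",
    "home-lan": "10.1.0.0/16",
}
REMOTE_VPN_PLAN = {
    "vpn-site-a": "10.1.0.0/24",
    "vpn-site-b": "10.1.128.0/17",
    "vpn-site-c": "10.7.0.0/16",
}
# Assumption: TEST-NET-1 stands in for a globally unique PI block used only for NAT.
REMOTE_PI_PLAN = {"vpn-nat-pool": "192.0.2.0/24"}


def find_collisions(local, remote):
    """Return (local_name, remote_name, shared_network) for every overlap."""
    hits = []
    for lname, lcidr in local.items():
        lnet = ipaddress.ip_network(lcidr)
        for rname, rcidr in remote.items():
            rnet = ipaddress.ip_network(rcidr)
            if lnet.overlaps(rnet):
                # Two CIDR blocks overlap only when one contains the other,
                # so the shared range is the one with the longer prefix.
                shared = lnet if lnet.prefixlen >= rnet.prefixlen else rnet
                hits.append((lname, rname, shared))
    return hits


def shadowed(host, local):
    """True if a remote host's address falls inside a network the local side
    already uses, so traffic to it never leaves towards the VPN."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(c) for c in local.values())


if __name__ == "__main__":
    for lname, rname, net in find_collisions(LOCAL_PLAN, REMOTE_VPN_PLAN):
        print(f"{lname} collides with {rname}: {net} ({net.num_addresses} addresses)")
    print("PI plan collisions:", find_collisions(LOCAL_PLAN, REMOTE_PI_PLAN))
    print("10.1.0.5 shadowed locally:", shadowed("10.1.0.5", LOCAL_PLAN))
```

NAT at the gateway does not help the shadowed hosts, because the local machines never send that traffic to the gateway in the first place.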