Educause Security Discussion mailing list archives

Re: Large edu's doing NAT campus wide?


From: Jeff Murphy <jcmurphy () BUFFALO EDU>
Date: Sun, 29 Apr 2007 10:00:43 -0400

I recall Indiana U presenting on a campus NAT service at the June '03 I2
Tech Update meeting. Here's the presentation:

http://www.ncne.org/training/techs/2003/0803/presentations/0803-davy1_files/v3_document.htm

slides 16 and 17.

IU's implementation was interesting in that they simply changed the
first octet to a 10 to make the service easy to deploy (slide 17). So
your 'normal' subnet would also have a private subnet overlaid on it
where the first octet was a 10. The departments could then selectively
deploy devices into either subnet based on the scope of service that the
device was offering.

I agree that the security aspects are debatable, but it's in line with
the conservative nature of security: permit only what's necessary. If a
device (LOM, KVM, printers, etc.) doesn't need to be globally accessible,
yadda yadda.

From an address space conservation perspective, it has obvious benefits
and the same logic applies - if a device doesn't need global visibility,
then drop it in private space so you can give that address to a device
that does need that reachability. Like many U's (I suspect) we use
private address space for management console access and for VOIP. We
don't offer a NAT service for private address space and haven't offered
to route private address space around for departmental use.



jeff
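The first-octet overlay scheme described in the post is easy to sketch in code. The following is an added example, not code from the original message or from IU's deployment: it maps public campus prefixes to their `10.x.y.z` overlay, and then runs the two checks a network or security team would want before turning such a service on, namely whether an overlay prefix collides with private space already allocated (the management-console and VoIP ranges mentioned in the post are the typical case) and whether two distinct public prefixes collapse onto the same overlay prefix. The campus prefixes and existing private ranges below are constructed sample values, not any real institution's allocations.

```python
import ipaddress
from itertools import combinations

# Constructed sample input (documentation ranges, not a real campus allocation).
CAMPUS_PUBLIC_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]
# Constructed sample input: private space already used for consoles and VoIP.
EXISTING_PRIVATE_PREFIXES = ["10.0.0.0/16", "172.16.0.0/12"]


def overlay_address(public_ip):
    """Replace the first octet of a public IPv4 address with 10 (the IU-style overlay)."""
    packed = ipaddress.IPv4Address(public_ip).packed
    return ipaddress.IPv4Address(bytes([10]) + packed[1:])


def overlay_network(public_prefix):
    """Overlay prefix for a whole public subnet; the prefix length is unchanged."""
    net = ipaddress.IPv4Network(public_prefix)
    if net.prefixlen < 8:
        # Rewriting the first octet only makes sense inside a single /8 or longer.
        raise ValueError("prefix shorter than /8 cannot be overlaid by a first-octet rewrite")
    return ipaddress.IPv4Network(f"{overlay_address(net.network_address)}/{net.prefixlen}")


def overlay_plan(public_prefixes):
    """List of (public prefix, overlay prefix) pairs for the whole campus."""
    return [(p, str(overlay_network(p))) for p in public_prefixes]


def find_private_conflicts(public_prefixes, existing_private_prefixes):
    """Overlay prefixes that overlap private space the campus already routes.

    Returns (public, overlay, existing) triples; an empty list means the overlay
    can be deployed without renumbering existing private users.
    """
    existing = [ipaddress.IPv4Network(e) for e in existing_private_prefixes]
    conflicts = []
    for public in public_prefixes:
        overlay = overlay_network(public)
        for e in existing:
            if overlay.overlaps(e):
                conflicts.append((public, str(overlay), str(e)))
    return conflicts


def find_self_collisions(public_prefixes):
    """Pairs of distinct public prefixes whose overlays overlap each other.

    This happens when two public prefixes differ only in the first octet,
    because the rewrite discards exactly that octet.
    """
    collisions = []
    for a, b in combinations(public_prefixes, 2):
        if overlay_network(a).overlaps(overlay_network(b)):
            collisions.append((a, b, str(overlay_network(a))))
    return collisions


if __name__ == "__main__":
    for public, overlay in overlay_plan(CAMPUS_PUBLIC_PREFIXES):
        print(f"{public:>18} -> {overlay}")
    print("conflicts with existing private space:",
          find_private_conflicts(CAMPUS_PUBLIC_PREFIXES, EXISTING_PRIVATE_PREFIXES))
    print("self-collisions:", find_self_collisions(CAMPUS_PUBLIC_PREFIXES))
```

With the constructed input, 203.0.113.0/24 maps onto 10.0.113.0/24, which sits inside the already-used 10.0.0.0/16, so that subnet would need either the existing private users moved or a different overlay rule. The self-collision check is the other thing to run before rollout: a campus holding, say, two different /16s with the same second octet cannot use a plain first-octet rewrite at all, since both would land on the same 10.x.0.0/16.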
