nanog mailing list archives

Re: The Department of Work and Pensions, UK has an entire /8 nanog () nanog org


From: Jo Rhett <jrhett () netconsonance com>
Date: Wed, 19 Sep 2012 18:46:54 -0700

On Sep 19, 2012, at 5:59 PM, Robert Bonomi wrote:
In the financial and/or brokerage communities, there are internal networks
with enough 'high value'/sensitive information to justify "air gap"
isolation from the outside world.

Also, in those industries, there are 'semi-isolated' networks where
all external communications are mediated through dual-homed _application-layer_
gateways. No packet-level communications between 'inside' and
'outside'.  The 'inside' apps only know how to talk to the gateway; server-side
talks only to specific (pre-determined) trusted hosts for the
specific request being processed.  NO 'transparent pass-through' in
either direction.


You're all missing the point in grand style.  If you would stop trying to brag about something that nearly everyone has 
done in their career and pay attention to the topic you'd realize what my point was. This is the last time I'm going to 
say this. 

Not only do I know well those networks, I was the admin responsible for the largest commercial one (56k routes) in 
existence that I'm aware of. I was at one point cooperatively responsible for a very large one in SEANet as well (120k 
routes, 22k offices). I get what you are talking about. That's not what I am saying.

For these networks to have gateways which connect to the outside, you have to have an understanding of which IP 
networks are inside, and which IP networks are outside. Your proxy client then forwards connections to "outside" 
networks to the gateway. You can't use the same networks inside and outside of the gateway. It doesn't work. The 
gateway and the proxy clients need to know which way to route those packets. 

THUS: you can't have your own IP space re-used by another company on the Internet without breaking routing. Duh.

RFC1918 is a cooperative venture in doing exactly this, but you simply can't use RFC1918 space if you also connect to a 
diverse set of other businesses/units/partners/etc. AND there is no requirement in any IP allocation document that you 
must use RFC1918 space. So acquiring unique space and using it internally has always been legal and permitted.

Now let's avoid deliberately misunderstanding me again, alright?

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
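An added illustration of the inside/outside argument above (editor's example, not code from Jo Rhett or the thread): a proxy client decides "direct" versus "via gateway" purely by whether the destination falls in an inside prefix, so any partner reached through the gateway whose RFC1918 space overlaps your own is misclassified, while uniquely assigned space has no such collision. All prefixes and partner names are constructed sample values.

```python
from ipaddress import ip_network, ip_address

def classify(dest, inside_prefixes):
    """Proxy-client routing decision: traffic to an 'inside' address goes
    direct; anything else is handed to the application-layer gateway."""
    addr = ip_address(str(dest))
    return "inside" if any(addr in n for n in inside_prefixes) else "via-gateway"

def overlaps(inside_prefixes, partner_prefixes):
    """Return (partner, inside_net, partner_net) triples whose ranges collide.
    A collision means some addresses can no longer be classified unambiguously."""
    hits = []
    for name, nets in partner_prefixes.items():
        for p in nets:
            for i in inside_prefixes:
                if i.overlaps(p):
                    hits.append((name, str(i), str(p)))
    return hits

def ambiguous_destinations(inside_prefixes, partner_prefixes):
    """Partner networks the proxy client would wrongly treat as 'inside',
    i.e. connections that would never reach the gateway."""
    return [(name, str(p)) for name, nets in partner_prefixes.items()
            for p in nets
            if classify(p.network_address, inside_prefixes) == "inside"]

# Constructed sample address plans (not real allocations).
INSIDE_RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]
INSIDE_UNIQUE = [ip_network("203.0.113.0/24")]   # documentation range standing in for unique space
PARTNERS = {                                      # two partners behind the gateway, both also on 10/8
    "broker-a": [ip_network("10.20.0.0/16")],
    "broker-b": [ip_network("10.20.5.0/24"), ip_network("192.168.1.0/24")],
}

if __name__ == "__main__":
    for plan_name, plan in (("RFC1918 inside", INSIDE_RFC1918), ("unique inside", INSIDE_UNIQUE)):
        print(plan_name, "collisions:", overlaps(plan, PARTNERS))
        print(plan_name, "10.20.5.7 ->", classify("10.20.5.7", plan))
```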
