Hello all,
I see that the subject of handling multiple occurrences of the
same IP network numbers has come up again. We should make this
part of the firewall FAQ, I guess...
The most common case where this occurs is an organization that
has umpteen network numbers (which are not InterNIC-registered)
that now needs to connect to the Internet in some way. What should be
put in the middle of the connection that will support the fact that
some IP addresses exist on BOTH sides of the configuration?
More importantly (everybody, hope that IPV6 comes in fast enough
to minimize this), how will we handle cases where N > 2 IP internetworks
have conflicting network numbers and need to be interconnected?
It is true that some companies have come out with specific system/
software combinations to solve this problem. Some products have
already been mentioned, others will be, I have no doubts about that.
Building such a product practically REQUIRES messing around in the depths
of a TCP/IP software stack in order to achieve the desired functionality.
Some people may fear the potential security impact of such software
modifications. I certainly would not feel confident if I was personally
asked to modify an IP stack to do this...
It should be remembered that IT IS POSSIBLE to achieve the desired
functionality with much more mundane technology IF:
a) the types of communications you need can all be proxied
b) you have access to "classical" proxy software that supports
auto-forwarding (a very simple functionality to implement,
many available proxies, commercial or free, do this)
c) you have two systems on which this proxy software can run
(the two systems can become a "firewall" if you want)
What needs to be done then is as simple as:
1. Configure each system to live in the IP environment of one side
of your "firewall configuration"
2. Configure an interconnection IP network (often a short Ethernet
cable between the two proxy machines). The IP network number
used on the interconnection network ONLY NEEDS TO BE KNOWN TO
THE TWO PROXY MACHINES.
3. Set up the proxy applications for the appropriate auto-forwarding
configuration.
I have written a document about proxies that (among other things)
describes this setup. You may wish to take a look at it:
http://ds.internic.net/internet-drafts/draft-rfced-info-chatel-00.txt
Like all internet drafts, it is also available by FTP and on several
mirrors:
ftp.is.co.za (Africa)
nic.nordu.net (Europe)
ds.internic.net (US East Coast)
ftp.isi.edu (US West Coast)
munnari.oz.au (Pacific Rim)
Of course, nobody should consider this document to be "The Truth" (beware
of what you read). It is just a set of opinions from one guy in a corner,
and exactly fits the "Request For Comments" concept...
Regards,
Marc Chatel
E-mail: Marc.Chatel@aeo.mts.dec.com
Disclaimer: On this forum, I only speak for myself, nobody else.
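The two-proxy, auto-forwarding layout described in the post, as an added Python example (not Marc's code and not taken from the draft). Loopback ports stand in for the three networks, the echo service is a constructed stand-in for a server on the far side, and the function names are assumptions of this example.

```python
import socket
import threading

def _pipe(src, dst):
    """Copy bytes one way until EOF, then half-close dst so the EOF propagates."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _serve(listen_addr, handler):
    """Bind listen_addr and run handler(conn) on a thread per accepted connection."""
    srv = socket.create_server(listen_addr)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def _relay(client, upstream_addr):
    # Auto-forwarding: the destination is fixed by configuration, not chosen by the
    # client, so this host only needs routes to its own side and the interconnect.
    with client, socket.create_connection(upstream_addr) as upstream:
        back = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
        back.start()
        _pipe(client, upstream)
        back.join()

def start_forwarder(listen_addr, upstream_addr):
    """Auto-forwarding proxy: every connection accepted on listen_addr goes to upstream_addr."""
    return _serve(listen_addr, lambda conn: _relay(conn, upstream_addr))

def _echo(conn):
    with conn:  # constructed stand-in for a real service on the far side
        while data := conn.recv(4096):
            conn.sendall(data)

def demo():
    # Loopback ports stand in for the three networks; only proxy A ever learns proxy B's address.
    server = _serve(("127.0.0.1", 0), _echo)
    proxy_b = start_forwarder(("127.0.0.1", 0), server)
    proxy_a = start_forwarder(("127.0.0.1", 0), proxy_b)
    with socket.create_connection(proxy_a) as c:
        c.sendall(b"hello through two proxies")
        c.shutdown(socket.SHUT_WR)
        return c.makefile("rb").read()  # read until the far end's EOF arrives
```

The client only ever connects to proxy A; proxy B's listening address plays the role of the interconnection network that only the two proxy hosts need to know.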