tech-net: Re: Replacing oddly networked NT machine

Subject: Re: Replacing oddly networked NT machine
To: Stephen Borrill <netbsd@precedence.co.uk>
From: Henry B. Hotz <hotz@jpl.nasa.gov>
List: tech-net
Date: 02/19/2003 16:59:45

At 3:05 PM +0000 2/17/03, Stephen Borrill wrote:
>On Mon, 17 Feb 2003, Greg A. Woods wrote:
>  > Renumbering really is the right thing to do here.  The current
>>  configuration is really badly broken.  It probably doesn't even work
>>  100% properly under M$-NT, though it might be harder to see the problems
>>  there.
>
>No, it's not the right thing. Arbitrary machines will probably want to be
>video-conferencing to other machines in the WAN or such like. At the
>moment those machines are set up to be part of the whole WAN; there are
>just security concerns regarding how much access external machines (in the
>WAN) will have. Renumbering and NATing will mean port redirection which is
>more administration.
>

I think the suggestion was for renumbering, but not for NAT.  If you 
were willing to do NAT then you could probably avoid renumbering.

>  > > As for the choices of IP addresses, this is part of a big WAN and we
>>  > aren't really free to use our own choice of private addresses (for
>>  > instance, if a direct IP connection was needed to another part of the WAN
>>  > we could clash).
>>
>>  Well then get the WAN admins to allocate you another /24 from 10/8!
>
>That will not be done. This is a _big_ WAN covering many, many sites and
>spread over a very large distance. The IP addresses allocated by the WAN
>people are effectively set in stone.

There must be some organization to how they are allocated that you 
can work with.  If you can say what that organization is then you can 
probably design routing rules to reflect it.  Heck if nothing else 
you can put in a bunch of host routes saying a, b, c, etc. are 
"inside" and everything else is "outside".  Maintaining that would be 
a nightmare though, hence the suggestion that you renumber to create 
some order you can live with.

My email is on the fritz so I haven't seen all the followups on this 
thread.  Appologies in advance if I'm out of order.
-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu