James Knott said the following on 06/28/2011 04:09 PM:
You're confusing private addresses with NAT.
Many people do. The private - "unrouteable" - addresses were part of the IPv4 address structure long before NAT or the address shortage.
NAT uses private addresses to get around the address shortage.
I would put a "can" in there. It was never the intent.
However, there's no reason why you couldn't have a network using private addresses, without any consideration for accessing the internet.
Which was the original intent of this design feature. The "Motivation" section of RFC1981 explicitly says <quote> an increasing number of non-connected enterprises use this technology and its addressing capabilities for sole intra-enterprise communications, without any intention to ever directly connect to other enterprises or the Internet itself </quote> My ISP, for example, has their nation-wide internal router network built around private addresses. People used to comment that it seemed wasteful to 'burn' a subnet just to connect two routers. Well with 10.x.x.x it doesn't matter. Every cable company, every DSL company, can use **THE SAME** private network for their internal routing. That they don't might account for the address shortage!
You could also have some devices with more than one address, perhaps one private, for talking to other local devices and a public address for talking to the rest of the world.
Excellent! The admin ports on your routers and switches, the network doing C&C and SNMP, which you very certainly don't want on the Bad Bad World-Spanning Internet!

As for NAT, that came later. The idea that every host on the 'Net should be able to communicate with every other, that NAT is "wrong", is, as far as I can see, a mis-impression.

I have a number of clients that have many allocated public class Bs & class Cs. Yes, they were that when they got them. But they are all used internally. None of these addresses reaches the outside world for security reasons. All are behind at least TWO layers of firewalls, maybe more. (Yes, I know, this is pre-CIDR terminology, but that was then, when class Bs were handed out for the asking.)

No server or workstation can access the net directly. All go via an application proxy. Store-and-forward for email, proxies for the web access. Users cannot do either without explicit permission; authorization from their manager stating that it is part of their job function, and explaining how, is required and is reviewed each year. This seems a common policy for brokerage and other financial firms. It is likely to be a requirement with PCI:DSS and in a few years, perhaps, with FFIEC or some other regulatory body.

That company has two class Bs and about 60 class Cs. All _could_ be 'returned'. The cost would be 'renumbering' and changing settings on DHCP servers. The latter could be done very easily with little to no impact. Since they can't get any more addresses they are already using private addresses. Converting to all private addresses except for the gateways would not kill them. Those would amount to one class C.

There is **NO** NAT in any of this.

I get to wonder how many networks that are internal and private, be they administrative/SNMP or isolated by proxies, there are using the address space?

-- 
"I think there is a world market for about five computers." Thomas J. Watson, chairman of the board of IBM, 1943