Re: Linux router between LAN's
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 09/12/04
- Next message: Larry Cohen: "ddclient to update dynamic DNS entries at a dynamic DNS service"
- Previous message: Bob Tennent: "Re: Recommendations on 802.11g PCI card?"
- In reply to: James Knott: "Re: Linux router between LAN's"
- Next in thread: Jeroen Geilman: "Re: Linux router between LAN's"
Date: Sat, 11 Sep 2004 19:58:16 -0500
In article <Drt0d.294481$UTP.265758@twister01.bloor.is.net.cable.rogers.com>,
James Knott wrote:
>Moe Trin wrote:
>> Why not? If they're not offering access to their mail, news, or pop
>> servers except to customers connected directly to their network, it
>> adds a tiny amount of extra security.
>
>If they do that, then the customer has to consider something they might not
>know about, when setting up their local network.
Welllll... technically, the second paragraph on "Page 4" of RFC1918
says packets using 1918 addresses shouldn't cross "inter-enterprise"
links. In _theory_ the users are admining their own "enterprise", which
is separate from that of the ISP, and they should be doing "due diligence"
to see that there won't be a problem. (Yeah, I know.) In reality, the real
problem is when the user randomly chooses an RFC1918 address that the ISP
is _also_ using. That's called a 'crap shoot' meaning it's pure chance. I
would think that if someone did an actual study of the matter, they would
find users choosing certain address ranges - most often 192.168.0.x,
192.168.1.x, and 10.x.x.x (though I don't have specific numbers - I'm only
going on what I recall seeing posted to Usenet by users), and maybe
172.16.x.x. An ISP would have less likelihood of a clash if they are
using the less common blocks (such as _other_ blocks in 172.16/12 and
192.168/16 ranges). Assuming a /24 is needed, there are 256 in 192.168/16,
and 4096 in 172.16/12. The odds of a home user choosing (for example)
172.19.223.x are very slim. I'd shy away from 10/8 if the users might
actually have to access it, because there is a much larger chance that
some users have their 2 or 3 host home network set for 10.0.0.0/8
because it looks impressive. Having been registrar on a /8, and worked
in network support there, I can say that a /8 is not impressive in fact.
I'd suspect that there is a greater chance of screwing it up, because
of netmask setup errors. Also, they forget that NO ONE ELSE is going to
see their addresses in packets, and therefore, no one will be impressed.
[access through telnet/ssh/tunnels into a login server]
>I'd like to see more of that in general. Then maybe we could access our
>mail servers, while off the ISPs network.
Lessee, you're at Rogers, and they're a pretty big provider. I'd guess
it would be hard to get word up to the "Powers That Be"(tm) that this
could be a valuable service to offer. It's quite common in industry,
and has been widely implemented there. At the previous place of
employment, we had both dialin and over-the-net access, authenticating
with a "one time password" (in fact, a SecureID system). I know that
would never fly at an ISP ($ecureID is EXPEN$IVE!!!), but SSH/SSL
access should be practical. Telnetting in (no, I'm not going to try the
Berkeley 'r' commands) is less secure, but the likelihood of someone
sniffing your login/pass-phrase may not be as high as is commonly
believed. I'm ignoring the concept of attempting to do this from a
public computer which has a far higher likelihood of being r00ted and
having a keyboard sniffer installed.
>Currently if I want to send a message, without using webmail, I have to
>pass through my home network via VPN and then connect to my ISPs SMTP
>server.
Think of the amount of work you went to to set up that configuration,
and the value of the time and hardware. Multiply that by <mumble>
number of users who would like to do the same thing, and divide by
some 'economy of scale' factor, and an amortization period. Would you
be willing to pay that amount of money for that service? I dunno.
>As for incoming mail, I have my own IMAP server, using fetchmail to
>download mail from my ISP.
Similar here, though I'm using a fairly lengthy script in place of
fetchmail, so that I can do spam filtering before I download.
Old guy
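As an added example (not part of the original post or anything the poster ran): a small Python check that models the RFC 1918 clash described above, where a customer picks a private block the ISP also uses and the LAN's directly-connected route shadows the ISP's hosts. The ISP server prefixes are constructed sample values; the "commonly chosen" home ranges are the ones the post names.

```python
"""Check a home LAN prefix against an ISP's internal RFC 1918 prefixes.

Added example, not from the original post. Models the clash the post
describes: if the customer's LAN overlaps a block the ISP uses for its
mail/news/pop servers, those servers become unreachable from that LAN.
"""
import ipaddress

# Blocks the post says home users pick most often (assumption: treated as "crowded").
COMMON_HOME = [ipaddress.ip_network(p)
               for p in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/8")]


def clashes(lan_prefix: str, isp_prefixes) -> list:
    """Return the ISP prefixes that overlap the customer's LAN prefix.
    Any overlap means the LAN's connected route shadows those ISP hosts."""
    lan = ipaddress.ip_network(lan_prefix, strict=False)
    return [str(p) for p in (ipaddress.ip_network(x) for x in isp_prefixes)
            if lan.overlaps(p)]


def quiet_slash24s(block: str, avoid=COMMON_HOME):
    """Yield the /24s inside `block` that avoid every commonly chosen home range.
    A generator, since 172.16/12 alone holds 4096 of them."""
    net = ipaddress.ip_network(block)
    for sub in net.subnets(new_prefix=24):
        if not any(sub.overlaps(a) for a in avoid):
            yield str(sub)


def count_slash24s(block: str) -> int:
    """Number of /24s that fit in a block: 256 in 192.168/16, 4096 in 172.16/12."""
    net = ipaddress.ip_network(block)
    return 2 ** (24 - net.prefixlen) if net.prefixlen <= 24 else 0


if __name__ == "__main__":
    # Constructed sample: ISP keeps its servers in 172.19.223.0/24 and 192.168.1.0/24.
    isp = ["172.19.223.0/24", "192.168.1.0/24"]
    print(clashes("192.168.1.0/24", isp))   # the common home choice collides
    print(clashes("172.16.5.0/24", isp))    # a less common choice does not
    print(count_slash24s("192.168.0.0/16"), count_slash24s("172.16.0.0/12"))
    print(next(quiet_slash24s("172.16.0.0/12")))  # first uncrowded /24 for an ISP
```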