[arin-ppml] An article of interest to the community....
owen at delong.com
Thu Sep 1 17:27:13 EDT 2011
On Sep 1, 2011, at 8:35 AM, Chris Engel wrote:
>>> When STLS was being developed, the AC was very careful to specify that
>>> merely listing resources for sale on STLS or through another medium was
>>> not in itself to subject a resource holder to a section 12 review or any
>>> procedure for revocation. Neither, however, was such listing intended to
>>> provide a safe harbor against ARIN proceeding with any such action
>>> based on other independent data or investigation.
>>> In other words, while we don't want listing your addresses to flag you for
>>> an audit, we also don't want to create a situation where merely listing
>>> addresses gives you an exemption from policy.
>> Hi Owen,
>> In the real world, the real corporate world at least, the idea of every
>> workstation having a real public IP address went away more than a decade
>> for the most part.
>> Same thing in the residential world.
>> In fact, my guess is that you would only see such profligate use of IP
>> addresses in public or academic environments.
> I can't speak for the residential or academic world, but in the corporate world this rings true to my experience. We do business with a lot of Fortune 1000s and a fair number of them put you through a security review/audit in order to qualify you as a vendor. Almost every one I've been through has a control to the effect of "Your company must utilize NAT & RFC1918 space". If you don't do that, you fail the control and possibly the audit. Whether you agree with it or not, it IS an accepted standard in enterprise security these days.
> Chris Engel
Considering NAT does nothing for security, that's just proof that most enterprise policy is not related to reality.
There's a small argument that can be made for NAT improving privacy.
There's a pretty good argument for NAT's detrimental effect on security for the same reasons it is beneficial to privacy. It obscures audit trails, complicates tracing of malicious packets, etc.
Yes, NAT has been in widespread use in the corporate environment for years. Yes, I've seen this silliness hit and I've seen organizations create a dysfunctional network segment just to act as a gateway to these silly organizations that insist on it.
I've also watched a lot of these environments wrap themselves hard around the axle when their two uses of RFC-1918 collided.
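As an added illustration of the two failure modes described in this reply (example code, not from the thread), a constructed NAT translation log in a hypothetical one-line-per-mapping format, a lookup that maps an externally observed socket back to inside hosts, and a check for overlapping RFC 1918 prefixes:

```python
from ipaddress import ip_network
from datetime import datetime

# Constructed NAT translation log (hypothetical format):
# <window start> <window end> <inside ip:port> <outside ip:port>
# Note the outside socket 203.0.113.7:40001 is reused for two inside hosts.
NAT_LOG = """\
2011-09-01T15:02:11 2011-09-01T15:04:30 10.1.2.3:51234 203.0.113.7:40001
2011-09-01T15:10:00 2011-09-01T15:11:45 10.1.2.9:43210 203.0.113.7:40001
2011-09-01T15:10:05 2011-09-01T15:12:00 10.1.2.3:51300 203.0.113.7:40002
"""

RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nat_log(text):
    """Return a list of (start, end, inside, outside) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, inside, outside = line.split()
        entries.append((datetime.fromisoformat(start),
                        datetime.fromisoformat(end), inside, outside))
    return entries


def attribute(entries, outside, when=None):
    """Map an outside socket seen by a third party back to inside sockets.

    Without the translation log there is nothing to join against; without a
    timestamp the same outside socket can resolve to several inside hosts.
    Returns the set of candidate inside sockets (empty = trail is lost).
    """
    instant = datetime.fromisoformat(when) if when else None
    return {inside for start, end, inside, out in entries
            if out == outside and (instant is None or start <= instant <= end)}


def rfc1918_collision(prefix_a, prefix_b):
    """True when two RFC 1918 prefixes overlap (the merger/VPN collision case)."""
    a, b = ip_network(prefix_a), ip_network(prefix_b)
    both_private = all(any(n.subnet_of(r) for r in RFC1918) for n in (a, b))
    return both_private and a.overlaps(b)


if __name__ == "__main__":
    log = parse_nat_log(NAT_LOG)
    print(attribute(log, "203.0.113.7:40001"))                         # ambiguous
    print(attribute(log, "203.0.113.7:40001", "2011-09-01T15:03:00"))  # one host
    print(rfc1918_collision("10.1.0.0/16", "10.1.2.0/24"))            # True
```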