From owner-freebsd-isp Tue Jun 4 06:45:02 1996
Return-Path: owner-isp
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA11933 for isp-outgoing; Tue, 4 Jun 1996 06:45:02 -0700 (PDT)
Received: from marikit.iphil.net (map@marikit.iphil.net [203.176.0.4]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA11916 for ; Tue, 4 Jun 1996 06:44:55 -0700 (PDT)
Received: (from map@localhost) by marikit.iphil.net (8.7.5/8.6.9) id VAA14583; Tue, 4 Jun 1996 21:44:21 +0800
Date: Tue, 4 Jun 1996 21:44:21 +0800
From: "Miguel A.L. Paraz"
Message-Id: <199606041344.VAA14583@marikit.iphil.net>
To: local-ir@apnic.net, inet-access@earth.com, freebsd-isp@freebsd.org, linuxisp@lightning.com
Posted-To: comp.security.firewalls,comp.protocols.tcp-ip
Subject: Strategy for conserving IP address allocations
Reply-To: map@iphil.net
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

[This message has also been posted.]

Hello,

I'm interested in implementing firewalls, not for security, but for conserving IP addresses. As an ISP, I want to limit IP address usage, and want to give large IP address blocks to downstream ISPs only.

So far, I've had success with using the RFC 1918 space (192.168.0.0 and company) for client networks. However, this requires application level proxies for everything that has to get out. Up to now, it has been fine, since proxies are readily available for WWW and NNTP, the TIS plug-gw is fine for apps like irc, and e-mail requires no proxies.

Now, I want to make the use of RFC 1918 space REQUIRED -- that is, it is official company policy NOT to give world-routable IP addresses to non-ISPs. However, I know there will be the demand for apps that require real IPs. (Any success story with things like 'udprelay'? Expensive Network Address Translators are out of the question.) For these, I want to assign a small pool of real IPs, dynamically assigned from a free pool.

This is much like how dynamic IPs are assigned to dialup PPP users, except in this case, I'm assigning larger chunks, like /28's to /26's. Assume that my internal routers can handle the routing updates for these via OSPF.

The main problem I foresee is the client-end software, mostly Windows 3.1 (Trumpet Winsock), Windows for Workgroups, and Windows 95 clients, which AFAIK can only assign one IP per interface. Ideally, I want these systems to respond to both the 192.168.0.x addresses for internal purposes and Intranets, and the 203.176.x.x (my APNIC-assigned networks) for the apps that want real IP, at the same time. If not, at least a convenient way to switch between the two sets of IPs, since the router can have multiple IPs on the same Ethernet interface and serve as gateway between the two. When the interface IP changes, the default router should change, too.

Any comments or suggestions? I think the first hurdle to overcome is making end-user systems respond to more than one IP -- I'd appreciate any clues on how to do it, if possible. After that, I would suppose a DHCP server on the network or router can assign the real IPs.

Anyone doing this in the real world? My available tools are Cisco routers, and Linux and FreeBSD systems.

[Posted to comp.security.firewalls and comp.protocols.tcp-ip. Posted to local-ir@apnic.net, the APNIC mailing list, since I want to follow the "spirit of the law" when it comes to conserving IP allocations; I'm currently at /20, but want to stop at /19. Posted to inet-access@earth.com, freebsd-isp@freebsd.org, and linuxisp@lightning.com to see if other ISPs (especially with my platforms) are doing, or are contemplating it]

Thanks!

--
miguel a.l. paraz iphil communications, makati city, tech problems, to philippines.
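The post asks for a "small pool of real IPs, dynamically assigned from a free pool" in chunks of /28 to /26, with clients otherwise kept in RFC 1918 space. The following is an added illustration, not code from the original message or from any of the listed projects: a buddy-style prefix allocator that hands out and reclaims blocks of the requested size from a routable supernet, merges freed neighbours back together so the pool does not fragment, and refuses to serve a pool drawn from RFC 1918 space. The pool prefix 203.0.113.0/24 (an RFC 5737 documentation range), the client names and the `PrefixPool` API are all constructed for this example; the allocation sizes follow the post.

```python
"""Buddy-style allocator for routable subnet leases (/28 .. /26) from a free
pool, plus an explicit RFC 1918 check for the internal side of the network.
Added example; the pool, client names and API are assumptions, not the post's."""
import ipaddress
from typing import Dict, List, Optional

# RFC 1918 private space, as named in the post ("192.168.0.0 and company").
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample pool: a documentation prefix, not a real allocation.
SAMPLE_POOL = "203.0.113.0/24"


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class PrefixPool:
    """Lease fixed-size blocks (min_prefix .. max_prefix) out of one supernet.

    Free blocks are kept per prefix length; a request is served by splitting the
    smallest sufficient block, and releases merge a block with its buddy while
    the buddy is also free, so the pool returns to large contiguous blocks.
    """

    def __init__(self, supernet: str, min_prefix: int = 26, max_prefix: int = 28):
        self.supernet = ipaddress.ip_network(supernet)
        if any(self.supernet.subnet_of(n) for n in RFC1918):
            raise ValueError("pool must be routable space, not RFC 1918")
        self.min_prefix, self.max_prefix = min_prefix, max_prefix
        self.free: Dict[int, List[ipaddress.IPv4Network]] = {self.supernet.prefixlen: [self.supernet]}
        self.leases: Dict[str, ipaddress.IPv4Network] = {}  # client id -> leased block

    def allocate(self, client: str, prefixlen: int) -> Optional[ipaddress.IPv4Network]:
        """Return a /prefixlen block for client, or None if the pool is exhausted."""
        if not (self.min_prefix <= prefixlen <= self.max_prefix):
            raise ValueError(f"/{prefixlen} outside allowed /{self.min_prefix}../{self.max_prefix}")
        if client in self.leases:  # a repeated request keeps the existing lease
            return self.leases[client]
        # Smallest free block that is large enough: walk from the requested size up.
        for plen in range(prefixlen, self.supernet.prefixlen - 1, -1):
            if self.free.get(plen):
                block = self.free[plen].pop(0)
                break
        else:
            return None
        # Split down to the requested size; the upper halves go back on the free list.
        while block.prefixlen < prefixlen:
            lower, upper = block.subnets(prefixlen_diff=1)
            self.free.setdefault(upper.prefixlen, []).append(upper)
            block = lower
        self.leases[client] = block
        return block

    def release(self, client: str) -> None:
        """Give a client's block back and merge it with free buddies."""
        block = self.leases.pop(client)
        while block.prefixlen > self.supernet.prefixlen:
            parent = block.supernet(prefixlen_diff=1)
            lower, upper = parent.subnets(prefixlen_diff=1)
            buddy = upper if block == lower else lower
            bucket = self.free.get(block.prefixlen, [])
            if buddy not in bucket:
                break
            bucket.remove(buddy)
            block = parent
        self.free.setdefault(block.prefixlen, []).append(block)

    def leased_addresses(self) -> int:
        """Total routable addresses currently out on lease (useful for utilisation reports)."""
        return sum(net.num_addresses for net in self.leases.values())


if __name__ == "__main__":
    pool = PrefixPool(SAMPLE_POOL)
    for client, size in (("clientA", 28), ("clientB", 28), ("clientC", 26)):
        print(client, "->", pool.allocate(client, size))
    pool.release("clientA")
    pool.release("clientB")
    print("free after release:", {k: [str(n) for n in v] for k, v in pool.free.items() if v})
    print("192.168.0.5 is RFC 1918:", is_rfc1918("192.168.0.5"))
```

Run as a script it prints the three leases, then shows the two released /28s merged back into one /26. Merging on release is the part a real pool needs most: without it, a few weeks of /28 churn would leave the /24 unable to satisfy a single /26 request even when most addresses are idle.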