Re: SSH'ing between machines with private IPs
- From: Unruh <unruh-spam@xxxxxxxxxxxxxx>
- Date: 19 Apr 2006 15:59:03 GMT
"Richard E. Silverman" <res@xxxxxxxx> writes:
> "Unruh" == Unruh <unruh-spam@xxxxxxxxxxxxxx> writes:
> Unruh> The short answer is no. The longer answer is maybe. Private
> Unruh> IPs are better called unroutable IPs.
> That doesn't make sense -- any IP address is perfectly "routable;" entire
> organizations with large, complex networks route these packets every day.
> They are correctly called "private" addresses for their intended use: they
> must be kept within private networks, since they are not globally unique
> and hence cannot be used on the public Internet.
No. All public routers throw them away precisely because of their problems.
Sure, internally you may be able to route them, but no public router will
do so (or rather, should do so).
So I repeat, private IPs are better called unroutable IPs.
> Besides, these address ranges are defined in RFC 1918, entitled "Address
> Allocation for Private Internets," which refers explicitly and repeatedly
> to "private address space" and "private addresses."
> >> Yeah, it's easy with dynamic DNS. Your routers or an application
> >> running on the computahs updates the WAN IP address to a dynamic
> >> DNS service provider. You don't need to know the IP address of the
> >> other side of the link, just the FQDN (fully qualified domain
> >> name).
> Unruh> Unfortunately the updates to the public routing tables are
> Unruh> usually very slow. A week is not uncommon.
> I'm sorry, but this is nonsense. Convergence time for routing protocols
> is commonly measured in seconds, a few minutes at the outside perhaps for
> changes in the topology of the Internet at a large scale involving complex
> BGP relationships.
Experiments indicate otherwise.
ALL DNS is cached. Otherwise the net would be constantly clogged up with
DNS queries. The caching time varies. The authoritative source is supposed
to say how long the caching can go on for without renewal, but many do not
pay any attention to that.
> Also, this has nothing to do with the text preceding your comment: he was
> talking about the DNS; you responded with a comment about routing tables.
No, I was talking about DNS queries and DNS caching. That should have read
public DNS caches, I agree.
> Now perhaps, you meant to say something about changes to the DNS, rather
> than "routing tables." Even allowing that, your comment is still
> incorrect. Changes to second-level delegations (as when you register a
> new domain or transfer one) take two days to be completely effective once
> actually done by the TLD nameservers, since that is the enforced TTL on
> those NS records. But this fact is irrelevant to a service such as
You cannot enforce anything. It is up to the other side, the caching side
to honour your request. Many do not.
> dyndns.org, which is changing records within their own zones, and can
> change them just as quickly as it likes. These names can be updated
> within seconds or minutes of a DHCP change on a client.
Of course it CAN be. The question is what IS, not what can be.
> Unruh> depend not only on the dynamic dns but also on how often your
> Unruh> local dns server updates its cache.
> The "local DNS server" does not determine this; it is determined on a
> per-RR basis by their TTL values, which are in turn set by the owner of
> the containing zone -- in this case, the "dynamic DNS" service provider.
No, the TTL is a suggestion. The caching DNS server must honour that
request for it to be effective. The evidence is that they do not.
> --
> Richard Silverman
> res@xxxxxxxx
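The two things this exchange turns on are the TTL the zone owner puts on a record and what a caching resolver then does with it. The following is an added example, not code from this thread or from any dynamic-DNS provider: it pulls the TTL out of a constructed DNS answer (the hostname home.dyndns.example and the address 192.0.2.10 are made up, as are the floor and ceiling values) and shows how a resolver that clamps TTLs to a floor keeps serving a short-lived record for longer than the owner asked.

```python
import socket
import struct
def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def build_a_response(name, ip, ttl, txid=0x1234):
    """Constructed sample answer to an A query, shaped like a dynamic-DNS provider's
    reply; the answer name is a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR+RD+RA, 1 Q, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    rdata = socket.inet_aton(ip)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer: follow it
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_a_answers(msg):
    """Return [{'name', 'ttl', 'ip'}] for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                       # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:
            records.append({"name": name, "ttl": ttl, "ip": socket.inet_ntoa(msg[off:off + rdlen])})
        off += rdlen
    return records
def cached_ttl(ttl, floor, ceiling):
    """TTL a clamping resolver really uses: a floor stretches a 60 s record to minutes."""
    return max(floor, min(ttl, ceiling))
```

A 60-second dynamic-DNS record behind a resolver with a 300-second floor is served stale for five minutes after the client's address changes, which is the gap between what the zone owner sets and what the cache honours.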