Cover V06, I06

New Messages

Please send letters via email to saletter@mfi.com.

Subject: Comments on article...
Author: Ernest Bowman-Cisneros

I have several comments on the article by Charles C. Bundy titled "Connecting LAN Users to the Internet Using Linux and IP Masquerading" (Sys Admin, January 1997; Vol. 6, No. 1).

My first comment regards the example IP numbers used in the text of the article (111.222.333.x) and the IP addresses shown in the figures, as being in use by VDOT. In both instances, Mr. Bundy has used addresses that are legitimate Internet numbers (111.0.0.0 being a class A address and 198.0.0.0 being a class C address; refer to RFC-1466, http://ds.internic.net/ds/dspg1intdoc.html). The use of IP addresses for "Private Networks" is covered in RFC-1918, which states:

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

The first block will be referred to as the "24-bit block," the second as "20-bit block," and the third as "16-bit" block. Note that (in pre-CIDR notation) the first block is nothing but a single class A network number, while the second block is a set of 16 contiguous class B network numbers, and third block is a set of 256 contiguous class C network numbers.

Your readers should be aware that homes and businesses that utilize the scheme outlined by Mr. Bundy need to use IP addresses in the above blocks for their private LANs. These IP numbers are special in that commercial gateways and routers have built-in filters to drop packets with these IP addresses, useful if your local LAN leaks packets out onto the Internet.

My other comment regards statements in the article alluding to the fact that crackers could initiate connections to machines within his LAN. In the scheme that Mr. Bundy describes, the IP masquerading prevents hosts outside the LAN from initiating connections to internal systems, by virtue that all incoming packets have the IP address of VDOT's gateway. Crackers could not succeed in breaking into any machine on VDOT's LAN unless they had already compromised the security of the gateway. In this respect, the gateway should not be considered a trusted host on the internal LAN and should not be allowed to initiate connections or accept connections from any host. Crackers could hijack existing open connections between Internet hosts and VDOT's internal LAN, or initiate a denial of service attack on their gateway. These kinds of attacks are more difficult to deal with.

My final comment regards the statement made by Mr. Bundy regarding broadcast traffic originating from his LAN. Broadcast traffic is meant to be seen on a network segment containing hosts in a single address space. Routers and gateways (and other such network devices) filter broadcast traffic when pushing packets from one network segment to another, and as such VDOT's ISP should never see any of their LAN's broadcast traffic.

Overall, Mr. Bundy's article was well written and provided useful information for persons wishing to connect their small business and home LAN to the Internet. I enjoy reading every issue of Sys Admin, as there is always some little nugget of information that is new to me. Keep up the good work.

Ernest Bowman-Cisneros
Senior UNIX System Administrator
ebc@phy.duke.edu
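
An added example, not part of the letter or of the magazine's text: a Python check of proposed LAN networks against the three RFC 1918 blocks quoted in the letter above. The networks in SAMPLE_PLAN are constructed for illustration; 111.222.333.x and 198.0.0.0 come from the letter, and the /24 masks on them are assumptions.

```python
import ipaddress

# The three private blocks quoted from RFC 1918 in the letter above.
RFC1918_BLOCKS = {
    "24-bit block": ipaddress.ip_network("10.0.0.0/8"),
    "20-bit block": ipaddress.ip_network("172.16.0.0/12"),
    "16-bit block": ipaddress.ip_network("192.168.0.0/16"),
}

def classify_lan(cidr):
    """Return (verdict, detail) for a proposed LAN network in CIDR form."""
    try:
        # strict=False accepts a host address with a mask, e.g. 10.1.2.3/24
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError as exc:
        return ("invalid", str(exc))       # e.g. an octet above 255
    if net.version != 4:
        return ("invalid", "RFC 1918 covers IPv4 only")
    for name, block in RFC1918_BLOCKS.items():
        if net.subnet_of(block):
            return ("private", name)       # entirely inside one block
        if net.overlaps(block):
            return ("mixed", "only partly inside the " + name)
    return ("outside", "not in any RFC 1918 block")

# Constructed sample plan (masks are assumptions, see lead-in).
SAMPLE_PLAN = [
    "111.222.333.0/24",   # the article's example numbers: not a valid address
    "198.0.0.0/24",       # valid, but outside the private blocks
    "192.168.1.0/24",     # inside the 16-bit block
    "172.31.255.0/24",    # last /24 of the 20-bit block
    "172.32.0.0/16",      # just past the end of the 20-bit block
    "10.0.0.0/7",         # mask too short: spills outside 10/8
]

def audit(plan):
    """Map each proposed network to its classification."""
    return {cidr: classify_lan(cidr) for cidr in plan}

if __name__ == "__main__":
    for cidr, (verdict, detail) in audit(SAMPLE_PLAN).items():
        print(f"{cidr:<20} {verdict:<8} {detail}")
```
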

Subject: Xi Graphics ad in Jan '97 issue
Author: Mike Adams <MADAMS3@WPO.HCC.COM> at Internet

Dear Sys Admin,

I have thoroughly enjoyed your magazine since September of 1995. The format and content have always been excellent.

Thus, I was surprised and irritated when I saw the ad from Xi Graphics on page 46 of the January 1997 issue. This ad tries the old technique of posing as editorial content in order to catch the reader's interest.

I am amazed that you would allow such drivel to be published in your otherwise fine magazine. Sure, there's no law against this type of ad. Sure, your readers will realize before long that it is in fact an ad. But it adds an air of cheapness to your first issue of 1997.

I understand that advertising is a requirement for you to continue publishing the magazine. I don't mind at all the ads that say "Here's what we have to offer, we think it's really great, here's how you can contact us for more info." If Xi Graphics' software is so great, why do they need to stoop to such tactics to market it? And why would Sys Admin put up with this kind of trash?

Please consider the impact that such advertising can have on your publication's image.

Thanks,
Mike Adams

Mr. Adams,

Thank you very much for your feedback. The issue you raise is a very difficult one to which we gave serious consideration before this ad was published. On the one hand, we owe it to our readers not to allow them to be misled about the difference between advertising and Sys Admin's editorial content. On the other hand, we don't write copy or do design work for our advertisers - what they put in their ads is their responsibility. In the end, we agreed with Xi Graphics to modify this ad in a number of ways from the first draft we received to change the "look & feel" from that of our editorial text. We also added the word "Advertisement" prominently above the headline. We felt this would allow our readers to clearly differentiate it from our editorial content.

In the end, our readers are the final judges on how well we have toed this very fine line. We will strive to continue to provide you and all our readers with the highest quality information on UNIX systems administration, and ask that you excuse us for the occasional decisions which you might have made differently.

Edwin Rothrock
Publisher,
Sys Admin