nanog mailing list archives

Re: Why is RFC1918 space in public DNS evil?


From: Jim Mercer <jim () reptiles org>
Date: Mon, 18 Sep 2006 08:55:47 -0400


On Mon, Sep 18, 2006 at 08:36:44AM -0400, Daniel Senie wrote:
> At 04:33 AM 9/18/2006, Jim Mercer wrote:
> > if the hosts inside the VPN can only be accessed by hostnames served up
> > inside the VPN, then it is more likely the users can be confident that
> > their data is actually traversing the VPN.
> >
> > it works, or it don't.
>
> Or, the user's computer is still caching information. Internet
> Explorer does this, and other browsers may as well. I keep a link
> to a script on my Windows desktop labelled "Flush DNS" and wind up
> using it often. If the user is accessing sites across the VPN, and as
> another poster writes the VPN drops, packets containing juicy,
> private information could well leak out in places people didn't intend.
>
> As risks go, this might not be too severe in many cases, but if you
> were doing a security assessment for sarbox or HIPAA, would you
> consider it safe? Do the remote sites indeed have filters blocking
> traffic to/from RFC1918 space that don't traverse the VPN?

maybe put some null routes on the PCs for the blocks, and have them overridden
when the VPN comes up.  could be done as part of the install of the VPN
software/config?


-- 
[ Jim Mercer        jim () reptiles org        +971 50 436-3874 ]
[          I want to live forever, or die trying.            ]
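The mitigation Jim sketches above (null routes for the RFC1918 blocks on the client, which the VPN's more-specific routes override while the tunnel is up) can be checked with a longest-prefix-match simulation. The block below is an added example written for this archive page, not code from the thread or from any VPN product; the corporate prefix 10.20.0.0/16, the interface names tun0/eth0 and the "cached" internal address 10.20.1.5 are constructed for illustration. It answers Daniel's question directly: where does a packet to a still-cached private address go once the VPN drops, with and without the null routes?

```python
"""Route-table simulation: does traffic to an RFC1918 address leak when the VPN drops?

Added example, not from the NANOG thread.  It models the suggestion made in the
thread: blackhole routes for the RFC1918 blocks on the client PC, overridden by
the VPN's more-specific routes while the tunnel is up.  Prefixes, interface
names and the cached destination are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# The three private blocks defined in RFC 1918.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str          # "blackhole", "tun0", "eth0", ...


def lookup(table, dst):
    """Longest-prefix match over the table, the way a kernel FIB chooses a route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.via if best else "unroutable"


def base_table(with_null_routes):
    """Client table with no VPN: a default route to the ISP, optionally the null routes."""
    table = [Route(ipaddress.ip_network("0.0.0.0/0"), "eth0")]
    if with_null_routes:
        table += [Route(n, "blackhole") for n in RFC1918]
    return table


def add_connected(table, prefix, via="eth0"):
    """A directly connected subnet (e.g. the home LAN); assumed /24 is more specific than the /16 null route."""
    return table + [Route(ipaddress.ip_network(prefix), via)]


def with_vpn(table, corp_prefix="10.20.0.0/16"):
    """VPN up: the client receives a more-specific route for the corporate prefix via tun0."""
    return table + [Route(ipaddress.ip_network(corp_prefix), "tun0")]


def scenario(with_null_routes, dst="10.20.1.5"):
    """Return (path while VPN up, path after VPN drops) for a destination the
    browser may still have cached from a DNS answer that was only valid inside the VPN."""
    base = base_table(with_null_routes)
    return lookup(with_vpn(base), dst), lookup(base, dst)


if __name__ == "__main__":
    for flag in (False, True):
        up, down = scenario(flag)
        label = "yes" if flag else "no"
        print(f"null routes={label:3}  VPN up -> {up:9}  VPN down -> {down}")
    # Caveat: the home LAN keeps working because its connected /24 beats the /16 blackhole.
    lan = add_connected(base_table(True), "192.168.1.0/24")
    print("home LAN host 192.168.1.20 ->", lookup(lan, "192.168.1.20"))
```

Without the null routes the cached 10.20.1.5 falls through to the default route and leaves via the ISP in the clear once the tunnel is gone; with them it is blackholed on the host. The connected-route check at the end is the caveat to test before rolling this out: a home or hotel LAN in 192.168.0.0/16 still works because its directly connected /24 is more specific than the /16 null route, but a site that hands out a bare /16 or /8 on the LAN would need its own exception.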

