nanog mailing list archives
Re: Arguing against using public IP space
From: Jimmy Hess <mysidia () gmail com>
Date: Sun, 13 Nov 2011 11:48:06 -0600
On Sun, Nov 13, 2011 at 10:38 AM, Robert Bonomi <bonomi () mail r-bonomi com> wrote:
> On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis <jlewis () packetnexus com> wrote:
> In addition, virtually _every_ ASN operator has ingress filters on their border routers to block almost all traffic to RFC-1918 destinations.

Well, when we are talking about selection of IP addresses as a supposed security feature... the view that "your ASN operator probably has ingress filters" is an optimistic one.

The relevant question, if you expect "private IP" to be a security feature, is: "Can you legitimately rely on your ASN operator having ingress filters on border routers to block your RFC1918 destinations from remote access?"

And the proper answer is NO, you cannot rely on that; if your network design relies on this assumption, then it is not secure.

If your router is compromised, an intruder can announce your private RFC1918 IP address space through a tunnel. If an intruder is a conspirator with one of your peer networks, they can conspire with your peer to allow an RFC1918 announcement from your network. Or create a static route for an RFC1918 subnet on your network.

In other words, your use of RFC1918 address space alone does not create security. Your RFC1918 network actually _does_ need isolation separate and apart from the address space. For you to have reliable security, you still need a firewall, proxy, or NAT device of some form, with the private network isolated from the public one, even when using private IPs.

--
-JH
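As an added illustration of the point above (example code, not part of the original message or the list archive): an audit that walks a routing table and flags RFC 1918 prefixes learned from anything other than locally controlled sources, which is where a tunnelled announcement, a peer-accepted leak or a stray static route would show up. The route-line format, the source names and the sample routes are constructed for the example.

```python
"""Flag RFC 1918 prefixes that arrive from routing sources outside local control."""
import ipaddress

# The three RFC 1918 private ranges.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Route sources the local operator controls (assumed set for this example).
# Anything else -- eBGP peers, GRE/IPsec tunnels, hand-added statics --
# is treated as untrusted when it carries a private prefix.
TRUSTED_SOURCES = {"connected", "ospf", "ibgp"}

# Constructed sample routing-table lines in a simplified, hypothetical format:
# "<prefix> via <next-hop> proto <source>"
SAMPLE_ROUTES = """\
10.1.0.0/16 via 10.1.0.1 proto connected
192.0.2.0/24 via 203.0.113.1 proto ebgp
10.20.0.0/16 via 198.51.100.7 proto ebgp
172.16.5.0/24 via 10.99.0.2 proto gre
192.168.100.0/24 via 203.0.113.9 proto static
198.51.100.0/24 via 203.0.113.1 proto ebgp
"""


def parse_route(line):
    """Parse one route line into (network, next_hop, source)."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "via" or parts[3] != "proto":
        raise ValueError(f"unrecognised route line: {line!r}")
    net = ipaddress.ip_network(parts[0], strict=False)
    return net, ipaddress.ip_address(parts[2]), parts[4].lower()


def is_private(net):
    """True if the network lies inside any RFC 1918 range (IPv4 only)."""
    return net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_NETS)


def find_private_leaks(lines):
    """Return (prefix, next_hop, source) for private prefixes from untrusted sources."""
    leaks = []
    for line in lines:
        if not line.strip():
            continue
        net, next_hop, source = parse_route(line)
        if is_private(net) and source not in TRUSTED_SOURCES:
            leaks.append((str(net), str(next_hop), source))
    return leaks


if __name__ == "__main__":
    for prefix, next_hop, source in find_private_leaks(SAMPLE_ROUTES.splitlines()):
        print(f"private prefix {prefix} learned via {next_hop} ({source})")
```

Any hit is a prefix whose reachability depends on someone else's filtering, which is exactly the situation the message warns against; the same check can be run against a real `show ip route` export once the parser is adapted to that format.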