nanog mailing list archives
Re: Arguing against using public IP space
From: William Herrin <bill () herrin us>
Date: Tue, 15 Nov 2011 21:44:20 -0500
On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews <marka () isc org> wrote:

> Given that most NATs only use a small set of addresses on the inside
> it is actually feasible to probe through a NAT using LSR. Most
> attacks don't do this as there are lots of lower hanging fruit.

Mark,

My car can be slim-jimmed. Yet the lock is sufficiently operative in the security process that the two times the vehicle has been broken into the vagrant put a rock through the window instead of jimmying the lock.

That's what it MEANS when you say that there's lower hanging fruit to be found elsewhere. It means that the feature you're describing is operative in the process of obstructing an attacker.

As an aside to the debate, I boldly suggest that any firewall vendor which actually implements LSR or any of the IP source route functionality anywhere in their code deserves to be tarred and feathered. The security implications of source routing have been long understood. Code which implements source routing has no business existing in a commercial firewall product where it could accidentally be called. Please, by all means, take this opportunity to out any such errors which you can document.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004