Firewall Wizards mailing list archives

ip classless?


From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Fri, 25 Apr 2003 10:11:22 -0500

I'm wondering, and perhaps this isn't the right forum, but...what are the
*security* implications of changing "no ip classless" to "ip classless" in a
Cisco Router IOS. The router is the perimeter router, between the DMZ and
the Internet.

I found http://www.networkking.net/out/IPClassless.php (a humorous, but
informative read, thanks Bernard) which, to me, says, if you break a class
into pieces, you have to tell the router about every single piece of the
class, otherwise the router will simply drop packets to destinations (in
that class) you haven't told the router about. However, the article in the
above URL deals with RIP, whereas my case only deals with static routing.

So, to extrapolate that out to just static routing, do the same rules apply?
We are arguing that rather than having to specify how to route all the
specific destinations in that class (some inside, but most out to the
Internet), one could just specify static routes (to those destinations
we know are on the inside) to the inside interface, and enable "ip classless"
and let it direct the "other stuff" to the default route, i.e. out to the
Internet.

We feel more comfortable simply using multiple static routes to get that
class routed correctly, so this question is mostly academic at this point. I
guess the underlying problem we have is that just because we don't fully
understand "ip classless" we feel *more* secure using static routes. The
question is, do they accomplish exactly the same thing, or should we be
paranoid regarding "ip classless"? Could someone bounce packets
off/through the router by having ip classless enabled, whereas they couldn't
if it was disabled?

Jeff
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
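The difference the question turns on can be shown with a small forwarding-lookup simulation. This is an added example, not code from the list or from Cisco; it models the documented behaviour of the two settings over a constructed routing table (a class C block split into pieces, only the inside pieces listed, plus a default route) and assumes the classful rule that a router with "no ip classless" drops a packet whose major network it knows a subnet of but whose specific subnet it does not.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample table for a perimeter router (not from the original post):
# two inside pieces of the class C network 192.0.2.0/24, plus a default route.
ROUTES: Dict[str, str] = {
    "192.0.2.0/26": "inside",
    "192.0.2.64/26": "inside",
    "0.0.0.0/0": "internet",
}

def classful_network(addr: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Network]:
    """Return the classful (A/B/C) major network containing addr, or None for D/E."""
    first = int(addr) >> 24
    if first < 128:
        plen = 8
    elif first < 192:
        plen = 16
    elif first < 224:
        plen = 24
    else:
        return None
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def lookup(dst: str, routes: Dict[str, str], ip_classless: bool) -> Optional[str]:
    """Return the next hop for dst, or None if the router would drop the packet."""
    addr = ipaddress.ip_address(dst)
    table = [(ipaddress.ip_network(p), nh) for p, nh in routes.items()]
    matches = [(net, nh) for net, nh in table if addr in net]
    # Longest prefix match; the default route guarantees at least one match.
    best_net, best_nh = max(matches, key=lambda m: m[0].prefixlen)
    if ip_classless or best_net.prefixlen > 0:
        return best_nh
    # Only the default route matched. Classful rule ("no ip classless"): if the
    # router knows any subnet of this destination's major network, it does not
    # fall back to the default route but drops the packet.
    major = classful_network(addr)
    if major is not None and any(
        net.prefixlen > 0 and net != major and net.subnet_of(major) for net, _ in table
    ):
        return None
    return best_nh
```

Running it shows the security-relevant point of the question: a destination in the split class that has no static route is dropped under "no ip classless" but forwarded to the Internet under "ip classless".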
