nanog mailing list archives

Re: RFC1918 addresses to permit in for VPN?


From: Randy Bush <randy () psg com>
Date: Sun, 31 Dec 2000 14:02:24 -0800


No, but putting your car on a private road that you need to circumvent
several roadblocks to reach IS a pretty good deterrent to its being in an
accident.

I doubt the roadblocks are anything serious in most cases; if all
you're doing is RFC1918 addressing, then source-routing on the
attacker's side can probably make your box theirs in short order. Most
people of this ilk I've encountered think so highly of RFC1918
addressing as a security measure that they blindly assume no other
precautions are necessary. I would hope that no-one on this list would
stoop to *that* level of stupidity. Presenting a "security by
obscurity" argument is bad enough.

Blocking source-routed packets at the borders will stop this in short
order, except for those of you who peer with people who require "loose
source routing".  (Randy, I believe it was Verio that required this, am I
mistaken?)

yes, but the sub-discussion is quite bogus.  lsr is not required to get
through a nat.  the nat presents an outer address that maps directly to the
inner address.  attack the outer address directly and you have attacked the
inner address.  life is simple.

that's all a nat does, translate addresses.  again, changing your car's
license plates does not make it less vulnerable to accidents.

people commonly confuse nats with packet filters, stateful filters, algs,
etc.  of course the readers of this list would not be so easily confused.

randy
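Randy's point that a NAT only translates addresses, illustrated with an added example that is not part of the thread: a toy static 1:1 NAT beside a stateful filter (constructed addresses from the documentation ranges, 10.0.0.5 behind 203.0.113.10) shows that an unsolicited packet to the outer address reaches the inner host unless something other than the NAT decides to drop it.

```python
# Added example, not from the thread. Toy model of a static 1:1 NAT next to a
# stateful filter, to show that the NAT itself drops nothing.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class StaticNat:
    """1:1 NAT: rewrite dst inbound and src outbound. Nothing is dropped."""
    def __init__(self, outer_to_inner):
        self.in_map = dict(outer_to_inner)
        self.out_map = {inner: outer for outer, inner in outer_to_inner.items()}
    def inbound(self, pkt):
        inner = self.in_map.get(pkt.dst)
        return None if inner is None else Packet(pkt.src, inner, pkt.sport, pkt.dport)
    def outbound(self, pkt):
        return Packet(self.out_map.get(pkt.src, pkt.src), pkt.dst, pkt.sport, pkt.dport)

class StatefulFilter:
    """Pass inbound only when it is the reply to a flow an inside host opened."""
    def __init__(self):
        self.flows = set()
    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt
    def inbound(self, pkt):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt if reverse in self.flows else None

def inbound_path(nat, filt, pkt):
    """Inbound: translate first, then filter on inner addresses (filt may be None)."""
    pkt = nat.inbound(pkt)
    return pkt if pkt is None or filt is None else filt.inbound(pkt)

def scenario():
    # Constructed addresses: 203.0.113.10 is the NAT's outer address for 10.0.0.5.
    nat = StaticNat({"203.0.113.10": "10.0.0.5"})
    unsolicited = Packet("198.51.100.7", "203.0.113.10", 4444, 22)
    nat_only = inbound_path(nat, None, unsolicited)   # NAT alone: reaches 10.0.0.5
    filt = StatefulFilter()
    filtered = inbound_path(nat, filt, unsolicited)   # with filter: dropped, no flow
    nat.outbound(filt.outbound(Packet("10.0.0.5", "198.51.100.7", 40000, 80)))
    reply = Packet("198.51.100.7", "203.0.113.10", 80, 40000)
    allowed = inbound_path(nat, filt, reply)          # reply to inside-opened flow passes
    return nat_only, filtered, allowed
```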
