nanog mailing list archives

Globally unique versus globally routable (was RE: RFC1918)


From: Sean Donelan <sean () donelan com>
Date: 2 Jan 2001 12:49:22 -0800


Using RFC1918 space also gets you an IP range where the outside world has
no route to it -- Sorry, but no, packets are not getting there, ergo no way
to hack.

At that point, just by use of simple routing, you've effectively
eliminated 100% of attacks from the outside, and you only have to worry
about inside.  The front door is secure, now work on the back door.

One of the things which has always annoyed me about this argument was
people making the assumption that routing of addresses and registration
of addresses was related.

You can have a globally unique address, registered with an address registry
(arin, ripe, apnic), which is not routed on the Internet.

You can have a "private" shared address, which is routed on the Internet.
People who can't figure out how to filter also can't figure out how to
filter RFC1918 addresses.  So route leaks of RFC1918 space are common.

If your filters are properly configured, there is no difference in the
security of RFC1918 addresses or globally unique addresses.

What makes RFC1918 addresses "secure" isn't the addresses, but the route
filters.  If your filters aren't properly configured, there is no difference
in the security of globally unique addresses or RFC1918 addresses.

Personally, I prefer to always use globally unique addresses whether or
not they are announced on the Internet because they cause fewer
(security, operational, etc.) problems when a route does leak.  The problem
with RFC1918 addresses is, if you have an accidental route leak, you have a fairly
high probability of getting nailed by someone else using the same address.
Humans have an annoying habit of choosing the same "easy to remember" private
addresses.

If any security consultant tells you your computers are secure because they
are using RFC1918 addresses, I would suggest grabbing your wallet and running.
And, yes I've heard security consultants from the "Big 5" firms say exactly
that.

Note: I did not say either RFC1918 addresses or globally unique addresses
were secure, only that there is no difference in the level of security between
them.
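The post's point is that reachability comes from route filters, not from the address class: an RFC1918 prefix that leaks past a missing filter is routed, and a registered prefix that is never announced is not. The following added example (not code from the post or from NANOG) models that with Python's standard `ipaddress` module: a filter that rejects RFC1918 space and accepts only prefixes a peer is registered for, plus a check for the collision the post warns about, where a leaked private prefix overlaps the local addressing plan. The peer allowlist, received announcements and local plan are constructed sample data using documentation prefixes.

```python
"""Route-filter checks for RFC1918 leaks and address collisions.

Added illustration of the thread's argument; assumes a simplified
string-based view of received BGP prefixes (constructed below).
"""
import ipaddress

# The three RFC1918 private blocks.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(prefix):
    """True if the prefix falls entirely inside RFC1918 space."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 4 and any(net.subnet_of(b) for b in RFC1918)


def filter_update(prefix, allowed):
    """Decide whether to accept a received route from a peer.

    allowed: prefixes the peer is registered to announce (what a
    registry-derived prefix-list would contain).  Returns (decision, reason).
    The security property lives here, in the filter, not in the address.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return ("reject", "ipv4-only-example")
    if is_rfc1918(prefix):
        return ("reject", "rfc1918")          # leaked private space: drop it
    for a in allowed:
        if net.subnet_of(ipaddress.ip_network(a)):
            return ("accept", "registered")   # covered by the peer's allocation
    return ("reject", "not-in-allowlist")     # globally unique but not theirs


def leak_collisions(local_prefixes, received_prefixes):
    """Return received prefixes that overlap the local addressing plan.

    If such a leaked route were accepted, traffic for local hosts would be
    diverted to someone else using the same 'easy to remember' addresses.
    """
    local = [ipaddress.ip_network(p) for p in local_prefixes]
    hits = []
    for p in received_prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if any(net.overlaps(l) for l in local):
            hits.append(p)
    return hits


# Constructed sample data (documentation prefixes stand in for real ones).
PEER_ALLOWED = ["203.0.113.0/24", "198.51.100.0/24"]
RECEIVED = ["203.0.113.0/25", "10.1.0.0/16", "192.0.2.0/24", "198.51.100.128/25"]
LOCAL_PLAN = ["10.1.0.0/16", "10.2.0.0/16"]   # this site's internal plan


def run():
    """Apply the filter to every received prefix and report collisions."""
    decisions = {p: filter_update(p, PEER_ALLOWED) for p in RECEIVED}
    collisions = leak_collisions(LOCAL_PLAN, RECEIVED)
    return decisions, collisions


if __name__ == "__main__":
    decisions, collisions = run()
    for p, (decision, reason) in decisions.items():
        print(f"{p:20} {decision:7} {reason}")
    print("leaked prefixes overlapping local plan:", collisions)
```

With the sample data, the leaked `10.1.0.0/16` is rejected by the filter and also flagged as overlapping the local plan, while `192.0.2.0/24` is globally unique yet still rejected because the peer holds no registration for it; whether a prefix is "private" never enters the accept decision on its own.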
