nanog mailing list archives

Re: Arguing against using public IP space


From: Cameron Byrne <cb.list6 () gmail com>
Date: Sun, 13 Nov 2011 13:57:51 -0800

On Sun, Nov 13, 2011 at 12:13 PM, William Herrin <bill () herrin us> wrote:
On Sun, Nov 13, 2011 at 11:38 AM, Robert Bonomi
<bonomi () mail r-bonomi com> wrote:
On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis <jlewis () packetnexus com> wrote:
http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html

Any article that claims a /12 is a 'class B', and a /16 is a 'Class C', is
DEFINITELY 'flawed'.

Hi Robert,

Give the chart a second look. 192.168.0.0/16 (one of the three RFC1918
spaces) is, in fact, a /16 of IPv4 address space and it is, in fact,
found in the old "class C" range. Ditto 172.16.0.0/12. If there's a
nitpick, the author should have labeled the column something like
"classful area" instead of "classful description."


On Sun, Nov 13, 2011 at 10:36 AM, Jason Lewis <jlewis () packetnexus com> wrote:
I've always looked at private IP space as more of a
resource and management choice and not a security feature.

Hi Jason,

If your machine is addressed with a globally routable IP, a trivial
failure of your security apparatus leaves your machine addressable
from any other host in the entire world which wishes to send it
packets. In the parlance, it tends to "fail open." Machines using
RFC1918 or RFC4193 space often have the opposite property: a failure
of the security apparatus is prone to leave them unable to interact
with the rest of the world at all. They tend to "fail closed."


This "fail open" vs "fail closed" is a very good characterization of
the situation.  While many IPv4 situations require RFC1918 addresses
due to scarcity, so it is a moot point there, this fail open vs closed
argument applies very well to why one should consider IPv6 ULA
addresses in certain specific scenarios.  If the system does not need
to speak to the outside world, a ULA is frequently the right choice to
leverage these "fail closed" benefits, which IMHO outstrip any
advantages due to "not having to renumber when requirements change" or
whatever else the religiously anti-ULA folks have to say.

CB

Think of it this way: Your firewall is a deadbolt and RFC1918 is the lock
on the doorknob. The knob lock doesn't stop anyone from entering an
unlatched window, opening the door from the inside and walking out
with all your stuff. Yet when you forget to throw the deadbolt, it
does stop an intruder from simply turning the knob and wandering in.

Regards,
Bill Herrin


--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
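The two technical points in the thread above, Herrin's "classful area" reading of the RFC1918 chart and the "fail open" vs "fail closed" property of globally routable versus RFC1918/RFC4193 addressing, can be checked mechanically. The script below is an added example written for this archive page; it is not code from any of the posters, from the linked Red Tiger briefing, or from NANOG. The host inventory is constructed, the `needs_outside` flag and the audit rule are this example's own convention, and the ULA generator uses a CSPRNG for the 40-bit Global ID rather than the SHA-1-of-time-and-EUI-64 procedure RFC 4193 suggests (which is an assumption about what "pseudo-random" may reasonably mean here, not the RFC's text).

```python
import ipaddress
import secrets

# Address blocks named in the thread: the three RFC 1918 IPv4 ranges and the
# RFC 4193 IPv6 unique-local block (fc00::/7; only fd00::/8, L=1, is defined).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = ipaddress.ip_network("fc00::/7")


def is_non_routable(addr):
    """True if addr lies in RFC 1918 (v4) or RFC 4193 (v6) space."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return any(ip in net for net in RFC1918)
    return ip in RFC4193


def classful_area(addr):
    """Legacy classful range the first octet of an IPv4 address falls in.

    This is the "classful area" column Herrin suggests: 172.16.0.0/12 is a
    /12 that happens to sit in the old class B range (128-191), and
    192.168.0.0/16 sits in the old class C range (192-223). It says nothing
    about the prefix length itself.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("classful areas only exist for IPv4")
    first = int(ip) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def failure_mode(addr):
    """Behaviour if the perimeter filter is lost: a host on globally routable
    space becomes reachable from anywhere ("fail open"); a host on RFC1918
    or ULA space is simply unreachable from outside ("fail closed")."""
    return "fail closed" if is_non_routable(addr) else "fail open"


def audit(inventory):
    """Flag hosts that carry a globally routable address without needing one.

    inventory: iterable of (hostname, address, needs_outside) tuples, where
    needs_outside is this example's own flag for "must talk to the Internet".
    Returns a list of (hostname, address, failure_mode) findings.
    """
    findings = []
    for name, addr, needs_outside in inventory:
        mode = failure_mode(addr)
        if not needs_outside and mode == "fail open":
            findings.append((name, addr, mode))
    return findings


def make_ula_prefix():
    """Generate a /48 ULA prefix: 0xfd (fc00::/7 with L=1) followed by a
    random 40-bit Global ID, then 16 zero bits of subnet ID."""
    global_id = secrets.randbits(40)          # assumption: CSPRNG is acceptable
    prefix_int = (0xfd << 120) | (global_id << 80)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(prefix_int)}/48")


# Constructed inventory: two SCADA-style hosts that never need to reach the
# Internet and one public web host that does. 203.0.113.0/24 is the
# documentation range TEST-NET-3, used here as a stand-in for global space.
SAMPLE_INVENTORY = [
    ("plc-01", "203.0.113.5", False),
    ("plc-02", "10.1.2.3", False),
    ("hmi-01", "fd12:3456:789a:1::10", False),
    ("web-01", "203.0.113.80", True),
]

if __name__ == "__main__":
    for net in RFC1918:
        print(f"{net!s:18} classful area {classful_area(net.network_address)}")
    for finding in audit(SAMPLE_INVENTORY):
        print("finding:", finding)
    print("fresh ULA prefix:", make_ula_prefix())
```

Run it as a script and only `plc-01` is reported: it sits on routable space yet has no need to talk outside, which is exactly the host that would "fail open" if the deadbolt were left unthrown. `plc-02` and `hmi-01` are on RFC1918 and ULA space respectively and would "fail closed". The classful check confirms Herrin's reading: 10/8 is in the class A area, 172.16/12 in class B, 192.168/16 in class C.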



