nanog mailing list archives
Re: Arguing against using public IP space
From: William Herrin <bill () herrin us>
Date: Tue, 15 Nov 2011 12:15:06 -0500
On Mon, Nov 14, 2011 at 7:35 PM, Jeroen van Aart <jeroen () mompl net> wrote:
> William Herrin wrote:
>> If your machine is addressed with a globally routable IP, a trivial failure of your security apparatus leaves your machine addressable from any other host in the entire world which wishes to send it
>
> Isn't that the case with IPv6? That the IP is addressable from any host in the entire (IPv6) world? And isn't that considered a good thing?

Hi Jeroen,

Yes, according to almost every application developer asked it's a good thing. Me? I'm not so sure. Historically, enterprises moved away from global addressability even when IP addresses were free, *before* address scarcity became an issue. There's a lesson in there somewhere and I'm not convinced it's that "they were dumb."

> I don't think that being addressable from anywhere is a security hole in and of itself. It's how you implement and (mis)configure your firewall and related things that is the (potential) security hole. Whether the IP is world addressable or not

I agree. That your computer is globally addressable is NOT a security hole. It does not directly or indirectly make you vulnerable to attack.

But the inverse doesn't follow. That your computer is not globally addressable ADDS one layer of security in a process you hope has enough layers to prevent an attack from penetrating. And make no mistake: successful security is about layers, about DEPTH. You can seek layers from other sources but a shallow security process will tend to be easily breached.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
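As an added illustration of the layer-counting argument in the message above (example code, not from the thread or any of its participants): a small Python model that classifies each host's address as globally addressable or not using the standard library's `ipaddress` module, then counts how many independent controls still stand between the Internet and the host when the perimeter filter is working and when it has failed. The host inventory is constructed, and `2600:1234::1` is only a well-formed global-unicast literal chosen for the example, not an address taken from the page.

```python
"""Model of the 'layers' argument: count the independent controls between the
public Internet and a host, given its address type, the perimeter filter's
state and whether the host filters for itself. Added example; the host
records below are constructed, not taken from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    address: str        # IPv4 or IPv6 literal
    host_filter: bool   # host-based packet filter present and enabled


def is_globally_addressable(address: str) -> bool:
    """True when the address is reachable from any Internet host in principle.
    The standard library's is_global treats RFC 1918 space, ULA (fc00::/7),
    link-local, loopback and the documentation prefixes as non-global."""
    return ipaddress.ip_address(address).is_global


def exposure_layers(host: Host, perimeter_filter_ok: bool) -> int:
    """Number of controls an Internet host must get past to reach this host.
    Non-global addressing counts as one layer (the point disputed in the
    thread), a working perimeter filter as a second, a host filter as a third."""
    layers = 0
    if not is_globally_addressable(host.address):
        layers += 1        # no Internet host can address it directly
    if perimeter_filter_ok:
        layers += 1        # the border firewall is doing its job
    if host.host_filter:
        layers += 1        # the host filters inbound traffic for itself
    return layers


def audit(hosts, perimeter_filter_ok: bool) -> dict:
    """Map host name -> remaining layers for the given perimeter state.
    A value of 0 is the 'trivial failure leaves the machine addressable' case."""
    return {h.name: exposure_layers(h, perimeter_filter_ok) for h in hosts}


# Constructed inventory: a global-unicast IPv6 server with no host filter,
# a ULA-addressed lab host, and an RFC 1918 printer with a host filter.
SAMPLE_HOSTS = (
    Host("web-v6", "2600:1234::1", host_filter=False),   # constructed global literal
    Host("lab-v6", "fd12:3456::1", host_filter=False),   # ULA, fc00::/7
    Host("printer-v4", "10.20.30.40", host_filter=True), # RFC 1918
)


if __name__ == "__main__":
    for state in (True, False):
        print(f"perimeter filter ok={state}:", audit(SAMPLE_HOSTS, state))
```

Run as a script it prints the layer count per host for both perimeter states; the globally addressed host drops to zero layers the moment the single filter in front of it fails, while the ULA and RFC 1918 hosts keep at least one.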