nanog mailing list archives

RE: using "reserved" IPv6 space


From: "Tony Hain" <alh-ietf () tndh net>
Date: Sat, 14 Jul 2012 15:45:06 -0700

Randy Bush wrote:
The fact that your prefix is a Secret Sauce that isn't known to the
rest of the world won't matter much to an attacker.  One 'ifconfig' on
whatever beachhead machine the attacker has inside your net, and it's
not Secret Sauce anymore, it's just another bottle of Thousand Island
dressing...

security through obscurity is such tempting koolaid.  people fall for it
continually and repeatedly.

Some people have different Layer 8-9 requirements than others. I am not
saying they are 'right', just that 'easier' is a relative term based on what
part of the problem is generating the most heat at the moment.


i especially like the one where filtering ula at your border is thought to
be any different than filtering a bit of global at your border.

There is no difference in the local filtering function, but *IF* all transit
providers put FC00::/7 in bogon space and filter it at every border, there
is a clear benefit when someone fat-fingers the config script and announces
what should be a locally filtered prefix (don't we routinely see unintended
announcements in the global BGP table).   I realize that is a big IF, but
bogon filtering happens fairly consistently in IPv4, so there is no reason
to believe it will be less so in IPv6. 

Tony
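As an added example (not code from the thread or from either poster), a small Python check of the transit-border bogon filter Tony describes: it rejects any IPv6 announcement inside FC00::/7, or covering it, along with a couple of other well-known non-routable ranges. The bogon set and the sample announcements, including a leaked ULA /48, are constructed for the example.

```python
import ipaddress

# Non-routable IPv6 ranges treated as bogons at a transit border. ULA (fc00::/7,
# RFC 4193) is the range the thread discusses; the rest is a minimal assumed set.
IPV6_BOGONS = {
    "ula": ipaddress.ip_network("fc00::/7"),
    "link-local": ipaddress.ip_network("fe80::/10"),
    "multicast": ipaddress.ip_network("ff00::/8"),
}

def classify_announcement(prefix: str):
    """Return (accept, reason). Rejects a prefix inside a bogon range (a leaked
    ULA /48) or one covering a bogon range (over-broad announcement)."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False, "unparseable prefix"
    if net.version != 6:
        return False, "not IPv6"
    for name, bogon in IPV6_BOGONS.items():
        if net.subnet_of(bogon):
            return False, f"bogon ({name}: {bogon})"
        if bogon.subnet_of(net):
            return False, f"covers bogon ({name}: {bogon})"
    return True, "ok"

def filter_updates(announcements):
    """Split announced prefixes into accepted and rejected (prefix, reason)."""
    accepted, rejected = [], []
    for prefix in announcements:
        ok, reason = classify_announcement(prefix)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected

# Constructed samples: documentation space (2001:db8::/32) stands in for a
# customer's global prefix; the fd12:... /48 is the fat-fingered ULA leak.
SAMPLE_UPDATES = [
    "2001:db8::/32",
    "2001:db8:1::/48",
    "fd12:3456:789a::/48",  # ULA leak, should be dropped at every border
    "fc00::/6",             # over-broad, covers all of ULA
    "fe80::/64",
    "10.0.0.0/8",           # not IPv6
]

if __name__ == "__main__":
    accepted, rejected = filter_updates(SAMPLE_UPDATES)
    for prefix, reason in rejected + accepted:
        print(f"{'ACCEPT' if reason == 'ok' else 'REJECT'} {prefix:<22} {reason}")
```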
