[146430] in North American Network Operators' Group


Re: Arguing against using public IP space

daemon@ATHENA.MIT.EDU (Robert Bonomi)
Sun Nov 13 11:39:03 2011

Date: Sun, 13 Nov 2011 10:38:50 -0600 (CST)
From: Robert Bonomi <bonomi@mail.r-bonomi.com>
To: nanog@nanog.org
In-Reply-To: <CA+buB7eG7z0kxh-UZgJqvE8pQqFwY3iRkS+Up7buCLqTi5Dctg@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis <jlewis@packetnexus.com> wrote:
>
> I don't want to start a flame war, but this article seems flawed to
> me. 

Any article that claims a /12 is a 'class B', and a /16 is a 'Class C', is
DEFINITELY 'flawed'.

>       It seems an IP is an IP.

True.  *BUT*, "some IPs are more equal than others", as Orwell would say.
>
> http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html
>
> I think I could announce private IP space, so doesn't that make this
> argument invalid? 

You likely would have a 'rude surprise' if you actually tried it.

It is an express violation of RFCs to announce routing for RFC-1918 space
-outside- of your own network.

In addition, virtually _every_ ASN operator has ingress filters on their 
border routers to block almost all traffic to RFC-1918 destinations.

"Good net neighbor" operators also run egress filters that block almost all
outbound traffic with RFC-1918 _source_ addresses -- things like icmp
'unreachables' are an exception.

>                    I've always looked at private IP space as more of a
> resource and management choice and not a security feature.
>


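The ingress and egress border filters described in the reply above, modelled as an added Python example that is not from the post or from any NANOG operator; the Packet class, the constructed sample flows, and treating ICMP destination-unreachable as the only RFC 1918-sourced traffic let out are assumptions made for illustration.

```python
"""Model of the RFC 1918 ingress/egress filtering the reply describes."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# The three RFC 1918 private blocks.
RFC1918 = (
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
)

ICMP_UNREACHABLE = 3  # ICMP "destination unreachable" type (RFC 792)


@dataclass(frozen=True)
class Packet:          # hypothetical minimal packet representation
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None


def is_rfc1918(addr: str) -> bool:
    ip = IPv4Address(addr)
    return any(ip in net for net in RFC1918)


def ingress_allowed(pkt: Packet) -> bool:
    """Border ingress: drop anything from outside addressed to RFC 1918 space.
    This is why announcing private space to the world does not work."""
    return not is_rfc1918(pkt.dst)


def egress_allowed(pkt: Packet) -> bool:
    """Border egress: drop packets leaving with an RFC 1918 source, except
    ICMP unreachables (assumed here as the one exception the post mentions)."""
    if not is_rfc1918(pkt.src):
        return True
    return pkt.proto == "icmp" and pkt.icmp_type == ICMP_UNREACHABLE


def filter_flows(flows: List[Packet], direction: str) -> List[Packet]:
    """Return the subset of flows the border router would forward."""
    check = ingress_allowed if direction == "ingress" else egress_allowed
    return [p for p in flows if check(p)]


# Constructed sample traffic (documentation-range addresses), not captured data.
SAMPLE = [
    Packet("198.51.100.7", "10.1.2.3", "tcp"),       # outside -> private destination
    Packet("198.51.100.7", "203.0.113.9", "tcp"),    # outside -> public destination
    Packet("192.168.5.5", "198.51.100.7", "udp"),    # private source leaking out
    Packet("10.0.0.1", "198.51.100.7", "icmp", 3),   # unreachable from a private hop
    Packet("10.0.0.1", "198.51.100.7", "icmp", 8),   # echo request from private source
]
```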