[146434] in North American Network Operators' Group
Re: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Sun Nov 13 12:49:15 2011
In-Reply-To: <201111131638.pADGcoiu007448@mail.r-bonomi.com>
Date: Sun, 13 Nov 2011 11:48:06 -0600
From: Jimmy Hess <mysidia@gmail.com>
To: Robert Bonomi <bonomi@mail.r-bonomi.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sun, Nov 13, 2011 at 10:38 AM, Robert Bonomi
<bonomi@mail.r-bonomi.com> wrote:
> On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis <jlewis@packetnexus.com> wrote;
> In addition, virtually _every_ ASN operator has ingress filters on their
> border routers to block almost all traffic to RFC-1918 destinations.
Well, when we are talking about selection of IP addresses as a
supposed security feature...
the view that "your ASN operator probably has ingress filters" is an
optimistic one.
The relevant question if you expect "private IP" to be a security
feature is: "Can you legitimately rely on your ASN operator having
ingress filters on border routers to block your RFC1918 destinations
from remote access?"
And the proper answer is NO, you cannot rely on that; if your
network design relies on this assumption, then it is not secure. If
your router is compromised, an intruder can announce your private
RFC1918 IP address space through a tunnel.
If an intruder is a conspirator with one of your peer networks, they
can conspire with your peer to allow an RFC1918 announcement from your
network.
Or create a static route for an RFC1918 subnet on your network.
In other words, your use of RFC1918 address space alone does not
create security. Your RFC1918 network actually _does_ need
isolation separate and apart from the address space. For you to have
reliable security, you still need a firewall, proxy, or NAT device
of some form, with the private network isolated from the public one,
even when using private IPs.
--
-JH
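A defender-side check for the point made above, added here as an example and not code from the original thread: given a constructed list of routes present on a border router, it flags every prefix that overlaps RFC 1918 space, including more-specifics and covering supernets that an exact-match filter on 10/8, 172.16/12 and 192.168/16 would miss. The route list, next-hop addresses and function names are assumptions.

```python
import ipaddress

# The three RFC 1918 private address blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of a border router's routing table as
# (prefix, next-hop, source) tuples. Not real data.
SAMPLE_ROUTES = [
    ("203.0.113.0/24", "198.51.100.1", "bgp"),
    ("10.20.0.0/16", "198.51.100.7", "bgp"),     # private space learned from a peer
    ("172.16.0.0/12", "192.0.2.9", "static"),    # private space via a static route
    ("192.168.5.0/24", "198.51.100.7", "bgp"),
    ("10.0.0.0/7", "198.51.100.7", "bgp"),       # supernet that swallows all of 10/8
    ("198.51.100.0/24", "198.51.100.1", "bgp"),
]


def classify(net, block):
    """Describe how an announced prefix relates to an RFC 1918 block."""
    if net == block:
        return "exact"
    if net.subnet_of(block):
        return "more-specific"   # a tunnel or peer leaking part of your space
    return "covering"            # a supernet that still routes the private block


def find_private_routes(routes):
    """Return every IPv4 route whose prefix overlaps an RFC 1918 block."""
    findings = []
    for prefix, next_hop, source in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != 4:
            continue
        for block in RFC1918:
            if net.overlaps(block):
                findings.append({"prefix": prefix, "next_hop": next_hop,
                                 "source": source, "block": str(block),
                                 "kind": classify(net, block)})
                break  # one finding per route is enough for review
    return findings


if __name__ == "__main__":
    for f in find_private_routes(SAMPLE_ROUTES):
        print(f"{f['prefix']:<16} via {f['next_hop']:<14} ({f['source']}) "
              f"{f['kind']} match on {f['block']}")
```

Running the same function over a real `show ip route` export (parsed into the same tuples) tells you whether the "your ASN operator has ingress filters" assumption actually holds on your own border.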