[146439] in North American Network Operators' Group
Re: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Phil Regnauld)
Sun Nov 13 16:29:09 2011
Date: Sun, 13 Nov 2011 22:27:56 +0100
From: Phil Regnauld <regnauld@nsrc.org>
To: William Herrin <bill@herrin.us>
In-Reply-To: <CAP-guGUBuvpNiUEe2c_rxa8CJJr-LM1ub0zEJrwsY-H0C5JJ1Q@mail.gmail.com>
Cc: nanog@nanog.org
William Herrin (bill) writes:
> If your machine is addressed with a globally routable IP, a trivial
> failure of your security apparatus leaves your machine addressable
> from any other host in the entire world which wishes to send it
> packets. In the parlance, it tends to "fail open." Machines using
> RFC1918 or RFC4193 space often have the opposite property: a failure
> of the security apparatus is prone to leave them unable to interact
> with the rest of the world at all. They tend to "fail closed."
>
> Think of it this way: Your firewall is a deadbolt and RFC1918 is the lock
> on the doorknob. The knob lock doesn't stop anyone from entering an
> unlatched window, opening the door from the inside and walking out
> with all your stuff. Yet when you forget to throw the deadbolt, it
> does stop an intruder from simply turning the knob and wandering in.
>
That's not exactly correct. NAT doesn't imply firewalling/filtering.
To illustrate this to customers, I've mounted attacks/scans on
hosts behind NAT devices, from the interconnect network immediately
outside: if you can point a route with the ext ip of the NAT device
as the next hop, it usually just forwards the packets...
Phil
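An added example, not part of the thread, modelling the point Phil makes: a minimal NAT device that only translates is still a router, so a WAN-side packet whose destination is the private prefix is forwarded unless an explicit ingress rule drops it. The addresses and the port-preserving translation table are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed address plan (assumption, not from the thread).
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")  # NAT device's external address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # RFC1918 space behind it


@dataclass
class NatRouter:
    """Toy NAT box: translation plus plain routing, with an optional ingress filter."""
    ingress_filter: bool                              # drop WAN packets aimed at LAN_NET?
    translations: dict = field(default_factory=dict)  # public port -> inside host

    def forward(self, in_if: str, src: str, sport: int, dst: str, dport: int) -> str:
        d = ipaddress.ip_address(dst)
        if in_if == "lan":
            # Outbound: rewrite source to PUBLIC_IP and remember the reverse mapping
            # (simplified: the public port equals the inside source port).
            self.translations[sport] = src
            return f"forward wan src={PUBLIC_IP}"
        # Inbound on the WAN interface.
        if d == PUBLIC_IP:
            inside = self.translations.get(dport)
            return f"dnat {inside}" if inside else "drop (no translation)"
        if d in LAN_NET:
            # Destination is the private prefix itself: the upstream hop has a route
            # for LAN_NET pointing at our external IP. NAT has nothing to do here;
            # without a filter rule this is ordinary routing.
            if self.ingress_filter:
                return "drop (ingress filter)"
            return f"forward lan dst={d}"
        return "drop (no route)"


def demo() -> dict:
    """Same inbound packet to a LAN host, with and without the ingress filter."""
    open_nat = NatRouter(ingress_filter=False)
    filtered = NatRouter(ingress_filter=True)
    pkt = ("wan", "198.51.100.7", 40000, "192.168.1.20", 22)
    return {"nat_only": open_nat.forward(*pkt), "nat_plus_filter": filtered.forward(*pkt)}


if __name__ == "__main__":
    print(demo())
```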