[146561] in North American Network Operators' Group


Re: Arguing against using public IP space

daemon@ATHENA.MIT.EDU (William Herrin)
Tue Nov 15 21:44:55 2011

In-Reply-To: <20111116012029.66D99173B09C@drugs.dv.isc.org>
From: William Herrin <bill@herrin.us>
Date: Tue, 15 Nov 2011 21:44:20 -0500
To: Mark Andrews <marka@isc.org>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews <marka@isc.org> wrote:
> Given that most NATs only use a small set of addresses on the inside
> it is actually feasible to probe through a NAT using LSR.
> Most attacks don't do this as there are lots of lower hanging fruit

Mark,

My car can be slim-jimmed. Yet the lock is sufficiently operative in
the security process that the two times the vehicle has been broken
into, the vagrant put a rock through the window instead of jimmying the
lock.

That's what it MEANS when you say that there's lower hanging fruit to
be found elsewhere. It means that the feature you're describing is
operative in the process of obstructing an attacker.

As an aside to the debate, I boldly suggest that any firewall vendor
which actually implements LSR or any of the IP source route
functionality anywhere in their code deserves to be tarred and
feathered. The security implications of source routing have been long
understood. Code which implements source routing has no business
existing in a commercial firewall product where it could accidentally
be called. Please, by all means, take this opportunity to out any such
errors which you can document.

Regards,
Bill Herrin

-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

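The thread above argues that a firewall should never honour IP source routing. As an added example (not code from the post or from any vendor), the following parses an IPv4 header's option list and returns a drop verdict for any datagram carrying an LSRR or SSRR option, treating malformed option lists as drops too; the sample packets and addresses are constructed from documentation ranges.

```python
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137        # loose / strict source and record route (RFC 791)
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ip_options(packet: bytes) -> list:
    """Return (type, data) for every option in the IPv4 header; raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes, options included
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, result, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:              # single-byte options carry no length field
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, opts[i + 2:i + length]))
        i += length
    return result


def source_route_verdict(packet: bytes) -> str:
    """'DROP <name>' if the datagram carries a source-route option, else 'PASS'."""
    try:
        options = parse_ip_options(packet)
    except ValueError as e:
        return f"DROP malformed ({e})"
    for kind, _ in options:
        if kind in SOURCE_ROUTE_OPTIONS:
            return f"DROP {SOURCE_ROUTE_OPTIONS[kind]}"
    return "PASS"


def build_ipv4(options: bytes = b"") -> bytes:
    """Constructed sample header: TCP, TTL 64, zero checksum, src 192.0.2.10, dst 198.51.100.7."""
    options += bytes([IPOPT_EOL]) * (-len(options) % 4)    # pad option list to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return header + options


# Constructed LSRR option: type 131, length 11, pointer 4, then two hop addresses.
LSRR_OPTION = bytes([IPOPT_LSRR, 11, 4]) + bytes([203, 0, 113, 1]) + bytes([198, 51, 100, 9])
```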