[154865] in North American Network Operators' Group
RE: using "reserved" IPv6 space
daemon@ATHENA.MIT.EDU (Tony Hain)
Sat Jul 14 18:45:47 2012
From: "Tony Hain" <alh-ietf@tndh.net>
To: "'Randy Bush'" <randy@psg.com>,
<valdis.kletnieks@vt.edu>
In-Reply-To: <m2ehoe9fmz.wl%randy@psg.com>
Date: Sat, 14 Jul 2012 15:45:06 -0700
Cc: 'North American Network Operators' Group' <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Randy Bush wrote:
> > The fact that your prefix is a Secret Sauce that isn't known to the
> > rest of the world won't matter much to an attacker. One 'ifconfig' on
> > whatever beachhead machine the attacker has inside your net, and it's
> > not Secret Sauce anymore, it's just another bottle of Thousand Island
> > dressing...
>
> security through obscurity is such tempting koolaid. people fall for it
> continually and repeatedly.
Some people have different Layer 8-9 requirements than others. I am not
saying they are 'right', just that 'easier' is a relative term based on what
part of the problem is generating the most heat at the moment.
>
> i especially like the one where filtering ula at your border is thought to be any
> different than filtering a bit of global at your border.
There is no difference in the local filtering function, but *IF* all transit
providers put FC00::/7 in bogon space and filter it at every border, there
is a clear benefit when someone fat-fingers the config script and announces
what should be a locally filtered prefix (don't we routinely see unintended
announcements in the global BGP table?). I realize that is a big IF, but
bogon filtering happens fairly consistently in IPv4, so there is no reason
to believe it will be less so in IPv6.
Tony
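As an added illustration of the border filter the reply argues for (example code, not part of the original thread or of any operator's policy): a small checker that tests received IPv6 prefixes against a bogon list containing FC00::/7. The bogon list, the sample prefixes and the function names `classify_prefix` / `filter_announcements` are constructed for this example; a real import policy would use the operator's own list.

```python
import ipaddress
from typing import List, Tuple

# IPv6 bogon ranges that should never appear in the global BGP table.
# Constructed for this example from well-known special-purpose blocks;
# an operator's real list comes from their own routing policy.
IPV6_BOGONS = {
    "::/8": "reserved: unspecified, loopback, IPv4-compatible",
    "2001:db8::/32": "documentation prefix",
    "fc00::/7": "unique local addresses (ULA)",
    "fe80::/10": "link-local",
    "ff00::/8": "multicast",
}
_BOGON_NETS = {ipaddress.IPv6Network(p): why for p, why in IPV6_BOGONS.items()}
# Everything routable on the public Internet currently lives in 2000::/3.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify_prefix(prefix: str) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) for one announced prefix.

    overlaps() rather than subnet_of() is deliberate: a sloppy less-specific
    such as fc00::/6 covers the ULA block (and link-local and multicast) and
    must be dropped just like the fat-fingered ULA /48 from the thread.
    """
    try:
        net = ipaddress.IPv6Network(prefix, strict=True)  # reject host bits set
    except ValueError as exc:
        return "reject", f"unparseable prefix: {exc}"
    for bogon, why in _BOGON_NETS.items():
        if net.overlaps(bogon):
            return "reject", f"overlaps bogon {bogon} ({why})"
    if not net.subnet_of(GLOBAL_UNICAST):
        return "reject", "outside 2000::/3 global unicast"
    return "accept", "global unicast, no bogon overlap"


def filter_announcements(prefixes: List[str]) -> List[Tuple[str, str, str]]:
    """Apply classify_prefix to a received batch, as a border import policy would."""
    return [(p, *classify_prefix(p)) for p in prefixes]


if __name__ == "__main__":
    # Constructed sample: a made-up global /32, the leaked ULA /48 from the
    # thread's scenario, a covering less-specific, link-local, and a typo.
    sample = ["2001:4444::/32", "fd12:3456:789a::/48", "fc00::/6",
              "fe80::/64", "2001:db8::1/32"]
    for prefix, verdict, reason in filter_announcements(sample):
        print(f"{verdict:6} {prefix:22} {reason}")
```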