[33145] in North American Network Operators' Group
RE: RFC1918 addresses to permit in for VPN?
daemon@ATHENA.MIT.EDU (Jason Lewis)
Sun Dec 31 17:03:47 2000
Reply-To: <jlewis@jasonlewis.net>
From: "Jason Lewis" <jlewis@jasonlewis.net>
To: "'Stephen Stuart'" <stuart@mfnx.net>,
"'Derek J. Balling'" <dredd@megacity.org>
Cc: <nanog@merit.edu>
Date: Sun, 31 Dec 2000 16:59:36 -0500
Message-ID: <000701c07374$f7df6ff0$4d14a8c0@jasonlewis.net>
In-Reply-To: <200012312141.eBVLf3V01775@hi.tech.org>

I am a little lost as to what the real argument is.....

Don't use RFC1918 addresses on public networks.
or
Don't use RFC1918 addresses as a security measure.

I don't use RFC1918 addresses on public networks, but I do use them on my
backend systems and at some level I consider it a security measure. Those
backend machines don't have access to the Internet and the private
addressing helps ensure that is true. Is my thinking flawed?

jas

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of
Stephen Stuart
Sent: Sunday, December 31, 2000 4:41 PM
To: Derek J. Balling
Cc: nanog@merit.edu
Subject: Re: RFC1918 addresses to permit in for VPN?

> No, but putting your car on a private road that you need to circumvent
> several roadblocks to reach IS a pretty good deterrent to its being in an
> accident.

I doubt the roadblocks are anything serious in most cases; if all
you're doing is RFC1918 addressing, then source-routing on the
attacker's side can probably make your box theirs in short order. Most
people of this ilk I've encountered think so highly of RFC1918
addressing as a security measure that they blindly assume no other
precautions are necessary. I would hope that no-one on this list would
stoop to *that* level of stupidity. Presenting a "security by
obscurity" argument is bad enough.
Stephen
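
Added example, not part of the original thread: a border-side check for the source-routing point raised above. It parses IPv4 header options and flags packets carrying a loose or strict source-route option (types 131 and 137 in RFC 791), which a filter that looks only at the destination address would pass. The function names, the drop policy and the sample packet are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}  # IPv4 option types, RFC 791

# Constructed sample header (IHL=7): public dst, NOP + LSRR ending at 10.1.2.3
SAMPLE = bytes([0x47, 0, 0, 28, 0, 0, 0, 0, 64, 6, 0, 0,
                198, 51, 100, 7,         # src (documentation range)
                203, 0, 113, 1,          # dst: first hop, not RFC1918
                1, 131, 7, 4,            # NOP; LSRR, length 7, pointer 4
                10, 1, 2, 3])            # last hop: RFC1918 backend

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def source_route_hops(packet):
    """Return (option_name, hops) for an LSRR/SSRR option, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad IHL")
    i = 20
    while i < header_len:
        opt = packet[i]
        if opt == 0:                     # End of Option List
            break
        if opt == 1:                     # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("truncated option")
        length = packet[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("bad option length")
        if opt in SOURCE_ROUTE_OPTS:
            data = packet[i + 3:i + length]   # skip type, length, pointer
            hops = [ipaddress.IPv4Address(data[j:j + 4])
                    for j in range(0, len(data) - len(data) % 4, 4)]
            return SOURCE_ROUTE_OPTS[opt], hops
        i += length
    return None

def should_drop(packet):
    """Border policy: drop source-routed packets and RFC1918 destinations."""
    dst = ipaddress.IPv4Address(packet[16:20])
    return source_route_hops(packet) is not None or is_rfc1918(dst)
```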