[33168] in North American Network Operators' Group


Re: RFC1918 addresses to permit in for VPN?

daemon@ATHENA.MIT.EDU (Stephen Stuart)
Mon Jan 1 05:39:55 2001

Message-Id: <200101011037.f01AbmV11206@hi.tech.org>
To: mdevney@teamsphere.com
Cc: nanog@merit.edu
In-reply-to: Your message of "Mon, 01 Jan 2001 01:46:55 PST."
             <Pine.LNX.4.21.0101010143500.10993-100000@core.teamplay.net> 
Date: Mon, 01 Jan 2001 02:37:48 -0800
From: Stephen Stuart <stuart@mfnx.net>
Errors-To: owner-nanog-outgoing@merit.edu


> Using RFC1918 space also gets you an IP range where the outside world has
> no route to it -- Sorry, but no packets are not getting there, ergo no way
> to hack.
> 
> Assuming various things that should be standard procedure -- dynamic NAT
> as opposed to static, blocking source routing, etc.

Blocking source routing should not be standard procedure; as I stated
earlier, source routing is much more valuable to me as a debugging
tool than RFC1918 addressing is as a "security" tool.

> At that point, just by use of simple routing, you've effectively
> eliminated 100% of attacks from the outside, and you only have to worry
> about inside.  The front door is secure, now work on the back door.

100%, huh? You sure must feel safe, then. Good for you! It's a nice
feeling when you have it.

Stephen

