[33202] in North American Network Operators' Group


Re: RFC1918 addresses to permit in for VPN?

daemon@ATHENA.MIT.EDU (Stephen Griffin)
Tue Jan 2 23:53:30 2001

Message-Id: <200101030451.XAA08124@elektra.ultra.net>
In-Reply-To: <NEBBLOMNADAAGMHJKLDCCEDFCHAA.djr@eng.bellsouth.net> from "Deron J. Ringen" at "Jan 2, 2001 01:49:46 pm"
To: djr@eng.bellsouth.net (Deron J. Ringen)
Date: Tue, 2 Jan 2001 23:51:33 -0500 (EST)
From: Stephen Griffin <stephen.griffin@rcn.com>
Cc: nanog@merit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


In the referenced message, Deron J. Ringen said:
> > Using RFC1918 space also gets you an IP range where the outside world has
> > no route to it -- Sorry, but packets are not getting there, ergo no way
> > to hack.
> .
> .
> > At that point, just by use of simple routing, you've effectively
> > eliminated 100% of attacks from the outside, and you only have to worry
> > about inside.  The front door is secure, now work on the back door.
> >
> I know that this thread has escalated unrestrained, however this is the
> original point that I attempted to make.
> 
> ...djr...

LSR notwithstanding, anyone directly connected to you can devise
their own routing via static routes. Anyone on your own network
doesn't need to (assuming they're defaulted). RFC1918 is merely an illusion.
If you're taking care of the "inside", you've already added the security
which RFC1918 isn't providing. This is the point that I believe many others
are trying to make. Security through obscurity is no security at all.

Stephen

