nanog mailing list archives
RE: RFC1918 addresses to permit in for VPN?
From: "Richard A. Steenbergen" <ras () e-gerbil net>
Date: Sun, 31 Dec 2000 18:03:53 -0500 (EST)
On Sun, Dec 31, 2000 at 02:14:54PM -0800, Bill Woodcock wrote:
> Don't use RFC1918 addresses on as a security measure. That's the clue people are trying to convey here, yes. RFC1918 just names a block of IP addresses. IP addresses are just integers. No magic differentiates one from the next. i.e. there's no inherent difference, security or otherwise, between 9.255.255.255 and 10.0.0.0. They're just adjacent integers in a continuous range.
Let's not get carried away. The difference we care about is that one address is announced and routed from the global internet, and one address is only used locally. This could just as easily be your real IP space which you're not announcing (note: this may actually be more useful than RFC1918 space for some things, like numbering your router interconnects out of such a block to prevent DoS without breaking ICMP messages generated from them). Using unrouted IPs can be a very key part of a security policy, and if you want, those IPs can be 1918 space.

HOWEVER, it must be noted with lots of red flags and buzzers that this is NOT a complete security policy. For example, if there is any way for an attacker to get on your local network, globally unrouted IPs won't help you. Also, if you're using NAT, hosts can still be subverted in their external connections (perhaps something on your network is using MS Outlook, for example).

The key thing about this discussion is that it should be common sense. There is nothing "evil" about using globally unrouted IPs as part of your security, just as there is nothing "smart" about relying on it and thinking you're secure. Let's not make the same grossly oversimplified and underclued statements against 1918 addresses as some people would use in favor of them.

--
Richard A Steenbergen <ras () e-gerbil net> http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6
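The two points in the post above, that a border filter distinguishes addresses by routing policy rather than by the integer value, and that numbering interconnects from your own unannounced space keeps ICMP from them alive where RFC1918 space would not, can be made concrete with a small policy model. The following is an added example and not code from the original message; the 203.0.113.0/24 block stands in for an operator's own unannounced space (it is a documentation range, used here only as a placeholder), and the verdict functions are assumptions about how such a filter would be written, not any particular router's syntax.

```python
import ipaddress

# RFC1918 private ranges: the blocks the thread is arguing about.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed placeholder for "real" space the operator owns but deliberately
# does not announce (e.g. router interconnects). 203.0.113.0/24 is the
# TEST-NET-3 documentation block, not a real assignment.
OWN_UNANNOUNCED = [ipaddress.ip_network("203.0.113.0/24")]


def is_locally_unrouted(addr, own_unannounced=OWN_UNANNOUNCED):
    """True if this address is one we never expect to see from the global
    internet: either RFC1918 or our own unannounced block. Note that the
    decision comes from the policy table, not from the address value itself."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918 + list(own_unannounced))


def border_ingress_verdict(src, dst):
    """Verdict for a packet arriving on the *external* interface.
    Returns (action, reason). This is the layer the post calls useful but
    incomplete: it says nothing about traffic that is already inside."""
    if is_locally_unrouted(src):
        return ("drop", "source is in locally-unrouted space; cannot arrive legitimately from outside")
    if is_locally_unrouted(dst):
        return ("drop", "destination is locally-unrouted; nothing outside should reach it")
    return ("permit", "globally routed on both ends")


def internal_ingress_verdict(src, dst):
    """Verdict for a packet arriving on the *internal* interface. Unrouted
    sources are normal here, which is exactly why the border filter does not
    help once an attacker is on the local network."""
    return ("permit", "internal interface; unrouted sources are expected")


def remote_rfc1918_filter_drops(src):
    """Model of a typical bogon filter at *someone else's* border, which drops
    RFC1918 sources but knows nothing about our unannounced real block. ICMP
    (TTL-exceeded, fragmentation-needed) sourced from a 10.x interconnect is
    lost there; the same ICMP from our own unannounced space gets through."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in RFC1918)


def policy_table_matters():
    """Adjacent integers, different verdicts: the line is drawn by policy."""
    return {
        "9.255.255.255": is_locally_unrouted("9.255.255.255"),
        "10.0.0.0": is_locally_unrouted("10.0.0.0"),
    }


if __name__ == "__main__":
    for src, dst in [("10.1.2.3", "198.51.100.7"),
                     ("198.51.100.7", "203.0.113.1"),
                     ("198.51.100.7", "198.51.100.8")]:
        print(src, "->", dst, border_ingress_verdict(src, dst))
    print("ICMP from 10.0.0.1 dropped remotely:", remote_rfc1918_filter_drops("10.0.0.1"))
    print("ICMP from 203.0.113.1 dropped remotely:", remote_rfc1918_filter_drops("203.0.113.1"))
    print(policy_table_matters())
```

Run stand-alone it prints the border verdicts for three constructed packets, then shows that a 10.x-sourced ICMP message is dropped by a remote RFC1918 filter while one from the unannounced real block is not, and finally that 9.255.255.255 and 10.0.0.0 get different answers only because the policy table says so.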