nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: RFC1918 addresses to permit in for VPN?

From: Stephen Stuart <stuart () mfnx net>
Date: Mon, 01 Jan 2001 02:37:48 -0800


Using RFC1918 space also gets you an IP range where the outside world has
no route to it -- Sorry, but no packets are not getting there, ergo no way
to hack.

Assuming various things that should be standard procedure -- dynamic NAT
as opposed to static, blocking source routing, etc.


Blocking source routing should not be standard procedure; as I stated
earlier, source routing is much more valuable to me as a debugging
tool than RFC1918 addressing is as a "security" tool.


At that point, just by use of simple routing, you've effectively
eliminated 100% of attacks from the outside, and you only have to worry
about inside.  The front door is secure, now work on the back door.


100%, huh? You sure must feel safe, then. Good for you! It's a nice
feeling when you have it.

Stephen
Previous By Date Next
Previous By Thread Next

Current thread: