nanog mailing list archives
Re: Arguing against using public IP space
From: William Herrin <bill () herrin us>
Date: Sun, 13 Nov 2011 15:13:37 -0500
On Sun, Nov 13, 2011 at 11:38 AM, Robert Bonomi <bonomi () mail r-bonomi com> wrote:
On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis <jlewis () packetnexus com> wrote;http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.htmlAny article that claims a /12 is a 'class B', and a /16 is a 'Class C', is DEFINITELY 'flawed'.
Hi Robert, Give the chart a second look. 192.168.0.0/16 (one of the three RFC1918 spaces) is, in fact, a /16 of IPv4 address space and it is, in fact, found in the old "class C" range. Ditto 172.16.0.0/12. If there's a nitpick, the author should have labeled the column something like "classful area" instead of "classful description." On Sun, Nov 13, 2011 at 10:36 AM, Jason Lewis <jlewis () packetnexus com> wrote:
I've always looked at private IP space as more of a resource and management choice and not a security feature.
Hi Jason, If your machine is addressed with a globally routable IP, a trivial failure of your security apparatus leaves your machine addressable from any other host in the entire world which wishes to send it packets. In the parlance, it tends to "fail open." Machines using RFC1918 or RFC4193 space often have the opposite property: a failure of the security apparatus is prone to leave them unable to interact with the rest of the world at all. They tend to "fail closed." Think of this way: Your firewall is a deadbolt and RFC1918 is the lock on the doorknob. The knob lock doesn't stop anyone from entering an unlatched window, opening the door from the inside and walking out with all your stuff. Yet when you forget to throw the deadbolt, it does stop an intruder from simply turning the knob and wandering in. Regards, Bill Herrin -- William D. Herrin ................ herrin () dirtside comĀ bill () herrin us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
Current thread:
- Arguing against using public IP space Jason Lewis (Nov 13)
- Re: Arguing against using public IP space Robert Bonomi (Nov 13)
- Re: Arguing against using public IP space Jimmy Hess (Nov 13)
- Re: Arguing against using public IP space David Walker (Nov 13)
- Re: Arguing against using public IP space Jimmy Hess (Nov 13)
- Re: Arguing against using public IP space Jimmy Hess (Nov 13)
- Re: Arguing against using public IP space William Herrin (Nov 13)
- Re: Arguing against using public IP space Phil Regnauld (Nov 13)
- Re: Arguing against using public IP space Doug Barton (Nov 13)
- RE: Arguing against using public IP space Chuck Church (Nov 13)
- Re: Arguing against using public IP space Phil Regnauld (Nov 13)
- RE: Arguing against using public IP space Chuck Church (Nov 13)
- RE: Arguing against using public IP space McCall, Gabriel (Nov 14)
- Re: Arguing against using public IP space William Herrin (Nov 14)
- Re: Arguing against using public IP space Owen DeLong (Nov 15)
- Re: Arguing against using public IP space Leigh Porter (Nov 15)
- Re: Arguing against using public IP space Valdis . Kletnieks (Nov 15)
- Re: Arguing against using public IP space Robert Bonomi (Nov 13)