nanog mailing list archives
Re: Arguing against using public IP space
From: Jay Hennigan <jay () west net>
Date: Sun, 13 Nov 2011 17:39:03 -0800
On 11/13/11 3:58 PM, Jason Lewis wrote:
> People keep pointing to this as unlikely. I argue that spammers are currently doing this all over the world, maybe not as widespread with 1918 space. If I can announce 1918 space to an ISP where my target is... it doesn't matter if everyone else ignores or drops it. The ISP allowed it, so all their customers will route the traffic. I still think it's a valid attack vector; discounting it because people would laugh at me seems like a poor security posture.
It would be your target announcing the RFC1918 space, so the security risk would be if his ISP, your ISP and all of the intermediate peering/transit links were to honor those announcements and route the traffic to the target. Possible, and it has probably happened at some point, but not likely. The closer you are logically to your target, the more likely such an attack would succeed.

I certainly don't recommend announcing RFC1918 space to the public Internet. Doing so is a bad thing. If you do so there is indeed a non-zero chance that someone close enough to you could connect to your network and do damage. Announcing RFC1918 space is less likely to route very far than announcing public space that isn't allocated to you, however. That's what the spammers all over the world are doing.

In terms of security, most every SCADA system, as others have pointed out, should not be connected to the public Internet AT ALL. In this case it really doesn't matter what addressing scheme is used. Use Novell IPX or AppleTalk if you want. Or MODBUS.

If, however, it is using IPv4, RFC1918 space in a different subnet than anything used internally within the organization is a better choice than any public space or subnets of RFC1918 space in use within the organization. This offers a degree of protection against mis-cabling and other accidental or malicious vectors that could allow other networks to communicate with the SCADA network.

It would probably be best if the SCADA hardware vendors were to ship their gear with no IP addresses pre-programmed at all, as well as preventing them from being configured until any default passwords are changed. Similarly, they should educate their installation contractors about such things.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay () impulse net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
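Two checks that follow from the post above, as an added example that is not part of the original message or the NANOG thread: an ingress BGP prefix filter that drops announcements lying inside or covering RFC 1918 space (the "honor those announcements" failure the post describes), and a check that a proposed SCADA subnet is RFC 1918 space disjoint from everything already in use inside the organization. The bogon list, the maximum accepted prefix length, the sample announcements and the corporate in-use prefixes are all constructed for this example, and the function names are assumptions.

```python
"""Added example, not part of Jay Hennigan's post or the NANOG thread.

Two checks that follow from the post:

1. An ingress-side BGP prefix filter that rejects any announcement lying
   inside, or entirely covering, RFC 1918 space (plus a few other bogons),
   so a peer announcing 10.0.0.0/8 or 172.0.0.0/8 never reaches the table.
2. A check that a proposed SCADA subnet is RFC 1918 space and is disjoint
   from every prefix already in use inside the organisation.

All prefix lists and announcements below are constructed for the example.
"""
import ipaddress

# RFC 1918 private address space.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A few other well-known bogons (assumed list, deliberately not exhaustive).
OTHER_BOGONS = [ipaddress.ip_network(p) for p in
                ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                 "224.0.0.0/4", "240.0.0.0/4")]

BOGONS = RFC1918 + OTHER_BOGONS

# Longest prefix accepted from a peer (assumed policy value).
MAX_PREFIXLEN = 24


def is_bogon(prefix):
    """True if the IPv4 prefix lies inside or covers any bogon range.

    overlaps() catches both directions: 192.168.77.0/24 (inside) and
    172.0.0.0/8 (covering 172.16.0.0/12) are both flagged.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 4 and any(net.overlaps(b) for b in BOGONS)


def filter_announcements(prefixes, allow_default=False):
    """Split announcements into an accepted list and a {prefix: reason} dict.

    0.0.0.0/0 overlaps everything, so it is decided first: accept it only
    when the peer is a transit provider expected to send a default route.
    """
    accepted, rejected = [], {}
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.prefixlen == 0:
            if allow_default:
                accepted.append(p)
            else:
                rejected[p] = "default route not accepted from this peer"
        elif is_bogon(p):
            rejected[p] = "overlaps bogon/RFC 1918 space"
        elif net.prefixlen > MAX_PREFIXLEN:
            rejected[p] = "longer than /%d" % MAX_PREFIXLEN
        else:
            accepted.append(p)
    return accepted, rejected


def scada_subnet_ok(candidate, in_use):
    """True if candidate is RFC 1918 space disjoint from all in-use prefixes."""
    net = ipaddress.ip_network(candidate, strict=False)
    if net.version != 4:
        return False
    private = any(net.subnet_of(r) for r in RFC1918)
    clashes = any(net.overlaps(ipaddress.ip_network(u)) for u in in_use)
    return private and not clashes


# Constructed announcements as a peer might send them (198.51.100.0/24 and
# 203.0.113.0/25 are documentation ranges standing in for customer space).
SAMPLE_ANNOUNCEMENTS = [
    "198.51.100.0/24",   # ordinary customer prefix: accept
    "10.0.0.0/8",        # RFC 1918: reject
    "192.168.77.0/24",   # more-specific inside RFC 1918: reject
    "172.0.0.0/8",       # covers 172.16.0.0/12: reject
    "203.0.113.0/25",    # longer than /24: reject
    "0.0.0.0/0",         # default route: depends on the peer
]

# Constructed list of prefixes already in use on the corporate network.
CORPORATE_IN_USE = ["10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/20"]

if __name__ == "__main__":
    accepted, rejected = filter_announcements(SAMPLE_ANNOUNCEMENTS)
    print("accepted:", accepted)
    for p, why in rejected.items():
        print("rejected: %-18s %s" % (p, why))
    for cand in ("10.250.0.0/16", "10.1.0.0/16"):
        print(cand, "ok for SCADA" if scada_subnet_ok(cand, CORPORATE_IN_USE)
              else "clashes or not RFC 1918")
```

The filter is written as a pure function over a list of prefixes so it can be run against a looking-glass or route-server dump as well as a router's own ingress policy; on real gear the same intent is expressed as a prefix-list applied inbound on every eBGP session, and the default-route exception is the one rule that legitimately differs between transit and peer sessions.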
Current thread:
- Re: Arguing against using public IP space, (continued)
- Re: Arguing against using public IP space Joe Greco (Nov 14)
- Re: Arguing against using public IP space Valdis . Kletnieks (Nov 13)
- Re: Arguing against using public IP space David Walker (Nov 13)
- Re: Arguing against using public IP space Leigh Porter (Nov 13)
- Re: Arguing against using public IP space McCall, Gabriel (Nov 13)
- Re: Arguing against using public IP space Jay Hennigan (Nov 13)
- Re: Arguing against using public IP space Jason Lewis (Nov 13)
- Re: Arguing against using public IP space Owen DeLong (Nov 13)
- Re: Arguing against using public IP space Ray Soucy (Nov 14)
- Re: Arguing against using public IP space Michael Sinatra (Nov 15)
- Re: Arguing against using public IP space Jay Hennigan (Nov 13)
- Re: Arguing against using public IP space Eric C. Miller (Nov 16)