nanog mailing list archives
Re: Arguing against using public IP space
From: Mark Andrews <marka () isc org>
Date: Wed, 16 Nov 2011 14:07:19 +1100
In message <CAP-guGXXM_Dci6QrzR2AQmFOnKh0AFs2XdVVY-H-MPDXcRrLBw () mail gmail com>, William Herrin writes:
> On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews <marka () isc org> wrote:
> > Given that most NATs only use a small set of addresses on the inside it
> > is actually feasible to probe through a NAT using LSR. Most attacks
> > don't do this as there are lots of lower hanging fruit.
>
> Mark,
>
> My car can be slim-jimmed. Yet the lock is sufficiently operative in the
> security process that the two times the vehicle has been broken into the
> vagrant put a rock through the window instead of jimmying the lock.
>
> That's what it MEANS when you say that there's lower hanging fruit to be
> found elsewhere. It means that the feature you're describing is operative
> in the process of obstructing an attacker.
>
> As an aside to the debate, I boldly suggest that any firewall vendor
> which actually implements LSR or any of the IP source route functionality
> anywhere in their code deserves to be tarred and feathered. The security
> implications of source routing have been long understood. Code which
> implements source routing has no business existing in a commercial
> firewall product where it could accidentally be called. Please, by all
> means, take this opportunity to out any such errors which you can document.
Indeed. A NAT mangles packets. A firewall provides protection. You can combine the two but expecting one to do the job of the other is just wrong and doesn't work.
> Regards,
> Bill Herrin
>
> --
> William D. Herrin ................ herrin () dirtside com  bill () herrin us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
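As an added example that is not part of the thread: a defender-side check in Python that parses IPv4 header options and flags packets carrying a loose or strict source route option (the LSR probes Mark and Bill discuss), so a border filter or IDS rule can drop or alert on them regardless of what the NAT does. The packet builder and the addresses are constructed for the sample; nothing here is taken from any vendor's firewall code.

```python
import ipaddress
import struct

# IPv4 option types (RFC 791): 131 = loose source route, 137 = strict source route
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137

def parse_ipv4_options(packet: bytes):
    """Return [(type, payload)] for the options in an IPv4 header; ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    options, i = [], 20
    while i < ihl:
        opt_type = packet[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl or packet[i + 1] < 2 or i + packet[i + 1] > ihl:
            raise ValueError("bad option length")  # truncated or overlong option: drop it
        opt_len = packet[i + 1]
        options.append((opt_type, bytes(packet[i + 2:i + opt_len])))
        i += opt_len
    return options

def source_route(packet: bytes):
    """Return ('loose'|'strict', [hop addresses]) if the header carries LSRR/SSRR, else None."""
    for opt_type, payload in parse_ipv4_options(packet):
        if opt_type in (IPOPT_LSRR, IPOPT_SSRR):
            # payload = pointer byte, then a list of 4-byte hop addresses
            hops = [str(ipaddress.IPv4Address(payload[j:j + 4]))
                    for j in range(1, len(payload) - 3, 4)]
            return ("loose" if opt_type == IPOPT_LSRR else "strict"), hops
    return None

def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test helper: minimal IPv4 header, options padded to 32 bits, checksum left 0."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + options

# Constructed samples: a plain header, and one whose loose source route lists an inside
# RFC 1918 address behind the NAT's public address (the case a border filter should reject).
LSRR_OPT = bytes([IPOPT_LSRR, 11, 4]) + bytes([203, 0, 113, 10]) + bytes([10, 0, 0, 5])
SAMPLE_PLAIN = build_ipv4_header("198.51.100.7", "203.0.113.10")
SAMPLE_LSRR = build_ipv4_header("198.51.100.7", "203.0.113.10", LSRR_OPT)
```

A filter built on this should reject both the source-routed packets and the malformed ones the parser refuses, since an option it cannot parse is not one it can prove harmless.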