nanog mailing list archives
RE: Update to BCP-38?
From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Fri, 04 Oct 2019 23:00:12 -0600
On Friday, 4 October, 2019 16:05, William Herrin <bill () herrin us> wrote:
> On Thu, Oct 3, 2019 at 2:28 PM Keith Medcalf <kmedcalf () dessus com> wrote:
>> On Thursday, 3 October, 2019 11:50, Fred Baker <fredbaker.ietf () gmail com> wrote:
>>> A security geek would be all over me - "too many clues!".
>> Anyone who says something like that is not a "security geek". They are a "security poser", interested primarily in "security by obscurity" and "security theatre", and have no clue what they are talking about.
> It's called "operations security" or "OPSEC." The idea is that from lots of pieces of insignificant information, an adversary can derive or infer more important information you'd like to deny to him. There's a 5-step process used by the U.S. Military but the TL;DR version is: if you don't have to reveal something, don't.
You and I have completely different opinions of how security works. In my world, security must continue to be effective even in the face of an adversary that knows everything there is to know about what is being attacked (except for some authentication secrets, which of course need to be kept secret). If the attacker does not already have that information, then obtaining it is usually a rather trivial reconnaissance operation.
The job of "securing" something means to make it impervious to outside influence -- it is the other side of the "safety" coin -- and Safety and Security go hand in hand. Security based on keeping something which is trivial to discover secret is trivial security and can still be trivially bypassed.
It is telling that of the thousands of "ransomware attacks" that occur each second, only 617 have been successful so far this year. Those victims probably relied on keeping something secret that did not matter. In other words, they expended effort on the wrong things -- their analysis of risk was inherently flawed.
Can you provide a scenario in which knowledge of the VLAN number is a vulnerability that can be exploited? And if you can find one, is there a more effective way to prevent that exploit that will work even if the attacker knows the VLAN number? Would it not be more effective to implement that measure than simply using trivial means (that are trivial to defeat) to hide the VLAN number?
This does not mean that you need to publish the VLAN numbers on Facebook for all to see, merely that knowledge of that fact is now irrelevant, and that even if someone posted the VLAN numbers on Facebook for all to see, then that would not be helpful to the adversary.
> IMO, anyone who thinks the folks who developed OPSEC don't have a clue is the one I find wanting.
Opinions vary. That is the nature of opinion.
--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.