Randy Bush wrote:
The fact that your prefix is a Secret Sauce that isn't known to the rest of the world won't matter much to an attacker. One 'ifconfig' on whatever beachhead machine the attacker has inside your net, and it's not Secret Sauce anymore, it's just another bottle of Thousand Island dressing...
security through obscurity is such tempting koolaid. people fall for it continually and repeatedly.
Some people have different Layer 8-9 requirements than others. I am not saying they are 'right', just that 'easier' is a relative term based on what part of the problem is generating the most heat at the moment.
i especially like the one where filtering ula at your border is thought to be any different than filtering a bit of global at your border.
There is no difference in the local filtering function, but *IF* all transit providers put FC00::/7 in bogon space and filter it at every border, there is a clear benefit when someone fat-fingers the config script and announces what should be a locally filtered prefix (don't we routinely see unintended announcements in the global BGP table?). I realize that is a big IF, but bogon filtering happens fairly consistently in IPv4, so there is no reason to believe it will be less so in IPv6.

Tony
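An added example, not part of the original thread: a sketch of the border check discussed above, treating FC00::/7 as bogon space and applying it to received announcements. The peer ASNs and prefixes in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import ipaddress

# fc00::/7 is the IPv6 Unique Local Address (ULA) block, RFC 4193.
ULA = ipaddress.ip_network("fc00::/7")

def classify(prefix: str) -> str:
    """Return 'bogon', 'covers-ula' or 'accept' for an announced prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6:
        return "accept"        # this check only concerns IPv6 routes
    if net.subnet_of(ULA):
        return "bogon"         # fc00::/7 itself or any more-specific
    if ULA.subnet_of(net):
        # A shorter prefix that swallows ULA space. A filter matching only
        # fc00::/7 and its more-specifics would not catch this case.
        return "covers-ula"
    return "accept"

def filter_announcements(announcements):
    """Split (peer, prefix) pairs into accepted and rejected lists."""
    accepted, rejected = [], []
    for peer, prefix in announcements:
        verdict = classify(prefix)
        target = accepted if verdict == "accept" else rejected
        target.append((peer, prefix, verdict))
    return accepted, rejected

# Constructed sample: documentation ASNs and prefixes, plus a leaked ULA /48
# of the kind a fat-fingered config script would announce.
SAMPLE = [
    ("AS64500", "2001:db8:1000::/36"),
    ("AS64501", "fd12:3456:789a::/48"),
    ("AS64501", "fc00::/7"),
    ("AS64502", "f800::/5"),
    ("AS64503", "192.0.2.0/24"),
]

if __name__ == "__main__":
    ok, dropped = filter_announcements(SAMPLE)
    for peer, prefix, verdict in dropped:
        print(f"reject {prefix} from {peer}: {verdict}")
    for peer, prefix, _ in ok:
        print(f"accept {prefix} from {peer}")
```
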