This "RFC1918 for control plane/management plane" technique is vulnerable to a TCP reflection attack. The miscreants know about it. So the assumption that the chance of an RFC 1918 packet reaching your router is "zero" is not something you should assume.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Iljitsch van Beijnum
Sent: Friday, June 23, 2006 4:18 PM
To: Owen DeLong
Cc: NANOG list
Subject: Re: key change for TCP-MD5
On 24-jun-2006, at 0:43, Owen DeLong wrote:
Why couldn't the network device do an AH check in hardware before passing the packet to the receive path? If you can get to a point where all connections or traffic TO the router should be AH, then that will help with DoS.
If you care that much, why don't you just add an extra loopback address, give it an RFC 1918 address, have your peer talk BGP towards that address and filter all packets towards the actual interface address of the router?
The chance of an attacker sending an RFC 1918 packet that ends up at your router is close to zero, and even though the interface address still shows up in traceroutes etc., it is bulletproof because of the filters.
(This works even better with IPv6 link local addresses, those are guaranteed to be unroutable.)
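As an added illustration (it is not configuration posted by anyone in this thread), here is one way to build the loopback-plus-filter arrangement Iljitsch describes on a Cisco IOS router. The addresses, interface names and AS numbers are made up (RFC 5737 and RFC 1918 ranges, private AS numbers), and the BGP password is a placeholder. The second access list, on the non-peering interfaces, is my addition: it is the check that turns "nobody should be able to reach this address" into something the router actually enforces.

```cisco
! Added example, not from the thread. Assumed addressing:
!   our loopback 10.255.0.1, peer loopback 10.255.0.2 (both RFC 1918)
!   peering link 192.0.2.0/30, we are 192.0.2.1, the peer is 192.0.2.2
!   our AS 64496, peer AS 64497
!
interface Loopback1
 description BGP session endpoint (RFC 1918, reachable only across the peering link)
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Peering link to AS 64497
 ip address 192.0.2.1 255.255.255.252
 ip access-group PEERING-IN in
!
interface GigabitEthernet0/1
 description Every other interface (transit, customers, core)
 ip access-group NOT-PEERING-IN in
!
! The peer's loopback is only ever reachable via the peering link.
ip route 10.255.0.2 255.255.255.255 192.0.2.2
!
router bgp 64496
 neighbor 10.255.0.2 remote-as 64497
 neighbor 10.255.0.2 ebgp-multihop 2
 neighbor 10.255.0.2 update-source Loopback1
 neighbor 10.255.0.2 password SHARED-SECRET-PLACEHOLDER
!
ip access-list extended PEERING-IN
 remark Only the peer's loopback may talk BGP to our loopback
 permit tcp host 10.255.0.2 host 10.255.0.1 eq bgp
 permit tcp host 10.255.0.2 eq bgp host 10.255.0.1
 remark Nothing else may reach either of our addresses on this link
 deny ip any host 10.255.0.1
 deny ip any host 192.0.2.1
 remark Transit traffic is unaffected
 permit ip any any
!
ip access-list extended NOT-PEERING-IN
 remark The loopback is never routed beyond the peering link, so a packet
 remark for it arriving anywhere else is spoofed or misrouted: drop it
 deny ip any host 10.255.0.1
 permit ip any any
```

What this does and does not buy you: an attacker out on the Internet cannot address our interface or our loopback directly, because the only interface that accepts packets for 10.255.0.1 is the peering link, and there only from 10.255.0.2. What PEERING-IN still accepts is any TCP the peer itself emits towards our loopback, so if the peer's own filters let in a packet whose source has been forged as 10.255.0.1, the SYN/ACK or RST the peer sends back will be routed over the peering link and pass our filter. That is the reflection path the reply at the top of this message is warning about, and the filters on one side cannot close it; the peer has to apply the same interface-scoped rule on its side (nothing addressed to its loopback may arrive on a non-peering interface), and the TCP-MD5 session password in the subject line is what protects the session itself once a packet has got through.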