On Sun, Nov 13, 2011 at 10:38 AM, Robert Bonomi <bonomi@mail.r-bonomi.com> wrote:
> On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis <jlewis@packetnexus.com> wrote:
>
> In addition, virtually _every_ ASN operator has ingress filters on their border routers to block almost all traffic to RFC-1918 destinations.
Well, when we are talking about selection of IP addresses as a supposed security feature... the view that "your ASN operator probably has ingress filters" is an optimistic one.

The relevant question, if you expect "private IP" to be a security feature, is: "Can you legitimately rely on your ASN operator having ingress filters on border routers to block your RFC1918 destinations from remote access?" And the proper answer is NO, you cannot rely on that; if your network design relies on this assumption, then it is not secure.

If your router is compromised, an intruder can announce your private RFC1918 IP address space through a tunnel. If an intruder is a conspirator with one of your peer networks, they can conspire with your peer to allow an RFC1918 announcement from your network. Or create a static route for an RFC1918 subnet on your network.

In other words, your use of RFC1918 address space alone does not create security. Your RFC1918 network actually _does_ need isolation separate and apart from the address space. For you to have reliable security, you still need a firewall, proxy, or NAT device of some form, with the private network isolated from the public one, even when using private IPs.

-- 
-JH
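An added example, not taken from this thread or written by any of its participants: a small Python check that implements the kind of route filtering -JH says a site must do for itself rather than leave to its ASN operator. It takes a list of (source, prefix) route announcements, constructed here with made-up source names, and rejects any prefix that overlaps RFC 1918 space unless it was learned from an internal, trusted source. The overlap test is deliberately broader than a subnet test: it also catches a covering supernet such as 10.0.0.0/7 and a more-specific carved out of a private block, which is exactly what a tunnel announcement or a conspiring peer would send.

```python
import ipaddress

# RFC 1918 private IPv4 space.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def overlaps_rfc1918(prefix):
    """True if an IPv4 prefix touches RFC 1918 space at all.

    overlaps() (rather than subnet_of()) is deliberate: it also rejects a
    covering supernet such as 10.0.0.0/7, which would otherwise smuggle the
    private space in, as well as any more-specific carved out of it.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return False  # RFC 1918 is IPv4-only; ULA (fc00::/7) needs a separate check
    return any(net.overlaps(p) for p in RFC1918)


def filter_routes(routes, trusted_sources=frozenset({"static-internal"})):
    """Split (source, prefix) pairs into accepted and rejected routes.

    Anything overlapping RFC 1918 is dropped unless it came from a trusted
    internal source, mirroring the ingress/route filter a site must run on
    its own border. Returns (accepted, rejected); rejected entries carry a
    reason string.
    """
    accepted, rejected = [], []
    for source, prefix in routes:
        if overlaps_rfc1918(prefix) and source not in trusted_sources:
            rejected.append((source, prefix, "RFC 1918 space from external source"))
        else:
            accepted.append((source, prefix))
    return accepted, rejected


# Constructed sample for this example: source names and the exact prefixes are
# made up. The externally learned RFC 1918 routes model the compromised-router
# tunnel, conspiring-peer and static-route cases described in the thread; the
# "static-internal" entry is the site's own, legitimate private block.
SAMPLE_ROUTES = [
    ("static-internal", "192.168.0.0/16"),  # our own private space
    ("peer-AS64500", "203.0.113.0/24"),     # ordinary public route (TEST-NET-3)
    ("peer-AS64500", "192.168.10.0/24"),    # more-specific of our private space, via a peer
    ("tunnel-gre0", "10.0.0.0/7"),          # supernet covering all of 10/8, via a tunnel
    ("peer-AS64496", "172.32.0.0/16"),      # just outside 172.16/12, so it is allowed
]


if __name__ == "__main__":
    ok, bad = filter_routes(SAMPLE_ROUTES)
    for entry in bad:
        print("REJECT", *entry)
    for entry in ok:
        print("ACCEPT", *entry)
```

The trusted-source exception is the part to get right: it exists so the site's own static or IGP-learned private routes survive, and it should never include a tunnel interface or an eBGP peer, since those are precisely the paths the thread says an intruder can use to inject a private prefix.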