Not that it will save more people the trouble of sending me more messages, but yes I'm aware the NSA guide states:
"The goal for this guide is a simple one: improve the security provided by routers on US Department of Defense (DoD) operational networks."
Inside the DoD, they may want to only use classful routing. The recommendation may be valid for that environment.
Highly unlikely. From what experience I have w/ DOD networks a lot of them tend to be early large allocations (whole class B's or even a class A or two) that have since been subnetted - a lot. If you peruse the allocation lists as far as who has what I believe that you'll find that there are a lot of large classful delegations to DOD networks, and not near as many "class C" blocks. Turning off ip classless in any of the environments I've seen would be nothing short of catastrophic. OTOH having lived through several so called security audits, I can certainly believe that this would be on one of the checklists. Note: I've intentionally used classful notation, not because I'm an idiot (although I'm always open to that possibility :), but because it represents the historical aspects of these allocations.
Unfortunately, some security firms and organizations have taken the NSA guide as a rulebook. I've seen a lot of security checklists copied directly from the NSA Router Security and Configuration Guide. Even worse, I've seen very expensive security vulnerability reports recommending clients change their routers based on the NSA guide, such as turning off ip classless.
If you are building a network outside of the DoD some of the NSA recommendations should *NOT* be followed.
--
Ryan Mooney <ryan@pcslink.com>
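To make the forwarding difference concrete, here is an added Python simulation (not from the original post, and not Cisco's code) of how a router resolves a destination with and without ip classless. The routing table is constructed for illustration: a historic class B allocation subnetted into /24s, plus a default route, which is the situation the reply above describes.

```python
import ipaddress

# Constructed routing table (illustrative values, not from the original post): a router that
# owns a historic class B allocation, long since subnetted into /24s, plus a default route.
ROUTES = {
    ipaddress.ip_network("172.16.1.0/24"): "Ethernet0",
    ipaddress.ip_network("172.16.2.0/24"): "Ethernet1",
    ipaddress.ip_network("0.0.0.0/0"): "Serial0 (default)",
}


def classful_major_network(addr):
    """Return the class A/B/C major network of addr, as a pre-CIDR router would reason."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8          # class A
    elif first_octet < 192:
        prefix = 16         # class B
    elif first_octet < 224:
        prefix = 24         # class C
    else:
        return None         # class D/E: no major network
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def lookup(dest, ip_classless=True):
    """Forward dest by longest-prefix match. With ip_classless=False, apply the
    classful rule: if the router knows any subnet of the destination's major
    network, an unknown subnet of that network is dropped, not sent to the default."""
    dest = ipaddress.ip_address(dest)
    best = max((n for n in ROUTES if dest in n), key=lambda n: n.prefixlen)
    if best.prefixlen == 0 and not ip_classless:
        major = classful_major_network(dest)
        if major and any(n.subnet_of(major) for n in ROUTES if n.prefixlen):
            return f"DROP: unknown subnet of major network {major}"
    return ROUTES[best]


if __name__ == "__main__":
    for target in ("172.16.1.5", "172.16.9.1", "198.51.100.7"):
        print(target, "classless ->", lookup(target, True),
              "| classful ->", lookup(target, False))
```

The second target shows the failure mode: a host in a subnet of 172.16/16 that this router has no specific route for reaches the default route when ip classless is on, but is silently dropped when it is off.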