RE: RFC1918 addresses to permit in for VPN?
On Sun, Dec 31, 2000 at 02:14:54PM -0800, Bill Woodcock wrote:
> Don't use RFC1918 addresses as a security measure.
>
> That's the clue people are trying to convey here, yes. RFC1918 just names a block of IP addresses. IP addresses are just integers. No magic differentiates one from the next. I.e., there's no inherent difference, security or otherwise, between 9.255.255.255 and 10.0.0.0. They're just adjacent integers in a continuous range.
Let's not get carried away. The difference we care about is that one address is announced and routed from the global internet, and one address is only used locally. This could just as easily be your real IP space which you're not announcing (note: this may actually be more useful than RFC1918 space for some things, like numbering your router interconnects out of such a block to prevent DoS without breaking ICMP messages generated from them). Using unrouted IPs can be a very key part of a security policy, and if you want, those IPs can be 1918 space.

HOWEVER, it must be noted with lots of red flags and buzzers that this is NOT a complete security policy. For example, if there is any way for an attacker to get on your local network, globally unrouted IPs won't help you. Also, if you're using NAT, hosts can still be subverted in their external connections (perhaps something on your network is using MS Outlook, for example).

The key thing about this discussion is that it should be common sense. There is nothing "evil" about using globally unrouted IPs as part of your security, just as there is nothing "smart" about relying on it and thinking you're secure. Let's not make the same grossly oversimplified and underclued statements against 1918 addresses as some people would use in favor of them.

-- 
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/humble
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6
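The two points made in this thread (RFC1918 membership is nothing but an integer range check, and what actually matters is whether the covering prefix is announced and whether the attacker is already on the local segment) can be made concrete with a small model. The following is an added illustration, not code from either poster; the prefixes 198.51.100.0/24 (standing in for a site's "real" space, of which only the lower /25 is announced) and the local-segment list are constructed for the example.

```python
import ipaddress

# RFC1918 is just three integer intervals, nothing more.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed scenario: the site owns 198.51.100.0/24 but announces only
# the lower /25 to the internet, keeping the upper /25 for router
# interconnects exactly as the post suggests. 10/8 is also used locally.
ANNOUNCED = ["198.51.100.0/25"]
LOCAL = ["198.51.100.0/24", "10.0.0.0/8"]


def is_rfc1918(addr):
    """Membership in RFC1918 space: a plain range check, no other property."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def is_adjacent(addr_a, addr_b):
    """True when the two addresses are consecutive integers."""
    return abs(int(ipaddress.ip_address(addr_a))
               - int(ipaddress.ip_address(addr_b))) == 1


def reachable_from_internet(addr, announced=ANNOUNCED):
    """The property that matters: is a covering prefix announced globally?"""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p) for p in announced)


def reachable_from_local(addr, local=LOCAL):
    """An attacker already on the local segment ignores global routing."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p) for p in local)


def classify(addr):
    """Summarise the address under both views so the contrast is explicit."""
    return {
        "rfc1918": is_rfc1918(addr),
        "internet_reachable": reachable_from_internet(addr),
        "local_reachable": reachable_from_local(addr),
    }


if __name__ == "__main__":
    # 9.255.255.255 and 10.0.0.0 differ by one; only a table lookup separates them.
    print(is_adjacent("9.255.255.255", "10.0.0.0"), is_rfc1918("9.255.255.255"),
          is_rfc1918("10.0.0.0"))
    # Unannounced "real" space and RFC1918 space look identical from the
    # internet, and identical to someone already inside.
    for ip in ("198.51.100.10", "198.51.100.130", "10.1.2.3"):
        print(ip, classify(ip))
```

The interconnect address 198.51.100.130 is not RFC1918 yet is just as unreachable from the internet as 10.1.2.3, and both are reachable from the local segment; the RFC1918 flag never enters either reachability decision.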