North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: RFC1918 addresses to permit in for VPN?
> I am a little lost as to what the real argument is..... > > Don't use RFC1918 addresses on public networks. This is bad. > Don't use RFC1918 addresses on as a security measure. > > I don't use RF1918 address on public networks, but I do use them on my > backend systems and at some level I consider it a security measure. Those > backend machines don't have access to the Internet and the private > addressing helps ensure that is true. Is my thinking flawed? Only that private addressing helps ensure that your machines don't have access to the Internet. If you've set up a network where there is truly no packet path to the Internet such that it wouldn't matter if your back-end network was numbered in RFC1918 space or not, then it becomes unlikely that the network in question will be compromised *by an attacker arriving via the Internet*, and your security does not depend on RFC1918 addressing. You will have someone walking up to a switch and plugging in to consider (but that's more a facility security issue). RFC1918 gives you a place to number hosts without conflicting with "public" address space, that's all. If you use RFC1918 addressing on connected hosts, and distribute RFC1918 prefixes in your IGP, then connecting to any part of that network's internals gives to access to its RFC1918 space. There are any number of ways this could be accomplished - attacking facility security, exploiting a poorly-secured dialup, etc. Security, in general, is about *feeling* safe, not about being safe. Some folks get a feeling of safety from RFC1918 addressing, some don't. Stephen
|