North American Network Operators Group


Re: RFC1918 addresses to permit in for VPN?

  • From: Stephen Stuart
  • Date: Sun Dec 31 17:25:06 2000

> I am a little lost as to what the real argument is.....
> 
> Don't use RFC1918 addresses on public networks.

This is bad.

> Don't use RFC1918 addresses as a security measure.
> 
> I don't use RFC1918 address on public networks, but I do use them on my
> backend systems and at some level I consider it a security measure.  Those
> backend machines don't have access to the Internet and the private
> addressing helps ensure that is true.  Is my thinking flawed?

Only that private addressing helps ensure that your machines don't
have access to the Internet. If you've set up a network where there is
truly no packet path to the Internet such that it wouldn't matter if
your back-end network was numbered in RFC1918 space or not, then it
becomes unlikely that the network in question will be compromised *by
an attacker arriving via the Internet*, and your security does not
depend on RFC1918 addressing. You will have someone walking up to a
switch and plugging in to consider (but that's more a facility
security issue). RFC1918 gives you a place to number hosts without
conflicting with "public" address space, that's all.

If you use RFC1918 addressing on connected hosts, and distribute
RFC1918 prefixes in your IGP, then connecting to any part of that
network's internals gives you access to its RFC1918 space. There are
any number of ways this could be accomplished - attacking facility
security, exploiting a poorly-secured dialup, etc.

Security, in general, is about *feeling* safe, not about being
safe. Some folks get a feeling of safety from RFC1918 addressing,
some don't.

Stephen
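The point Stephen makes, that the packet path rather than the address range decides whether a back-end host is reachable from the Internet, can be checked mechanically. The following is an added example, not code from the original post or from NANOG; the routing tables and IGP prefix lists are constructed, and a packet to a public test-net address is used as the probe for "is there a path to the Internet at all". It treats a host as isolated only when no route covers public space or the covering route is a null route, regardless of whether the host sits in RFC1918 space.

```python
import ipaddress

# The three RFC1918 private ranges.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed routing tables for a back-end host in 10.20.0.0/24 (example
# data, not from the post). Entries are (prefix, next_hop); a next_hop of
# None means a null route, i.e. traffic is dropped rather than forwarded.
ISOLATED_TABLE = [
    ("10.20.0.0/24", "direct"),
    ("10.0.0.0/8", "10.20.0.1"),      # only other internal back-end nets
]
LEAKY_TABLE = [
    ("10.20.0.0/24", "direct"),
    ("10.0.0.0/8", "10.20.0.1"),
    ("0.0.0.0/0", "10.20.0.254"),     # default route: a path to the Internet
]
FILTERED_TABLE = [
    ("10.20.0.0/24", "direct"),
    ("10.0.0.0/8", "10.20.0.1"),
    ("0.0.0.0/0", None),              # explicit null route for everything else
]

# Constructed IGP prefix list, e.g. what an attacker on a poorly secured
# dialup segment would learn once inside the routing domain.
IGP_PREFIXES = ["10.20.0.0/24", "10.30.0.0/24", "192.168.5.0/24", "203.0.113.0/24"]


def is_rfc1918(addr):
    """True if addr (string or ip_address) falls in any RFC1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def lookup(dest, table):
    """Longest-prefix match. Returns (prefix, next_hop) or None for no route."""
    dest = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def has_internet_path(table, probe="198.51.100.10"):
    """True if a packet to a public (TEST-NET-2) address would be forwarded.

    A missing route and a null route both count as 'no path'; that is the
    condition that actually isolates the host, not its own address range."""
    match = lookup(probe, table)
    return match is not None and match[1] is not None


def assess(host, table):
    """Summarise a host: private addressing and reachability are separate facts."""
    return {"private": is_rfc1918(host), "internet_path": has_internet_path(table)}


def rfc1918_prefixes_in_igp(prefixes):
    """List the RFC1918 prefixes an IGP is carrying; anyone who can join the
    routing domain (walk-up switch port, dialup, etc.) can reach all of them."""
    leaked = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if any(net.subnet_of(r) for r in RFC1918_NETS):
            leaked.append(str(net))
    return leaked


if __name__ == "__main__":
    for name, table in (("isolated", ISOLATED_TABLE), ("leaky", LEAKY_TABLE),
                        ("filtered", FILTERED_TABLE)):
        print(name, assess("10.20.0.5", table))
    print("RFC1918 prefixes in IGP:", rfc1918_prefixes_in_igp(IGP_PREFIXES))
```

On the "leaky" table the host is private-addressed yet has a default route, so the RFC1918 numbering buys nothing; on the "isolated" and "filtered" tables the host is cut off by routing, and it would be equally cut off if it were numbered from public space.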