North American Network Operators Group

Globally unique versus globally routable (was RE: RFC1918)

  • From: Sean Donelan
  • Date: Tue Jan 02 15:52:57 2001

> Using RFC1918 space also gets you an IP range where the outside world has
> no route to it -- Sorry, but no, packets are not getting there, ergo no way
> to hack.
>
> At that point, just by use of simple routing, you've effectively
> eliminated 100% of attacks from the outside, and you only have to worry
> about inside.  The front door is secure, now work on the back door.

One of the things which has always annoyed me about this argument was
people making the assumption that routing of addresses and registration
of addresses were related.

You can have a globally unique address, registered with an address registry
(arin, ripe, apnic), which is not routed on the Internet.

You can have a "private" shared address, which is routed on the Internet.
People who can't figure out how to filter also can't figure out how to
filter RFC1918 addresses.  So route leaks of RFC1918 space are common.

If your filters are properly configured, there is no difference in the
security of RFC1918 addresses or globally unique addresses.

What makes RFC1918 addresses "secure" isn't the addresses, but the route
filters.  If your filters aren't properly configured, there is no difference
in the security of globally unique addresses or RFC1918 addresses.

Personally, I prefer to always use globally unique addresses whether or
not they are announced on the Internet because they cause fewer problems
(security, operational, etc.) when a route does leak.  The problem
with RFC1918 addresses is that if you have an accidental route leak, you have a
fairly high probability of getting nailed by someone else using the same address.
Humans have an annoying habit of choosing the same "easy to remember" private
addresses.

If any security consultant tells you your computers are secure because they
are using RFC1918 addresses, I would suggest grabbing your wallet and running.
And yes, I've heard security consultants from the "Big 5" firms say exactly
that.

Note: I did not say either RFC1918 addresses or globally unique addresses
were secure, only that there is no difference in the level of security between
them.
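The post's point is that the route filter, not the address block, is what keeps RFC1918 space from being reached. The following is an added example (not code from the post or from NANOG) of the check such a filter performs: it takes a list of announced prefixes and separates the ones that overlap RFC1918 space, including supernets that swallow a private block, from globally unique prefixes that are fine to carry. The route feed and origin ASNs are constructed sample data; the "globally unique" prefixes use RFC5737 documentation ranges so that no real network is named.

```python
"""Classify a route feed into accepted routes and RFC1918 leaks.

Added example, not part of Sean Donelan's post. SAMPLE_FEED is constructed
sample data (RFC5737 documentation prefixes and private-use ASNs), not a
real BGP table.
"""
import ipaddress

# The three private address blocks defined by RFC1918.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed announcements: (prefix, origin ASN).
SAMPLE_FEED = [
    ("203.0.113.0/24", 64496),   # globally unique (RFC5737 space): accept
    ("198.51.100.0/24", 64497),  # globally unique (RFC5737 space): accept
    ("10.20.0.0/16", 64498),     # inside 10/8: leak
    ("172.20.0.0/14", 64499),    # inside 172.16/12: leak
    ("192.168.0.0/15", 64500),   # supernet covering all of 192.168/16: leak
    ("172.32.0.0/16", 64501),    # just past the end of 172.16/12: accept
]


def overlaps_rfc1918(prefix):
    """True if an IPv4 prefix lies inside, equals, or is a supernet of an
    RFC1918 block. overlaps() is symmetric, so a covering supernet such as
    10.0.0.0/7 is caught as well as a more-specific like 10.20.0.0/16."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return False  # RFC1918 defines IPv4 space only
    return any(net.overlaps(block) for block in RFC1918)


def filter_feed(feed):
    """Split (prefix, asn) announcements into accepted routes and leaks.

    Returns a pair of lists in the feed's original order. Registration status
    plays no part here: the filter acts on the prefix alone, which is the
    post's point about routing and registration being independent."""
    accepted, leaked = [], []
    for prefix, asn in feed:
        bucket = leaked if overlaps_rfc1918(prefix) else accepted
        bucket.append((prefix, asn))
    return accepted, leaked


if __name__ == "__main__":
    ok, bad = filter_feed(SAMPLE_FEED)
    for prefix, asn in bad:
        print(f"REJECT {prefix:<18} AS{asn}  (RFC1918 leak)")
    for prefix, asn in ok:
        print(f"ACCEPT {prefix:<18} AS{asn}")
```

Run it to see three rejects and three accepts. The `overlaps()` check matters more than a simple "is this prefix inside 10/8" test: an announcement like 192.168.0.0/15 is not a subnet of 192.168.0.0/16, yet carrying it would still route traffic for the whole private block.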