Arguing against using public IP space
jay at west.net
Sun Nov 13 19:39:03 CST 2011
On 11/13/11 3:58 PM, Jason Lewis wrote:
> People keep pointing to this as unlikely. I argue that spammers are
> currently doing this all over the world, maybe not as widespread wiith
> 1918 space. If I can announce 1918 space to an ISP where my target
> is...it doesn't matter if everyone else ignores or drops it. The ISP
> allowed it, so all their customers will route the traffic. I still
> think it's a valid attack vector, discounting it because people would
> laugh at me, seems like a poor security posture.
It would be your target announcing the RFC1918 space, so the security
risk would be if his ISP, your ISP and all of the intermediate
peering/transit links were to honor those announcements and route the
traffic to the target. Possible, and it has probably happened at some
point, but not likely. The closer your logically to your target the
more likely such an attack would succeed.
I certainly don't recommend announcing RFC1918 space to the public
Internet. Doing so is a bad thing. If you do so there is indeed a
non-zero chance that someone close enough to you could connect to your
network and do damage.
Announcing RFC1918 space is less likely to route very far than
announcing public space that isn't allocated to you, however. That's
what the spammers all over the world are doing.
In terms of security, most every SCADA system, as others have pointed
out, should not be connected to the public Internet AT ALL. In this
case it really doesn't matter what addressing scheme is used. Use
Novell IPX or Appletalk if you want. Or MODBUS.
If, however, it is using IPv4, RFC1918 space in a different subnet than
anything used internally within the organization is a better choice than
any public space or subnets of RFC1918 space in use within the
organization. This offers a degree of protection against mis-cabling
and other accidental or malicious vectors that could allow other
networks to communicate with the SCADA network.
It would probably be best if the SCADA hardware vendors were to ship
their gear with no IP addresses pre-programmed at all, as well as
preventing them from being configured until any default passwords are
changed. Similarly, they should educate their installation contractors
about such things.
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
More information about the NANOG