Arguing against using public IP space

Mark Andrews marka at isc.org
Wed Nov 16 03:07:19 UTC 2011


In message <CAP-guGXXM_Dci6QrzR2AQmFOnKh0AFs2XdVVY-H-MPDXcRrLBw at mail.gmail.com>, William Herrin writes:
> On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews <marka at isc.org> wrote:
> > Given that most NATs only use a small set of address on the inside
> > it is actually feasible to probe through a NAT using LSR.
> > Most attacks don't do this as there are lots of lower hanging fruit
> 
> Mark,
> 
> My car can be slim-jimmed. Yet the lock is sufficiently operative in
> the security process that the two times the vehicle has been broken in
> to the vagrant put a rock through the window instead of jimmying the
> lock.
> 
> That's what it MEANS when you say that there's lower hanging fruit to
> be found elsewhere. It means that the feature you're describing is
> operative in the process of obstructing an attacker.
> 
> As an aside to the debate, I boldly suggest that any firewall vendor
> which actually implements LSR or any of the IP source route
> functionality anywhere in their code deserves to be tarred and
> feathered. The security implications of source routing have been long
> understood. Code which implements source routing has no business
> existing in a commercial firewall product where it could accidentally
> be called. Please, by all means, take this opportunity to out any such
> errors which you can document.

Indeed.

A NAT mangles packets.  A firewall provides protection.  You can
combine the two but expecting one to do the job of the other is
just wrong and doesn't work.

> Regards,
> Bill Herrin
> 
> 
> -- 
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
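As an added example (not code from either poster), the kind of check a packet filter can apply to enforce the "no source routing" position taken above: it walks the IPv4 option list and reports any LSRR/SSRR option so the packet can be dropped and logged. Option codes are those of RFC 791; the header builder and the addresses are constructed for the demonstration.

```python
import socket
import struct

# IPv4 option type codes from RFC 791.
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route


def source_route_options(packet):
    """Return [(option_type, [hop, ...]), ...] for every source-route option
    in the IPv4 header of `packet`. An empty list means the packet carries
    no LSRR/SSRR option and may pass a "no source routing" policy."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        # Every other option carries a length byte covering type+len+data.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IP option")
        olen = opts[i + 1]
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            # Route data follows the type, length and pointer bytes.
            data = opts[i + 3:i + olen]
            hops = [socket.inet_ntoa(data[j:j + 4]) for j in range(0, len(data) - 3, 4)]
            found.append((kind, hops))
        i += olen
    return found


def build_ipv4_header(src, dst, options=b""):
    """Build a constructed IPv4 header (no payload) carrying `options`."""
    options += b"\x00" * ((-len(options)) % 4)  # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                        0, 0, 64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


# Constructed sample: an LSRR option (type 131, length 11, pointer 4) naming
# two hops in private space, the pattern a filter should refuse to forward.
LSRR_OPTION = (bytes([IPOPT_LSRR, 11, 4]) + socket.inet_aton("192.168.1.10")
               + socket.inet_aton("10.0.0.5"))
```

A filter that drops packets for which `source_route_options()` returns a non-empty list never has to act on the route the option names, which is the point made above: the source-routing code path simply does not run.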
