Arguing against using public IP space

Mark Andrews marka at isc.org
Tue Nov 15 21:07:19 CST 2011


In message <CAP-guGXXM_Dci6QrzR2AQmFOnKh0AFs2XdVVY-H-MPDXcRrLBw at mail.gmail.com>
, William Herrin writes:
> On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews <marka at isc.org> wrote:
> > Given that most NATs only use a small set of address on the inside
> > it is actually feasible to probe through a NAT using LSR.
> > Most attacks don't do this as there are lots of lower hanging fruit
> 
> Mark,
> 
> My car can be slim-jimmed. Yet the lock is sufficiently operative in
> the security process that the two times the vehicle has been broken in
> to the vagrant put a rock through the window instead of jimmying the
> lock.
> 
> That's what it MEANS when you say that there's lower hanging fruit to
> be found elsewhere. It means that the feature you're describing is
> operative in the process of obstructing an attacker.
> 
> As an aside to the debate, I boldly suggest that any firewall vendor
> which actually implements LSR or any of the IP source route
> functionality anywhere in their code deserves to be tarred and
> feathered. The security implications of source routing have been long
> understood. Code which implements source routing has no business
> existing in a commercial firewall product where it could accidentally
> be called. Please, by all means, take this opportunity to out any such
> errors which you can document.

Indeed.

A NAT mangles packets.  A firewall provides protection.  You can
combine the two but expecting one to do the job of the other is
just wrong and doesn't work.

> Regards,
> Bill Herrin
> 
> 
> --=20
> William D. Herrin ................ herrin at dirtside.com=A0 bill at herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the NANOG mailing list