Dynamic IP log retention = 0?

Joe Greco jgreco at ns.sol.net
Wed Mar 11 16:32:17 CDT 2009


> A quick scan of the reverse mapping for your address space in DNS reveals
> that you have basically your entire network on public addresses.  No wonder
> you're worried about portscans when the printer down the hall and the
> receptionists machine are sitting on public addresses.  I think you are
> trying to secure your network from the wrong end here.

Your idea of "security" is strange and unrealistic.

Putting all of your network behind NAT is not a guarantee of security.

IPv4 is slowly grinding to a close.  NAT has been an aid to reduce the
requirement for routable IP space at many sites, but it has never been
required to stick your entire network behind NAT.  Anyone capable of
justifying the IP space and acquiring it from an upstream ISP is able
to put all their IP-enabled gizmos, no matter even if it's just a bunch
of printers, scanners, UPS's, and other random IP-capable gear, on the
public Internet.  It should not be the operator community's job to be 
the arbiter of what devices are worthy of public IP space.

And take that and think about it, because IPv6 is coming.  This will
encourage the deployment of networks that connect every IP-capable
device in reach.  This implies many things.

It is clear that we've not done a real good job of designing IPv4
devices with sufficient layers of security to be able to stick random
devices on the Internet without a firewall and some contemplation of
rules, something I hope changes between now and IPv6 widespread
deployment.

The question shouldn't be about whether this gentleman is securing his
network from the wrong end.

In our neighbourhood, we don't have a high crime rate.  Despite that,
if we saw someone walking from house to house, trying doorknobs, we'd
call the cops.  The fact that everyone has locks on their doors does
not make it all right for someone to go around from house to house to
see if they're all locked.

In that same fashion, there's no particular reason to expect that the
gentleman who started this thread hasn't already provided some layers
of protection for his network.  Trying to address the attacker is a 
sane and reasonable next step.

We have some real and difficult questions to address in terms of how
much do we want to do in response to such complaints.  There are a lot
of potential impacts on operators for dealing with abuse complaints,
but we should be aware that this issue isn't going to go away, that
blaming the target site's security rather than the attacker is simply
wrong, that we're going to see even more devices attached under IPv6,
and that if we don't want legislative solutions handed to us to
implement, I would expect that it's a better idea to stop people from
doing things from your network that causes others to squawk (and
obviously I'm talking about Covad and the Covad-emitted traffic here).

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list