Arguing against using public IP space
William Herrin
bill at herrin.us
Tue Nov 15 17:15:06 UTC 2011
On Mon, Nov 14, 2011 at 7:35 PM, Jeroen van Aart <jeroen at mompl.net> wrote:
> William Herrin wrote:
>> If your machine is addressed with a globally routable IP, a trivial
>> failure of your security apparatus leaves your machine addressable
>> from any other host in the entire world which wishes to send it
>
> Isn't that the case with IPv6? That the IP is addressable from any host in
> the entire (IPv6) world? And isn't that considered a good thing?
Hi Jeroen,
Yes, according to almost every application developer asked it's a good thing.
Me? I'm not so sure. Historically, enterprises moved away from global
addressability even when IP addresses were free, *before* address
scarcity became an issue. There's a lesson in there somewhere and I'm
not convinced it's that "they were dumb."
> I don't think that being addressable from anywhere is a security hole in and
> of itself. It's how you implement and (mis)configure your firewall and
> related things that is the (potential) security hole. Whether the IP is
> world addressable or not
I agree. That your computer is globally addressable is NOT a security
hole. It does not directly or indirectly make you vulnerable to
attack. But the inverse doesn't follow.
That your computer is not globally addressable ADDS one layer of
security in a process you hope has enough layers to prevent an attack
from penetrating.
And make no mistake: successful security is about layers, about DEPTH.
You can seek layers from other sources but a shallow security process
will tend to be easily breached.
Regards,
Bill Herrin
--
William D. Herrin ................ herrin at dirtside.com bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
More information about the NANOG
mailing list