Arguing against using public IP space
owen at delong.com
Tue Nov 15 14:16:08 CST 2011
On Nov 15, 2011, at 9:15 AM, William Herrin wrote:
> On Mon, Nov 14, 2011 at 7:35 PM, Jeroen van Aart <jeroen at mompl.net> wrote:
>> William Herrin wrote:
>>> If your machine is addressed with a globally routable IP, a trivial
>>> failure of your security apparatus leaves your machine addressable
>>> from any other host in the entire world which wishes to send it
>> Isn't that the case with IPv6? That the IP is addressable from any host in
>> the entire (IPv6) world? And isn't that considered a good thing?
> Hi Jeroen,
> Yes, according to almost every application developer asked it's a good thing.
> Me? I'm not so sure. Historically, enterprises moved away from global
> addressability even when IP addresses were free, *before* address
> scarcity became an issue. There's a lesson in there somewhere and I'm
> not convinced it's that "they were dumb."
I'm not sure how you can make that case since RFC-1918 and its predecessors
RFC-1597 and RFC-1627 came after address scarcity was already a known
problem. The oldest of these three (RFC 1597) is dated March, 1994. IPv6
development (spurred by the fact that IPv4 addresses were becoming
scarce) started in earnest somewhere between 1990 and 1992, depending on
who you ask.
If your initial assertion were true, then, there might be some sort of lesson
from your follow-on statement. In this case, however, since the assertion
is false, the follow-on lesson is likely just that some enterprises jumped
on the NAT bandwagon sooner than others in pursuit of certain coolness
or other convenience factors unrelated to delivering a good internet
experience to their end users.
Also, since the internet was such a radically different thing back then
as compared to what it is now, I'm not sure that any such lesson
would inherently be useful in the modern age.
>> I don't think that being addressable from anywhere is a security hole in and
>> of itself. It's how you implement and (mis)configure your firewall and
>> related things that is the (potential) security hole. Whether the IP is
>> world addressable or not
> I agree. That your computer is globally addressable is NOT a security
> hole. It does not directly or indirectly make you vulnerable to
> attack. But the inverse doesn't follow.
> That your computer is not globally addressable ADDS one layer of
> security in a process you hope has enough layers to prevent an attack
> from penetrating.
This statement is absurd. I can have a globally unique address on a
system that does not have any external connectivity. The fact that the
address is global in scope does not in any way make that system any
less secure than a system which uses an address that is not globally
Addressability is not reachability. Addressability has nothing to do with
security. Reachability has a little bit to do with security, but, in any sane
modern implementation, not a lot.
> And make no mistake: successful security is about layers, about DEPTH.
> You can seek layers from other sources but a shallow security process
> will tend to be easily breached.
This is the only thing you've said here that I can actually agree with.
Given the penalties associated with non-global addressing and
the rewards available from global addressing combined with the
absolutely minimal protection afforded by non-global addressing,
I find it hard to imagine a scenario in which the benefits would
ever outweigh the costs.