Arguing against using public IP space

William Herrin bill at herrin.us
Wed Nov 16 02:44:20 UTC 2011


On Tue, Nov 15, 2011 at 8:20 PM, Mark Andrews <marka at isc.org> wrote:
> Given that most NATs only use a small set of address on the inside
> it is actually feasible to probe through a NAT using LSR.
> Most attacks don't do this as there are lots of lower hanging fruit

Mark,

My car can be slim-jimmed. Yet the lock is sufficiently operative in
the security process that the two times the vehicle has been broken
into, the vagrant put a rock through the window instead of jimmying the
lock.

That's what it MEANS when you say that there's lower hanging fruit to
be found elsewhere. It means that the feature you're describing is
operative in the process of obstructing an attacker.



As an aside to the debate, I boldly suggest that any firewall vendor
which actually implements LSR or any of the IP source route
functionality anywhere in their code deserves to be tarred and
feathered. The security implications of source routing have been long
understood. Code which implements source routing has no business
existing in a commercial firewall product where it could accidentally
be called. Please, by all means, take this opportunity to out any such
errors which you can document.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin at dirtside.com  bill at herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
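Detection logic for the source-routing point above, as an added example that is not part of the original post or any vendor's product: a parser that flags IPv4 packets carrying a loose (LSRR) or strict (SSRR) source route option so a filter can drop them instead of honouring them. Option type codes are from RFC 791; the sample packets and addresses are constructed.

```python
import ipaddress
import struct

# IPv4 option type codes (RFC 791): loose and strict source route
IPOPT_EOOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137

def parse_source_route(packet: bytes):
    """Return (kind, pointer, [hops]) if the IPv4 header carries a source-route
    option, None if it carries none; raise ValueError on malformed options."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOOL:
            break
        if kind == IPOPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if length < 3 or (length - 3) % 4:   # type, len, pointer, 4-byte hops
                raise ValueError("malformed source route")
            hops = [str(ipaddress.IPv4Address(opts[j:j + 4]))
                    for j in range(i + 3, i + length, 4)]
            return ("LSRR" if kind == IPOPT_LSRR else "SSRR", opts[i + 2], hops)
        i += length
    return None

def should_drop(packet: bytes) -> bool:
    """Filter policy: drop anything source-routed or with unparseable options."""
    try:
        return parse_source_route(packet) is not None
    except ValueError:
        return True

def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed test packet: minimal IPv4 header plus options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options

# Constructed samples (RFC 5737 / RFC 1918 addresses): one LSRR packet, one plain packet
LSRR_PKT = build_ipv4("198.51.100.7", "192.0.2.1",
                      bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("10.0.0.5").packed)
PLAIN_PKT = build_ipv4("198.51.100.7", "192.0.2.1")
```

Note that a truncated or oversized option length is treated as a drop as well, since a filter that guesses at malformed headers is the kind of accidental code path the post warns about.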
