Arguing against using public IP space
On Sun, Nov 13, 2011 at 10:38 AM, Robert Bonomi
<bonomi at mail.r-bonomi.com> wrote:
> On Sun, 13 Nov 2011 10:36:43 -0500, Jason Lewis <jlewis at packetnexus.com> wrote:
> In addition, virtually _every_ ASN operator has ingress filters on their
> border routers to block almost all traffic to RFC-1918 destinations.
Well, when we are talking about selection of IP addresses as a
supposed security feature...
the view that "your ASN operator probably has ingress filters" is an
optimistic one.
The relevant question, if you expect "private IP" to be a security
feature, is: "Can you legitimately rely on your ASN operator having
ingress filters on border routers to block your RFC1918 destinations
from remote access?"
And the proper answer is NO, you cannot rely on that; if your
network design relies on this assumption, then it is not secure. If
your router is compromised, an intruder can announce your private
RFC1918 IP address space through a tunnel.
If an intruder is a conspirator with one of your peer networks, they
can conspire with your peer to allow an RFC1918 announcement from your
network.
Or create a static route for an RFC1918 subnet on your network.
In other words, your use of RFC1918 address space alone does not
create security. Your RFC1918 network actually _does_ need
isolation separate and apart from the address space. For you to have
reliable security, you still need a firewall, proxy, or NAT device
of some form, with the private network isolated from the public one,
even when using private IPs.
--
-JH