[arin-ppml] ULA-C

Owen DeLong owen at delong.com
Mon Apr 12 02:30:23 EDT 2010


On Apr 11, 2010, at 10:24 PM, George Bonser wrote:

> Can you tell me how RFC1918 space can be routed across the global
> internet?
> 
I didn't say it could be done without misconfiguration.  I said that it doesn't
protect you as much as you think in the case of misconfiguration.

> No transit provider in the world accepts those routes and assuming that
> such traffic would have to traverse at least three networks
> (originating, at least one transit and the destination), having all
> three misconfigured is quite unlikely.
> 
And yet, time and time again, they show up in the routing tables.

> But I have never seen a transit network that will pass RFC1918 traffic.

Look harder, it has definitely happened.

> Who would they send it to?  There must be a few hundred networks
> attempting to announce that space to them.
> 
Presumably the person who they accepted the advertisement from.
IOW, the person who has obviously misconfigured things in the way
you say it will protect you.

Owen

> 
> 
>> -----Original Message-----
>> From: Owen DeLong [mailto:owen at delong.com]
>> Sent: Sunday, April 11, 2010 10:18 PM
>> To: joel jaeggli
>> Cc: George Bonser; mcr at sandelman.ca; arin-ppml at arin.net
>> Subject: Re: [arin-ppml] ULA-C
>> 
>> Well said.  Even RFC-1918 space can be routed across the global
>> internet due to misconfiguration, so, I fail to see how that can
>> possibly provide the protection described.
>> 
>> Admittedly, the number of misconfigurations increases in inverse
>> proportion to topological proximity, but, nonetheless, lots of routing
>> tables see RFC-1918 space on the global internet due to
>> misconfiguration.
>> 
>> Why would ULA-C or any other "special" prefix be any different?
>> 
>> Owen
>> 
>> On Apr 11, 2010, at 7:14 PM, joel jaeggli wrote:
>> 
>>> Oddly, I work for mondo-megacorp and I find it interesting that you're
>>> speaking for all entities that fit that category collectively.
>>> 
>>> From my vantage point, the security posture associated with a particular
>>> prefix, service or network internal to our administrative domain is
>>> defined by requirements not by some intrinsic nature of the prefix.
>>> 
>>> George Bonser <gbonser at seven.com> wrote:
>>> 
>>>> 
>>>> 
>>>>> -----Original Message-----
>>>>> From: joel jaeggli [mailto:joelja at bogus.com]
>>>>> Sent: Sunday, April 11, 2010 6:37 PM
>>>>> To: George Bonser; mcr at sandelman.ca
>>>>> Cc: arin-ppml at arin.net
>>>>> Subject: Re: [arin-ppml] ULA-C
>>>>> 
>>>>> Mondo-megacorp will trivially have enough gua space to address its
>>>>> extranet and the cost of acquiring space is negligible compared to cost
>>>>> of deploying anything inside mondo-megacorp.
>>>>> 
>>>>> Joel
>>>>> 
>>>> 
>>>> Joel, you missed the point.  They do not want their financial backend
>>>> systems on globally routable address space.
>>>> 
>>>> They do not want it to even be POSSIBLE that by some kind of
>>>> misconfiguration, their systems could be reachable from the Internet.
>>>> So they put it in address space that is impossible to be reached across
>>>> the public Internet.
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>> _______________________________________________
>>> PPML
>>> You are receiving this message because you are subscribed to
>>> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
>>> Unsubscribe or manage your mailing list subscription at:
>>> http://lists.arin.net/mailman/listinfo/arin-ppml
>>> Please contact info at arin.net if you experience any issues.
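
An added example, not part of the original thread: the exchange above turns on whether special-use prefixes actually get rejected, so this sketch audits a routing table export for RFC 1918 and ULA (fc00::/7) routes and names the neighbor each one was accepted from. The input format (prefix followed by AS path), the sample routes and the function names are constructed for illustration.

```python
import ipaddress

# Special-use ranges the thread discusses: RFC 1918 (IPv4) and ULA fc00::/7 (IPv6).
SPECIAL = {
    "RFC1918": [ipaddress.ip_network(p)
                for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "ULA": [ipaddress.ip_network("fc00::/7")],
}

# Constructed sample: "prefix as-path" lines, as a table export might look.
# ASNs come from the documentation range (RFC 5398).
SAMPLE_RIB = """\
198.51.100.0/24 64496 64499
10.20.0.0/16 64497 64511
172.16.5.0/24 64497 64500 64511
2001:db8:1::/48 64496
fd12:3456:789a::/48 64498 64510
0.0.0.0/0 64496
not-a-prefix 64496
"""

def classify(prefix):
    """Return the special-use label a prefix falls inside, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    for label, ranges in SPECIAL.items():
        for r in ranges:
            # subnet_of() raises on mixed IP versions, so compare versions first.
            if net.version == r.version and net.subnet_of(r):
                return label
    return None

def find_leaks(rib_text):
    """Return (prefix, label, neighbor_as, origin_as) for each leaked route."""
    leaks = []
    for line in rib_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            label = classify(fields[0])
        except ValueError:
            continue  # malformed prefix: skip it rather than abort the audit
        if label:
            # First ASN is the neighbor the route was accepted from; last is the origin.
            leaks.append((fields[0], label, int(fields[1]), int(fields[-1])))
    return leaks

if __name__ == "__main__":
    for prefix, label, neighbor, origin in find_leaks(SAMPLE_RIB):
        print(f"{prefix:22} {label:8} accepted from AS{neighbor}, origin AS{origin}")
```

The default route is deliberately not flagged: it covers the special-use ranges but is not itself inside them, which is why inbound filters match on the special-use range and its more-specifics.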



