[arin-ppml] IPv6 Non-connected networks
cengel at sponsordirect.com
Mon Mar 22 18:34:21 EDT 2010
Owen Delong wrote:
# ULA-C isn't going to be blocks which don't work on the internet. It's
# going to be blocks which people expect not to work on the internet, but,
# really they do under some circumstances. End result, a false sense of security which is
# worse than no security.
# NAT != Security
# Address Obfuscation != Security
# Misconfiguration == Insecurity
# Belief otherwise merely increases risk.
I've got to take some issue with your above statements Owen. NAT and Address Obfuscation ARE security mechanisms (albiet not fool-proof ones, but I've yet to see a fool-proof mechanism). Most Enterprise Admins I know commonly regard them as such...MOST dedicated IT Security people I've talked to regard them as such. PCI reg's require them as such... and pretty much every security audit I've been through that involves a regulated industry (Financial, Health, etc) has included them as such.
You may think we're all pretty much brain-dead for thinking so....but there IS a pretty strong consensus there among people who actualy get paid specificaly for IT Security.
Realisticaly RFC 1918 space (the space people use with NAT in IPv4) tends to fail closed rather then open and that's the botom line. 99.99% of the worlds routers aren't going to have a route in thier routing tables for RFC1918 space that leads to my network. If you hit my external router with a RFC1918 address it's not going to know to send it to my firewall or internal network.... and if you hit my firewalls external interface with a request for an RFC 1918 address, it's going to tell you to get lost because it's got no entry in it's table for an address on that interface that corresponds to it.
Practicaly speaking.... using that space tends to DECREASE the damage done when a misconfiguration occurs... in my dictionary, we call something that does that a "Security Mechanism".
I will agree that ULA-C sounds like a bit of a different animal though, as it would be registered to a particular organization and therefore unique to it. Personaly, I would just end up using what you guys are terming ULA-Random for private space.... but I can see why an organization might want to grab space that is uniquely assigned to it but generaly recognized not to be routed. If you ARE looking for Private space.... you are better off going with something that is indicated it SHOULD NOT be routed (ULA-C).... even if that indication is ignored sometimes then going with something that provides no indication at all (GUA). Not addressing the other aspects of it...like fee's, etc.... just this one aspect.
Personaly, I would use split DNS anyways....don't really like the idea of advertising internal host names & IP's in a publicaly accessable zone somewhere....but that's just me.
More information about the ARIN-PPML