Margaret,

> Margaret Wasserman wrote:
> Let me turn the question around... You have posited
> that the use of site-local address is somehow more
> "secure" than using a private global address range
> that is filtered in the router. Why? What attacks
> would work in the latter case that wouldn't work in
> the former case?
I consider it more secure if there is one more box to hack in order to compromise the network.

Example: A host has been compromised by installing a piece of software that reads records from a database and "tunnels" the data out by embedding it in dummy http requests sent to a special http server. No firewall that I know of will catch this, so you prevent that host from accessing the outside by configuring an access-list somewhere denying http access to the outside.

a) the host has a PA address: remove that access-list, and your little Trojan is ready to dump all the data out.

b) the host has a site-local address: Now you need something else, another tunnel. You still need the Trojan to "tunnel" the database information into http requests, but now you also need something like a GRE or IPIP tunnel to tunnel the site-local addresses into PA.

Every security architect that's worth their weight in dung will design the network in such a way that the router that would be a good candidate to configure a tunnel on (most likely the SBR) is not the same as the one that holds the access-list; they are not administered by the same personnel, who have been explicitly promised court martial and jail if they ever leak a password to a colleague. One more device to hack, more work for the hacker, more secure.

Not to mention that in many cases the edge device is a Cisco, which means for most mortal hackers that their choice in tunnel types is limited by what is available in IOS, which in turn means that it will be doable to block these tunnels in the upstream firewall, which in turn means that the firewall itself will have to be hacked as well. Yet another device to hack, even more work for the hacker, even more secure.

Another reason why site-local addresses are more secure: The hacking requires more skill than removing an access-list. Remember, hacking is mostly done from the inside.
There is nothing the security engineer can do to prevent a spy from being hired as a network engineer; that's why there are security clearances. However, there is something that the security engineer can do, which is to make the job of the janitor-turned-spy impossible by requiring a level of skill that he does not have. It's one thing to get someone to memorize a command to type when nobody looks, it's another thing to get someone to configure a router.

Conclusion: If configured properly, a network that implements site-locals is more work for the hacker, and also requires a level of hacking skill that is above acquiring the password of a router and typing "no ip access-group xyz".

Margaret, we have been having this kind of discussion since 1993 when RFC 1597 was being written. Also, please read Tim Hartrick and Richard Draves' excellent (as always) posts.

Michel.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
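Added example, not part of Michel's message or of any IETF text: a small model of the three egress controls his argument rests on (the http access-list on the edge router, the site-local scope check on the SBR, and tunnel-protocol blocking on the upstream firewall), showing how many of them must fail before the exfiltration path opens in case (a) versus case (b). Addresses, rule names and the hop ordering are constructed for illustration; the protocol numbers are the IANA assignments for GRE, IPIP and IPv6-in-IPv4.

```python
"""Model of outbound filtering for a PA-addressed host vs. a site-local host.
Constructed example: hop names, addresses and verdict strings are illustrative."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

GRE, IPIP, IPV6_IN_IPV4 = 47, 4, 41          # IANA IP protocol numbers
TUNNEL_PROTOS = {GRE, IPIP, IPV6_IN_IPV4}    # what the firewall can block by number
TCP = 6


@dataclass
class Packet:
    src: str                         # outer source address as seen on the wire
    proto: int                       # IP protocol number
    dport: Optional[int] = None      # destination port for TCP/UDP
    inner_src: Optional[str] = None  # inner source when encapsulated in a tunnel


def is_site_local(addr: str) -> bool:
    """True for an IPv6 address in the (now deprecated) fec0::/10 site-local range."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and ip.is_site_local


def edge_router(pkt: Packet, http_acl: bool) -> str:
    """Edge router: the 'deny http to the outside' access-list from the post."""
    if http_acl and pkt.proto == TCP and pkt.dport == 80:
        return "dropped: http access-list"
    return "forwarded"


def site_border_router(pkt: Packet) -> str:
    """SBR: a site-local source is not routable outside the site, so it is dropped."""
    if is_site_local(pkt.src):
        return "dropped: site-local source at border"
    return "forwarded"


def upstream_firewall(pkt: Packet, block_tunnels: bool) -> str:
    """Upstream firewall: denies known tunnel protocols by IP protocol number."""
    if block_tunnels and pkt.proto in TUNNEL_PROTOS:
        return "dropped: tunnel protocol"
    return "forwarded"


def egress(pkt: Packet, *, http_acl: bool = True, block_tunnels: bool = True) -> str:
    """Run the packet through the three hops in order; first drop wins."""
    for verdict in (edge_router(pkt, http_acl), site_border_router(pkt),
                    upstream_firewall(pkt, block_tunnels)):
        if verdict != "forwarded":
            return verdict
    return "forwarded"
```

Case (a) opens as soon as `http_acl=False`; case (b) still stops at the SBR, and even a GRE-wrapped copy (outer PA source, inner site-local) only passes once `block_tunnels=False` as well.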
