This "RFC1918 for control plane/management plane" technique is vulnerable to a TCP reflection attack. The miscreants know about it. So the assumption that the chance of an RFC 1918 packet reaching your router is "zero" is not something you should make.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Iljitsch van Beijnum
> Sent: Friday, June 23, 2006 4:18 PM
> To: Owen DeLong
> Cc: NANOG list
> Subject: Re: key change for TCP-MD5
>
>
> On 24-jun-2006, at 0:43, Owen DeLong wrote:
>
> > Why couldn't the network device do an AH check in hardware before
> > passing the packet to the receive path? If you can get to a point
> > where all connections or traffic TO the router should be AH, then,
> > that will help with DOS.
>
> If you care that much, why don't you just add an extra loopback address,
> give it an RFC 1918 address, have your peer talk BGP towards that address
> and filter all packets towards the actual interface address of the router?
>
> The chance of an attacker sending an RFC 1918 packet that ends up at your
> router is close to zero, and even though the interface address still shows
> up in traceroutes etc., it is bullet proof because of the filters.
>
> (This works even better with IPv6 link local addresses; those are
> guaranteed to be unroutable.)