Edge ACLs tend to be wrong after a while (too much operation involved, etc.)
This is just another way to shield the infrastructure. Often within a network non-LLA's are used for traffic path visibility, or for trace-routes. Passive addresses will in that case reduce the attack vector as they are useless as a destination address, because the recipient target box will drop any packet received where this address is used as destination address.

It does not mean that you should not use perimeter ACL or FW's at all. That is still good practice.

G/

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dobbins, Roland
Sent: 07 October 2012 12:27
To: opsec wg mailing list
Cc: v6ops v6ops WG ([email protected])
Subject: Re: [OPSEC] Passive IP addresses - 2th iteration

On Oct 7, 2012, at 4:29 PM, Gunter Van de Velde (gvandeve) wrote:

> A) If the recipient device receives an IP packet with this passive address in
> the destination address and is destined for this device, then the packet will
> be dropped.

What's the advantage to this over ACLs? It seems just another way to fragment (pardon the pun, heh) network access policy even further than it already is.

-----------------------------------------------------------------------
Roland Dobbins <[email protected]> // <http://www.arbornetworks.com>

Luck is the residue of opportunity and design.

-- John Milton

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
