[H-GEN] Network Nasties
Everist, Geoff
everistg at switch.aust.com
Thu Mar 2 02:16:00 EST 2000
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[snip]
>
> IIRC this ISP (and probably others) offers VPNs which use private addresses
> for both the payload and delivery protocols. In other words yes, the
> customers do have their own VPN with private addresses, but this runs on top
> of the ISP's network which also uses private addresses (possibly even the
> same ones, although this has been known to cause headaches). This is
> sometimes promoted as a security feature, in that you can be (fairly) sure
> your packets will stay within your ISP's network and so, assuming you trust
> your ISP, you don't need to worry about your traffic falling into hands it
> shouldn't. On the down side it means the ISP forces you to use them for your
> entire VPN, which is awkward to get around when your VPN needs to extend
> overseas and their network doesn't (even though they are supposedly part of
> a large international group....but I won't stray any further from the
> specific topic at hand for fear of tripping over this list's charter).
>
> Ian
>
[snip]
Ahh...that makes sense, thank you for your insight. It would be interesting
to see if it is possible to get a packet destined for my address but with a
spoofed source address in the private range delivered if sent from another
ISP (i.e. to test whether my ISP's border routers are rejecting private
source addresses coming in from the outside world). If they are, then the
only worry I would have (if I was not doing my own filtering in my firewall)
is from malicious hackers or compromised hosts within my ISP (ack!).
Just taking that a little further, how is using a private address space more
secure? All it takes is one host on the network to be compromised, and the
whole internal network is opened up. There does not appear to be any access
restraints on the private address space; I have a bog standard permanent
modem account (I do not use the VPN services) and yet I can traceroute to
and receive packets from the VPN addresses.
Cheers
Geoff
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
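
Added example, not part of the original post: one way to check from your own firewall logs whether packets with RFC 1918 source addresses are reaching your Internet-facing interface, which is the border-filtering question raised in the message above. The netfilter-style log format, the interface name ppp0 and the sample lines are assumptions made for this illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges; a source in one of these should never arrive
# on an Internet-facing interface if upstream border filtering is in place.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log format: netfilter-style key=value pairs (IN=, SRC=, DST=).
FIELD = re.compile(r"\b(IN|SRC|DST)=(\S*)")

# Constructed sample lines, not captured traffic. ppp0 is assumed external.
SAMPLE_LOG = """\
Mar  2 02:10:01 gw kernel: IN=ppp0 OUT= SRC=10.20.30.40 DST=198.51.100.7 PROTO=ICMP
Mar  2 02:10:05 gw kernel: IN=ppp0 OUT= SRC=192.0.2.99 DST=198.51.100.7 PROTO=TCP
Mar  2 02:10:09 gw kernel: IN=eth0 OUT= SRC=192.168.1.5 DST=198.51.100.7 PROTO=UDP
Mar  2 02:10:12 gw kernel: IN=ppp0 OUT= SRC=172.31.255.1 DST=198.51.100.7 PROTO=UDP
Mar  2 02:10:15 gw kernel: IN=ppp0 OUT= SRC=172.32.0.1 DST=198.51.100.7 PROTO=UDP
Mar  2 02:10:20 gw kernel: IN=ppp0 OUT= SRC=not-an-ip DST=198.51.100.7 PROTO=UDP
"""

def private_block(addr):
    """Return the RFC 1918 network containing addr, or None."""
    return next((n for n in RFC1918 if addr in n), None)

def audit(log_text, external_if="ppp0"):
    """Return (findings, unparsed): private-source packets seen on the
    external interface, and lines whose SRC could not be parsed."""
    findings, unparsed = [], []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("IN") != external_if:
            continue                      # internal interface: private source is expected
        try:
            src = ipaddress.ip_address(f.get("SRC", ""))
        except ValueError:
            unparsed.append(line)         # keep for manual review, don't drop silently
            continue
        block = private_block(src)
        if block is not None:
            findings.append((str(src), str(block)))
    return findings, unparsed

if __name__ == "__main__":
    hits, bad = audit(SAMPLE_LOG)
    for src, block in hits:
        print(f"private source {src} ({block}) arrived on external interface")
    print(f"{len(bad)} line(s) could not be parsed")
```

The ranges are listed explicitly rather than relying on Python's is_private attribute, which also covers other reserved blocks and would widen the check beyond RFC 1918.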