Brian E Carpenter wrote:
> On 2009-04-08 08:01, james woodyatt wrote:
>
>> As I wrote to you privately, I'm not sure I see why they feel the need to
>> use ULAs at all.
>
> Let me hazard a guess. They have great confidence that ULA prefixes will
> never be accidentally advertised by ISPs, even if they are accidentally
> leaked by careless site IT departments. Therefore, they are intrinsically
> safer to use in intranet and extranet routing tables than any other form
> of global scope prefix. This argument applies even if you don't entirely
> trust the IT departments of your extranet partners.

Let me see if I understand you:

- Enterprises might like to be able to exchange traffic between some set of hosts on their internal networks, and some set of external hosts. For this reason (among others) it's a good idea if the addresses used on the internal network have global scope.

- Such enterprises will of course expect to filter traffic between those internal hosts, and non-approved external hosts, at their borders. However, such filters might be misconfigured without anyone realizing it. And it might also be the case that traffic leaks out via unapproved paths.

- Given the above, using ULAs appears to provide some additional insurance against unauthorized traffic, because the enterprise networks trust the ISPs to not advertise ULAs.

I can't fault the motivation. But if I understand things right, I have to wonder if the confidence that the enterprise network operators have in ISPs to not route their ULAs is misplaced, or needs calibration. It seems to be tantamount to saying "we don't trust ourselves to maintain accurate filters at our network borders, but we trust ISPs (including those with whom we have no relationship) to maintain accurate BGP filters." I.e., things might well work the way the enterprise network operators want them to, most of the time, but they're depending on unpaid allies to provide security for them.

A better strategy might be to have a solid procedure in place for maintaining and continuously testing those filters - as well as testing the devices that watch for unauthorized traffic. Of course, that strategy wouldn't preclude use of ULAs. But a decision to use ULAs needs to be made in light of its effect on applications, and I have to wonder how much analysis is being done there by the network operators. (Granted, it's not easy to do.)

> Note, the global scope property is important. It's the only reasonable
> scope for an extranet.

Agreed.

> I don't think you'll find this way of thinking easy to change, any more
> than you will persuade physical site security people to leave some of
> the doors unlocked on the weekend.

Sure, but a better analogy might be one of physical site security people insisting on using red colored keys for internal doors, because they think that nobody will lose, give away, or copy a key that is red.

Keith

_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
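The "continuously testing those filters" point in the reply above, as an added example that is not part of the original thread: a small audit over a border router's import/export view that flags the three conditions the discussion turns on, namely a ULA prefix learned from an ISP (the ISP did not filter it), the site's own ULA escaping in an outbound announcement (the site's export filter failed), and an internal-only public prefix being announced. The route list, peer names and prefixes are constructed sample data, and the `(prefix, peer, direction)` tuple format is an assumption rather than any router's real output.

```python
import ipaddress

# RFC 4193 Unique Local Address block (fc00::/7); fd00::/8 is the locally assigned half.
ULA_BLOCK = ipaddress.ip_network("fc00::/7")


def is_ula(prefix: str) -> bool:
    """True if the prefix is an IPv6 prefix lying inside fc00::/7."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 6 and net.subnet_of(ULA_BLOCK)


def audit_border_routes(routes, internal_only):
    """Flag routes that the border filters should have stopped.

    routes: iterable of (prefix, peer, direction); direction is
            'in'  = learned from an external peer,
            'out' = announced by us to an external peer.
    internal_only: public prefixes that must never appear in an 'out' announcement.
    Returns a sorted list of (finding, prefix, peer) tuples.
    """
    internal = [ipaddress.ip_network(p, strict=False) for p in internal_only]
    findings = []
    for prefix, peer, direction in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if is_ula(prefix):
            # ULA seen at the border at all is a filter failure on one side or the other.
            kind = "ula-learned-from-isp" if direction == "in" else "ula-leaked-to-isp"
            findings.append((kind, prefix, peer))
        elif direction == "out" and any(net.subnet_of(i) for i in internal):
            findings.append(("internal-prefix-leaked-to-isp", prefix, peer))
    return sorted(findings)


# Constructed sample of one border router's import/export view (not real data).
SAMPLE_ROUTES = [
    ("2001:db8:1::/48", "isp-a", "out"),       # our public prefix, legitimately announced
    ("fd12:3456:789a::/48", "isp-a", "out"),   # our ULA escaping through a missing export filter
    ("fd00:dead:beef::/48", "isp-b", "in"),    # someone else's ULA that an ISP did forward to us
    ("2001:db8:1:ff00::/56", "isp-b", "out"),  # management subnet that should stay internal
    ("2001:db8:2::/48", "isp-b", "in"),        # ordinary external route, nothing to report
]
INTERNAL_ONLY = ["2001:db8:1:ff00::/56"]

if __name__ == "__main__":
    for finding in audit_border_routes(SAMPLE_ROUTES, INTERNAL_ONLY):
        print(*finding)
```

Running the audit on the sample view reports the two ULA findings and the leaked management subnet; fed a real route dump on a schedule, the same check gives the site its own evidence instead of relying on ISPs' filters.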
