On 12/3/13, 10:54 AM, Ronald Bonica wrote:
> Folks,
> 
> Reading through Sections 2.2 and 2.3 of this document, I question
> whether the benefits of numbering router interfaces from link-local
> address space actually outweigh the cost. The document lists the
> following as benefits:
> 
> 1) Smaller routing tables
> 2) Simpler address management
> 3) Lower configuration complexity
> 4) Simpler DNS
> 5) Reduced attack surface
> 
> IMHO, advantages 1, 2 and 3 are dubious. In this draft, we consider
> numbering router-to-router interfaces from link-local space. In a
> large network, the number of router-to-router interfaces is dwarfed
> by the total number of interfaces. So, numbering router-to-router
> interfaces reduces the magnitude of some problems, but not by a
> significant amount.
> 
> Advantage #5 also is dubious. If you think of an address as being
> "the attack surface" of a router, then numbering selected interfaces
> from link-local reduces the attack surface. But miscreants don't
> attack addresses. They attack the resource that an address
> represents. Since all of those resources are accessible using the
> box's globally routable loopback address, numbering some interfaces
> from link-local really doesn't reduce the attack surface.
>
> I realize that this may not be the kind of review that you want. So,
> I am happy to be told that mine is the minority opinion.

I'm generally concerned when the question arises of whether we should put
our stamp on something that we don't consider to be a good idea.

As I noted for the 88 minutes I feel a bit more sanguine about this if
it looks more like a case study, e.g. we "did it because of foo, this is
what we did."

Personally, I feel that this is a bad idea in general; there may be
specific cases where it is appropriate.

> --------------------------
> Ron Bonica
> vcard: www.bonica.org/ron/ronbonica.vcf
> 



_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
