North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: NSA's recommendation for classfull routing (was Re: IP address fee??)
- From: Ryan Mooney
- Date: Fri Sep 06 20:36:54 2002
> Not that it will more people the trouble of sending me more messages, but
> yes I'm aware the NSA guide states:
> "The goal for this guide is a simple one: improve the security provided
> by routers on US Department of Defense (DoD) operational networks."
> Inside the DoD, they may want to only use classful routing. The
> recommendation may be valid for that environment.
Highly unlikely. From what experience I have w/ DOD networks a lot of them
tend to be early large allocations (whole class B's or even a class A or two)
that have since been subnetted - a lot. If you peruse the allocation lists
as far as who has what I believe that you'll that there are a lot of large
classfull delegations to DOD networks, and not near as many "class C" blocks.
Turning off ip classless in any of the enviroments I've seen would be nothing
short of catastrophic.
OTOH having lived through several so called security audits, I can certainly
believe that this would be on one of the checklists.
Note: I've intentionally used classful notation, not because I'm an idiot
(although I'm always open to that possibility :), but because it represents
the historical aspects of these allocations.
> Unfortunately, some security firms and organizations have taken the NSA
> guide as a rulebook. I've seen a lot of security checklists copied
> directly from the NSA Router Security and Configuration Guide. Even worse,
> I've seen very expensive security vulnerability reports recommending
> clients change their routers based on the NSA guide, such as turning off
> ip classless.
> If you are building a network in the outside of the DoD some of the NSA
> recommendations should *NOT* be followed.
Ryan Mooney firstname.lastname@example.org