Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Why is RFC1918 space in public DNS evil?

  • From: Jim Mercer
  • Date: Mon Sep 18 08:58:04 2006

On Mon, Sep 18, 2006 at 08:36:44AM -0400, Daniel Senie wrote:
> At 04:33 AM 9/18/2006, Jim Mercer wrote:
> >if the hosts inside the VPN can only be accessed by hostnames served up 
> >inside
> >the VPN, then it is more likely the users can be confident that their data
> >is actually traversing the VPN.
> >
> >it works, or it don't.
> 
> Or, the user's computer is still caching information. Internet 
> Explorer is does this, and other browsers may as well. I keep a link 
> to a script on my Windows desktop labelled "Flush DNS" and wind up 
> using it often. If the user is accessing sites across the VPN, and as 
> another poster writes the VPN drops, packets containing juicy, 
> private information could well leak out in places people didn't intend.
> 
> As risks go, this might not be too severe in many cases, but if you 
> were doing a security assessment for sarbox or hippa, would you 
> consider it safe? Do the remote sites indeed have filters blocking 
> traffic to/from RFC1918 space that don't traverse the VPN?

maybe ut some null routes on the PC's for the blocks, and have them overridden
when the VPN comes up.  could be done as part of the install of the VPN
software/config?


-- 
[ Jim Mercer        jim@reptiles.org        +971 50 436-3874 ]
[          I want to live forever, or die trying.            ]




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.