Randy Bush wrote:
> > The fact that your prefix is a Secret Sauce that isn't known to the
> > rest of the world won't matter much to an attacker. One 'ifconfig' on
> > whatever beachhead machine the attacker has inside your net, and it's
> > not Secret Sauce anymore, it's just another bottle of Thousand Island
> > dressing...
>
> security through obscurity is such tempting koolaid. people fall for it
> continually and repeatedly.
Some people have different Layer 8-9 requirements than others. I am not saying they are 'right', just that 'easier' is a relative term based on what part of the problem is generating the most heat at the moment.

> i especially like the one where filtering ula at your border is thought to be any
> different than filtering a bit of global at your border.

There is no difference in the local filtering function, but *IF* all transit providers put FC00::/7 in bogon space and filter it at every border, there is a clear benefit when someone fat-fingers the config script and announces what should be a locally filtered prefix (don't we routinely see unintended announcements in the global BGP table?). I realize that is a big IF, but bogon filtering happens fairly consistently in IPv4, so there is no reason to believe it will be less so in IPv6.

Tony
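The ULA part of the border bogon filter Tony describes, as an added example that is not part of the original thread or anyone's production configuration. It uses only Python's standard ipaddress module and a constructed list of announcements (documentation prefixes and reserved ASNs, not real routing data) to show what a transit border would accept and what it would drop, including the fat-fingered more-specific he mentions and a malformed entry:

```python
import ipaddress

# RFC 4193 unique local address space: the block Tony wants every transit
# provider to treat as a bogon at every border.
ULA = ipaddress.IPv6Network("fc00::/7")


def classify(prefix_str):
    """Classify one announced IPv6 prefix the way a ULA bogon filter would.

    Returns "reject-malformed", "reject-ula" or "accept".  Any prefix that
    overlaps fc00::/7 is rejected, so this catches the leaked site /48
    (fdxx::/48), the whole fc00::/7 block, and a covering aggregate such as
    fc00::/6.  Only the ULA rule is implemented here; a real border filter
    carries the rest of the IPv6 bogon list as well.
    """
    try:
        net = ipaddress.IPv6Network(prefix_str, strict=False)
    except (ValueError, TypeError):
        # Garbage in the feed is dropped rather than crashing the filter.
        return "reject-malformed"
    if net.overlaps(ULA):
        return "reject-ula"
    return "accept"


def filter_announcements(announcements):
    """Split (prefix, origin_asn) pairs into accepted and rejected lists.

    Each returned entry is (prefix, origin_asn, verdict) so the rejects can
    be logged with the reason.
    """
    accepted, rejected = [], []
    for prefix, asn in announcements:
        verdict = classify(prefix)
        entry = (prefix, asn, verdict)
        if verdict == "accept":
            accepted.append(entry)
        else:
            rejected.append(entry)
    return accepted, rejected


# Constructed sample feed (hypothetical, for illustration only).
SAMPLE = [
    ("2001:db8:1::/32", 64496),       # ordinary global prefix, passes
    ("fd12:3456:789a::/48", 64496),   # site ULA leaked by a fat-fingered script
    ("fc00::/7", 64497),              # the entire ULA block
    ("fc00::/6", 64497),              # aggregate that covers ULA space
    ("2001:db8:2::/48", 64498),       # another global more-specific, passes
    ("not-a-prefix", 64499),          # malformed entry in the feed
]

if __name__ == "__main__":
    ok, dropped = filter_announcements(SAMPLE)
    for prefix, asn, verdict in ok + dropped:
        print(f"{prefix:24} AS{asn}  {verdict}")
```

Because the test is `overlaps()` rather than `subnet_of()`, a default route (::/0) would also be rejected, which is the behaviour wanted on an eBGP border but not on an internal session; scope the filter accordingly.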