[security-sig] On blindly recommending RFC 1918 addresses (was: Openstack cannot access to the Internet)
Jeremy Stanley
fungi at yuggoth.org
Thu Feb 11 19:11:00 UTC 2021
On 2021-02-11 18:45:48 +0100 (+0100), Thomas Goirand wrote:
[...]
> You should *not* expose your compute machines to the internet (and
> probably not your controller either, except the API). You should set
> them up with a private network address (192.168.x.x or 10.x.x.x for
> example). Only your VMs should have access to internet. I would strongly
> recommend revisiting your network setup.
[...]
I'm not trying to be pedantic, but just because something has an RFC
1918 address doesn't mean it's not also exposed to the Internet (for
example via a port forward, or 1:1 NAT, or through a proxy, or an
interface alias, or another interface, or another address family
like inet6, or...). Conversely, using globally routable addresses
doesn't mean those systems are necessarily exposed to the Internet
either (they could be secured behind this new-fangled contraption
called a "network firewall" which is a far more thorough means of
policy enforcement than merely hopes and wishes that certain
addresses won't be reachable thanks to loosely obeyed routing
conventions).
While not wasting global IPv4 addresses on systems which don't need
to be generally reachable is probably a sensible idea from the
perspective of v4 address exhaustion/conservation, it's dangerous to
assume or suggest that something is secure from remote tampering
just because it happens to have an RFC 1918 address on it.
--
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210211/9a0a93b8/attachment.sig>
More information about the openstack-discuss
mailing list