
List:       firewall-wizards
Subject:    RE: [fw-wiz] ip classless?
From:       Michael <topo2 () pacbell ! net>
Date:       2003-04-26 5:16:57

For one, ip classless (referring to CIDR) allows you to have access
lists that are not based on classful (i.e., A, B, and C) subnets (more
precision). It also allows for more flexibility and specificity in
allocating (subnetting) your address space. Not sure if that
helps...

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Behm,
Jeffrey L.
Sent: Friday, April 25, 2003 8:11 AM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] ip classless?

I'm wondering, and perhaps this isn't the right forum, but... what are
the *security* implications of changing "no ip classless" to "ip classless"
in a Cisco router IOS? The router is the perimeter router, between the DMZ
and the Internet.

I found http://www.networkking.net/out/IPClassless.php (a humorous but
informative read, thanks Bernard) which, to me, says that if you break a
class into pieces, you have to tell the router about every single piece of
the class; otherwise the router will simply drop packets to destinations (in
that class) you haven't told the router about. However, the article at the
above URL deals with RIP, whereas my case only deals with static routing.

So, extrapolating that to just static routing, do the same rules apply?
We are arguing that rather than having to specify how to route all the
specific destinations in that class (some inside, but most out to the
Internet), one could just specify static routes (to those destinations
we know are on the inside) to the inside interface, enable "ip classless",
and let it direct the "other stuff" to the default route, i.e. out to
the Internet.

We feel more comfortable simply using multiple static routes to get that
class routed correctly, so this question is mostly academic at this point. I
guess the underlying problem we have is that just because we don't fully
understand "ip classless", we feel *more* secure using static routes. The
question is, do they accomplish exactly the same thing, or should we be
paranoid regarding "ip classless"? Could someone bounce packets
off/through the router by having ip classless enabled, whereas they
couldn't if it was disabled?

Jeff
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
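The following is an added example, not part of either message above and not
Cisco code: a small Python model of the forwarding lookup that reproduces the
difference Jeff is asking about. It encodes the IOS rule as documented: with
"no ip classless", a packet whose destination lies in a classful major network
of which the router already knows at least one subnet, but which matches no
subnet route, is discarded rather than sent to the default route; with
"ip classless", plain longest-prefix matching applies and the default route
is used. The topology (a class C 192.0.2.0/24 split so that two /26s are in
the DMZ and the rest is on the Internet), the interface labels and the test
addresses are constructed for the example using documentation address ranges.

```python
import ipaddress


def classful_network(addr):
    """Return the classful (A/B/C) major network containing addr.

    This is only needed for the 'no ip classless' rule. Class D/E addresses
    are given a /32 so they never look like a subnetted major network.
    """
    addr = ipaddress.IPv4Address(addr)
    first_octet = int(addr) >> 24
    if first_octet < 128:
        plen = 8
    elif first_octet < 192:
        plen = 16
    elif first_octet < 224:
        plen = 24
    else:
        plen = 32
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


class Router:
    """Minimal forwarding-table model with the IOS 'ip classless' switch."""

    def __init__(self, classless=True):
        self.classless = classless
        self.routes = []  # list of (IPv4Network, next-hop label)

    def add_route(self, prefix, via):
        self.routes.append((ipaddress.ip_network(prefix), via))

    def lookup(self, dst):
        """Return the next-hop label for dst, or None if the packet is dropped."""
        dst = ipaddress.IPv4Address(dst)
        matches = [(net, via) for net, via in self.routes if dst in net]
        if not matches:
            return None
        best_net, best_via = max(matches, key=lambda m: m[0].prefixlen)
        if best_net.prefixlen > 0:
            # A specific (non-default) route matched: used in both modes.
            return best_via
        if self.classless:
            # ip classless: longest match legitimately includes 0.0.0.0/0.
            return best_via
        # no ip classless: only the default route matched. If this router
        # knows any subnet of dst's major classful network, the destination
        # is treated as a missing piece of that network and discarded.
        major = classful_network(dst)
        knows_subnet = any(net.prefixlen > 0 and net.subnet_of(major)
                           for net, _ in self.routes)
        return None if knows_subnet else best_via


def build_perimeter_router(classless, explicit_remainder=False):
    """Constructed topology (assumption): a class C split between DMZ and Internet."""
    r = Router(classless)
    r.add_route("192.0.2.0/26", "Ethernet0 (DMZ)")     # inside piece
    r.add_route("192.0.2.64/26", "Ethernet0 (DMZ)")    # inside piece
    if explicit_remainder:
        # Jeff's alternative: a static route for the piece that is outside.
        r.add_route("192.0.2.128/25", "Serial0 (Internet)")
    r.add_route("0.0.0.0/0", "Serial0 (Internet)")     # default route
    return r


def forwarding_table(classless, explicit_remainder=False):
    """Look up three constructed destinations and return {dst: next-hop or None}."""
    r = build_perimeter_router(classless, explicit_remainder)
    probes = (
        "192.0.2.10",     # inside piece of the split class C
        "192.0.2.200",    # outside piece of the same class C
        "198.51.100.5",   # unrelated Internet destination
    )
    return {dst: r.lookup(dst) for dst in probes}


if __name__ == "__main__":
    for mode, remainder in ((True, False), (False, False), (False, True)):
        label = "ip classless" if mode else "no ip classless"
        if remainder:
            label += " + static route for the outside piece"
        print(label)
        for dst, via in forwarding_table(mode, remainder).items():
            print(f"  {dst:>14} -> {via or 'DROPPED'}")
```

Running it shows that with "no ip classless" the packet to 192.0.2.200 is
dropped even though a default route exists, because the router knows two
subnets of 192.0.2.0/24; with "ip classless" it follows the default route;
and with an explicit static route covering the outside piece the two settings
give the same answer for every probe. The model also makes the answer to the
"bounce" question visible: the setting only decides whether a packet to an
unknown piece of a known class is forwarded to the default route or dropped,
it does not add or remove any filtering, so what can pass through the router
is still governed by its access lists rather than by this switch.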
