7. Security Considerations
The use of private address space has the following security implications:
7.1 Network Obscurity
Private addresses are not routed on the public Internet, providing a degree of "security through obscurity". The internal network topology is invisible to external attackers, which may increase the difficulty of attacks. However, this should not be considered a primary security mechanism, as "obscurity" itself is not true security.
7.2 Address Spoofing
Border routers must be configured to filter out packets arriving from the outside that claim a source address in private address space, as these are obviously forged. Similarly, packets from the internal network whose destination address falls in private address space should be filtered before they are routed externally.
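The two filters described above can be modeled as a border-router decision function; this is an added example, not part of the original document. It assumes the private ranges are the three RFC 1918 blocks, which this section does not list, and the function names and sample packets are constructed for illustration.

```python
import ipaddress

# Assumption: "private address space" means the three RFC 1918 blocks.
# ipaddress.ip_address(...).is_private is deliberately not used, because it
# also matches loopback, link-local and other reserved ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_space(addr):
    """True if addr falls inside one of the private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def border_decision(direction, src, dst):
    """Decide what the border router does with one packet.

    direction is "inbound" (arriving on the external interface) or
    "outbound" (about to be forwarded to the external network).
    """
    if direction == "inbound":
        if in_private_space(src):
            return ("drop", "private source from outside: forged")
    elif direction == "outbound":
        if in_private_space(dst):
            return ("drop", "private destination must not leave the site")
    else:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    return ("permit", "no private-address filter matched")


# Constructed sample packets (documentation addresses stand in for public hosts).
SAMPLE_PACKETS = [
    ("inbound", "10.1.2.3", "198.51.100.10"),        # spoofed private source
    ("inbound", "172.31.255.255", "198.51.100.10"),  # last address of 172.16.0.0/12
    ("inbound", "172.32.0.1", "198.51.100.10"),      # just outside the /12
    ("inbound", "203.0.113.7", "198.51.100.10"),     # ordinary external host
    ("outbound", "198.51.100.10", "192.168.1.1"),    # private destination leaking out
    ("outbound", "198.51.100.10", "203.0.113.7"),    # ordinary outbound traffic
]

if __name__ == "__main__":
    for direction, src, dst in SAMPLE_PACKETS:
        action, reason = border_decision(direction, src, dst)
        print(f"{direction:8} {src:>15} -> {dst:<15} {action:6} {reason}")
```

The 172.31.255.255 and 172.32.0.1 cases exercise the edge of the /12 block, the boundary most often mistyped in hand-written filters.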
7.3 Firewall Configuration
Enterprises using private address space should consider the following factors in their security architecture:
- Firewall rules should explicitly handle private address space
- NAT devices should be considered part of the security perimeter
- Appropriate logging and monitoring should be implemented
7.4 DNS Security
If not properly configured, private addresses may leak into public DNS, leading to:
- Information disclosure
- Potential DNS cache poisoning attacks
- Configuration errors and connectivity issues
Therefore, DNS configuration must be carefully managed to prevent leakage of private address information.
7.5 Internal Threats
Private address space does not provide protection against internal threats. Enterprises still need to implement appropriate internal security controls, such as Access Control Lists (ACLs), authentication, and authorization mechanisms.