7. Security Considerations
The use of private address space has the following security implications:
7.1 Network Obscurity
Private addresses are not routed on the public Internet, which provides a degree of "security through obscurity": internal network topology is not visible to external attackers, which may make attacks more difficult. However, this should not be treated as a primary security mechanism, because obscurity is not in itself security.
7.2 Address Spoofing
Border routers must be configured to filter out packets that arrive from the outside claiming a source address in private address space, as these are clearly forged. Similarly, packets originating from the internal network whose destination address falls within the private address space, and which are about to be routed externally, should be filtered.
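
The two border rules above, written as a small Python check. This is an added example, not part of the original text: the function names and sample packets are constructed for illustration, and the three address blocks are the RFC 1918 private ranges.

```python
import ipaddress

# The three private blocks (10/8, 172.16/12, 192.168/16). Python's
# ip.is_private is deliberately not used: it also matches loopback,
# link-local and other special-purpose ranges.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_space(addr):
    """True if addr is an IPv4 address inside one of the private blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in PRIVATE_BLOCKS)


def border_verdict(direction, src, dst):
    """Return (action, reason) for a packet crossing the border router.

    direction is "inbound" (arriving on the external interface) or
    "outbound" (about to leave through it).
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    if direction == "inbound" and in_private_space(src):
        return ("drop", "external packet claims a private source")
    if direction == "outbound" and in_private_space(dst):
        return ("drop", "private destination must not be routed externally")
    return ("pass", "no private-address violation")


# Constructed sample packets (documentation and private addresses only).
SAMPLE = [
    ("inbound", "10.1.2.3", "203.0.113.10"),        # forged private source
    ("inbound", "198.51.100.7", "203.0.113.10"),    # ordinary external traffic
    ("outbound", "203.0.113.10", "192.168.50.4"),   # private destination leaking out
    ("outbound", "203.0.113.10", "172.32.0.1"),     # just outside 172.16.0.0/12
    ("inbound", "172.31.255.255", "203.0.113.10"),  # last address of 172.16.0.0/12
]


def audit(packets):
    """Apply border_verdict to each (direction, src, dst) tuple."""
    return [(d, s, t) + border_verdict(d, s, t) for d, s, t in packets]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:8} {:15} -> {:15} {:4} ({})".format(*row))
```
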
7.3 Firewall Configuration
Enterprises using private address space should consider the following factors in their security architecture:
- Firewall rules should explicitly handle private address space
- NAT devices should be considered part of the security perimeter
- Appropriate logging and monitoring should be implemented
7.4 DNS Security
If not properly configured, private addresses may leak into public DNS, resulting in:
- Information disclosure
- Potential DNS cache poisoning attacks
- Misconfiguration and connectivity issues
Therefore, DNS configuration must be carefully managed to prevent private address information leakage.
7.5 Internal Threats
Private address space does not provide protection against internal threats. Enterprises still need to implement appropriate internal security controls, such as Access Control Lists (ACLs), authentication, and authorization mechanisms.