|
> Do you agree, and if so, do you know that this has ever happened in a residential setting? I agree, apart from the claim that the home network is necessarily in a private range. For one, it's not technically necessary, you can use NAT with globally unique and globally routable addresses on the "internal" side. Obviously, people rarely do that with IPv4, but those people who promote the idea that NAT is somehow a security mechanism also use that claim to promote the idea that either IPv6 is bad because it doesn't use NAT, or that you possibly should use NAT with IPv6 ... which is where these misconceptions lead to some pretty crazy results. > Or do you mean an adversary who is or who compromises the ISP, possibly by tapping into the coax/fiber/etc in the last mile or by pwning the related nodes? Well, those are obviously attack vectors, and certainly not ones you should ignore, given how often there are all kinds of vulnerabilities being found in network equipment, including but not limited to the regular hard-coded passwords in Cisco equipment. But, yes, there absolutely have even been publicly known cases of where this kind of access would have been possible, from ISPs that forgot to disable RIP on the customer-facing side of their routers, thus propagating some customer's RFC1918 routes into their access network (obviously kindof a configuration fuckup on that customer's side as well) to other ISPs that put multiple customers into a common ethernet segment/VLAN, so you could talk to your neighbour's router's WAN interface if you were a customer of the same ISP. In any case, if you are responsible for the security of your network, your security boundary most definitely should be in your router, not somewhere in the ISP's network, where nothing of that sort is even legally guaranteed. |