Failure modes: NAT vs SPI

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Feb 7 16:43:44 UTC 2011


On Mon, 07 Feb 2011 11:15:51 EST, Jay Ashworth said:
> > From: "Iljitsch van Beijnum" <iljitsch at muada.com>
> > This is of course a very big problem, and one of the reasons why
> > everyone who's tried IPv6 immediately turns it off again: script
> > kiddies are continuously scanning the entire IPv6 address space so
> > this happens to regular IPv6 users all the time.
> 
> I'm sure it's clear to you that "no one's doing it now" is not a valid
> response to prophylactic secure network planning...

Iljitsch's claim is that enough script kiddies *are* doing it now that people's
routers crash and they turn off IPv6, not that "people are so scared of it they
panic and turn it off before they see if it's a problem".

For what it's worth, I've never seen an IPv6 scan cause a problem for our
network.  Not saying that such a scan *wouldn't* cause a problem, but the fact
we've been doing it for over a decade and not seen a big problem seems to go
counter to "everyone who turns on IPv6 gets hit by it".
