NIST IPv6 document
Joe Greco
jgreco at ns.sol.net
Thu Jan 6 05:17:58 UTC 2011
> > It has nothing to do with "security by obscurity".
>
> You may wish to re-read what Joe was saying - he was positing sparse addres=
> sing as a positive good because it will supposedly make it more difficult f=
> or attackers to locate endpoints in the first place, i.e., security through=
> obscurity. I think that's an invalid argument.
That's not necessarily security through obscurity. A client that just
picks a random(*) address in the /64 and sits on it forever could be
reasonably argued to be doing a form of security through obscurity.
However, that's not the only potential use! A client that initiates
each new outbound connection from a different IP address is doing
something Really Good.
It may help to think of your Internet address plus port number as
being just a single quantity in some senses. As it stands with IPv4,
when you "see" packets from 12.34.56.78, you pretty much know there's
a host or something interesting probably living there. You can then
try to probe one of ~64K ports, or better yet, all of them, and you
have a good chance of finding something of interest. If you have
potentially 80 bits of space to probe (16 bits of ports on each of
64 bits of address), you're making a hell of a jump.
If you don't understand the value of such an increase in magnitude,
I invite you to switch all your ssh keys to 56 bit.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
More information about the NANOG
mailing list