NIST IPv6 document

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Jan 6 16:28:56 UTC 2011


On Thu, 06 Jan 2011 07:50:17 GMT, "Dobbins, Roland" said:
> In my view, an IPv6 Internet is considerably less secure, and inherently less
> securable, than the present horribly insecure and barely securable IPv4
> Internet;

Playing devil's advocate for a moment...

Even if an IPv6 network is 10 times as insecure as a similarly configured IPv4
network, they are both as dust motes in a tornado given the incredibly insecure
state of most endpoints on the network.  Last I looked, there's a lot less
scanning of subnets looking for probably-firewalled-by-default-anyhow systems
because it's just so much easier to to whack the systems in a drive-by attack
when the system visits a compromised web page...

And the "ZOMG they can overflow the ARP/ND/whatever table" is a total red
herring - you know damned well that if a script kiddie with a 10K node botnet
wants to hose down your network, you're going to be looking at a DDoS, and it
really doesn't matter whether it's SYN packets, or ND traffic, or forged ICMP
echo-reply mobygrams.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20110106/3367dd89/attachment.sig>


More information about the NANOG mailing list