NIST IPv6 document

Owen DeLong owen at delong.com
Fri Jan 7 02:10:33 UTC 2011


On Jan 6, 2011, at 3:32 PM, Dobbins, Roland wrote:

> 
> On Jan 7, 2011, at 1:20 AM, Owen DeLong wrote:
> 
>> You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.
> 
> I know it's common and widely-practiced.  My point is that if the host is security properly, this doesn't matter; and that if it isn't secured properly, it's going to be found via hinted scanning and exploited, anyways.
> 
True, but, that doesn't really matter. Sparse addressing still provides other useful benefits.

>> And there are ways to mitigate ND attacks as well.
> 
> As has been pointed out elsewhere in this thread, not to the degree of control and certainty needed in production environments.
> 
We can agree to disagree here until I see a production environment get taken down by a scan.

So far, we've not had a problem with any of the IPv6 scans through our network. All have given up in <8 hours without
having caused any sort of ND table overflow issues.

>> Sparse addressing is a win for much more than just rendering scanning useless, but, making scanning useless is still a win.
> 
> 
> Since it doesn't make scanning useless (again, hinted scanning), that 'win' is gone.  How else is it supposedly a win?
> 
Not having to worry about room to grow without renumbering is a good thing.
I've posted other advantages in an earlier message.

It does make sequential scanning useless and it does make even hinted scanning a bit more difficult or
less effective.

Think of the difference between playing battleship as it is traditionally played on a simple X, Y grid
vs. playing it on a playing field where the ships have 180 different possible orientations (1 per degree
instead of 0º and 90º only)

Once you get a hit, you need a maximum of 4 additional attempts to identify the orientation of the
ship and 50%+ of the time you can get it in ≤2 additional attempts. With a 360º board, this becomes
quite a bit more difficult.

Sparse addressing does this even against hinted scanning.

Owen





More information about the NANOG mailing list