European ISP enables IPv6 for all?

Mohacsi Janos mohacsi at niif.hu
Wed Dec 19 16:26:04 UTC 2007




On Wed, 19 Dec 2007, Iljitsch van Beijnum wrote:

>
> On 19 dec 2007, at 16:16, Jay R. Ashworth wrote:
>
>>> I'd say that the huge address space makes life impossible for scanning
>>> worms.
>
>>> That doesn't mean that there can be no successful scanning at all with
>>> IPv6, but it needs to be highly targeted if you want results the same
>>> year, so just pumping random numbers in the destination address field
>>> like SQL slammer did so successfully doesn't cut it in IPv6.
>
>> Just so we're all thinking about it; the issue isn't the size of the
>> address space, it's the sparseness of populated addresses.  That won't
>> *necessarily* always be true.
>
> Well, if you can scan the whole space (at 15 kpps 80 hours for the entire 
> IPv4 space although with random generation it's going to take longer than 
> that) sparseness isn't a huge issue. If you can't scan the whole space (at 15 
> kpps 7.1 x 10^26 years for the entire IPv6 space) then sparseness becomes a 
> consideration. But I still don't see how random scanning is going to do you 
> much good: either so few IPv6 hosts are vulnerable that scanning for them 
> isn't worth the time, or so many that if you can scrape some IPv6 addresses 
> from the web you can infect those and they'll infect all the networks they 
> connect to (scanning a LAN locally is easy).


Agreed. LAN scanning is bigger problem. I usually emphasize this point in 
my IPv6 security presentations: If you can compromise a single system -> 
You are inside! Then LAN scanning is possible. Thus security of the 
systems and applications will become more important in the future!

Best Regards,

Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F  4300 6F64 7B00 70EF 9882




More information about the NANOG mailing list