Assigning IPv6 /48's to CPE's?

James Hess mysidia at gmail.com
Sat Jan 5 05:04:24 UTC 2008


On Jan 4, 2008 6:02 PM, Rick Astley <jnanog at gmail.com> wrote:

> I know large mostly unused pools of client IP's make it more difficult to
> use traditional worm propagation methods in IPv6[1], but if customers move
> from IPv4 "firewalls" to IPv6 "routers", we still lose an important layer of
> security.

Seems like an understatement. IPv6 addressing doesn't merely make them more difficult; it makes traditional propagation methods and attack techniques that rely on 'scanning' a network from outside impossible to execute.

If every subnet (end site) has a /64, and you can guess 16 of those bits (say most networks set the top 16 bits to zero and generate the rest using a true random number generator, for security's sake), there are so many IPs that random scanning has a probability of finding hosts so small, it is negligible....

It would take 9 years to probe 10% of the addresses of a single end site, assuming you can scan 100,000 IPs per second.


If the host id is sufficiently random or opaque to the outside world, then this is every bit as good as a well chosen password; it is essentially private, except to nodes on the local subnet (who can monitor and ping multicast addresses).


I don't believe a worm can effectively propagate and spend 10 years trying to find the IP address of the one or two computers at site X before moving to site Z that has 4 computers in a /64 somewhere...
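The scanning arithmetic from the two paragraphs above, worked through as an added example (this is not code from the original mail). It takes the post's assumptions as given: 16 of the 64 host bits are guessable, the remaining 48 come from a strong RNG, and the scanner probes 100,000 addresses per second; the /64 prefix is a constructed documentation-range value. It also generalizes to the probability of hitting any of n live hosts after a given number of probes, which covers the "4 computers in a /64" case.

```python
import ipaddress
import math
import secrets

# Assumptions taken from the post: the top 16 bits of the 64-bit host part are
# guessable (set to zero) and the attacker can probe 100,000 addresses per second.
KNOWN_BITS = 16
RATE = 100_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Constructed documentation-range prefix standing in for one end site's /64.
PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1::/64")


def search_space(known_bits=KNOWN_BITS):
    """Candidate addresses left in a /64 once `known_bits` of the host part are guessed."""
    return 2 ** (64 - known_bits)


def years_to_probe(fraction, rate=RATE, known_bits=KNOWN_BITS):
    """Years needed to probe `fraction` of the remaining space at `rate` probes/s."""
    return fraction * search_space(known_bits) / rate / SECONDS_PER_YEAR


def expected_probes_to_first_hit(live_hosts, known_bits=KNOWN_BITS):
    """Expected number of distinct guesses before the first live host turns up: (N+1)/(n+1)."""
    return (search_space(known_bits) + 1) / (live_hosts + 1)


def hit_probability(live_hosts, probes, known_bits=KNOWN_BITS):
    """Probability that `probes` random guesses find at least one of `live_hosts` hosts.

    For probes << N the draws are effectively independent, so P(miss all) ~ (1 - probes/N)^n;
    log1p/expm1 keep precision when probes/N is tiny.
    """
    n = search_space(known_bits)
    return -math.expm1(live_hosts * math.log1p(-probes / n))


def random_host_address(prefix=PREFIX, known_bits=KNOWN_BITS):
    """Build an address the way the post describes: top `known_bits` of the host part
    zero, the remaining bits drawn from a cryptographically strong RNG."""
    iid = secrets.randbits(64 - known_bits)
    return ipaddress.IPv6Address(int(prefix.network_address) + iid)


if __name__ == "__main__":
    print(f"probing 10% of one /64 takes {years_to_probe(0.10):.1f} years")
    nine_years = int(RATE * SECONDS_PER_YEAR * 9)
    print(f"chance of hitting one of 4 hosts after 9 years: {hit_probability(4, nine_years):.1%}")
    print(f"example address: {random_host_address()}")
```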



A worm that has to connect to a remote machine would definitely have to
discern the IP through some method other than brute force scanning.

Such as a clean system contacting an infected system to make a request (e.g. downloading a webpage), at which time the infected system stores the requestor's IP in a database to probe later.


On the other hand, an IPv6 host could in theory bind a new IP address for each group of web requests, not attach any listeners to that IP, and make that IP cease to exist after the web requests complete.

Since the /64 is so large... this essentially accomplishes what NAT does for IPv4 users... the IP address is private, by virtue of the fact that the host's primary interface address cannot be guessed.

Even if it is guessed, firewall rules may block traffic from the probing address long before they get close to randomly hitting a live IP :)

--
-J
