just seen my first IPv6 network abuse scan, is this the start for more?

Leo Bicknell bicknell at ufp.org
Fri Sep 3 20:49:51 UTC 2010

In a message written on Fri, Sep 03, 2010 at 04:33:23PM -0400, Deepak Jain wrote:
> Moreover, when every enterprise has a /48 or better, network admins are going to need to be able to track down machines/devices/ear pieces/what have you on a better basis then trapping them when they speak up. There is a huge potential for sleepers in IPv6 space that we don't see any more in IPv4 (because the tools are better). Eventually someone will find an approach to do this kind of surveying and then make it cheap enough everyone can do it. (how often do security-admins use NMAP/Nessus/what have you to survey their own space -- an IPv6 analog will *need* to be created eventually).

If you are the network admin, walking the L2 devices MAC tables and
comparing with the L3 devices ARP/ND/whatever tables is likely more
efficient for sparse address space.

Also keep in mind, IPv6 devices will often have multiple addresses,
and may move addresses quite regularly.  For instance, I use "privacy"
or "temporary" addresses, my machine hops to a new IPv6 address
every 10 minutes.  A scan will likely be out of date before it
completes for these sorts of addresses.

       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100903/cc567044/attachment.sig>

More information about the NANOG mailing list