NIST IPv6 document

Dobbins, Roland rdobbins at arbor.net
Wed Jan 5 09:39:32 UTC 2011


On Jan 5, 2011, at 1:15 PM, Jeff Wheeler wrote:

> I notice that this document, in its nearly 200 pages, makes only casual mention of ARP/NDP table overflow attacks, which may be among
> the first real DoS challenges production IPv6 networks, and equipment vendors, have to resolve.

They also only make small mention of DNS- and broadcast-hinted scanning, and none at all of routing-hinted scanning.

> It has been pointed out to me that I should have been more vocal when IPv6 was still called IPng, but in 16 years, there has been nothing done
> about this problem other than water-cooler talk. 

Likewise.  I never in my wildest dreams thought that such a bag of hurt, with all the problems of IPv4 *plus* its own inherent problems - in *hex*, no less - would end up being adopted.  I was sure that the adults would step in, at some point, and get things back on a more sensible footing.

Obviously, I'm the biggest idiot on the Internet, and have only my own misplaced faith in the IAB/IETF process to blame, heh.

The authors of the document also make only small mention of the dangers of extension header-driven DoS for infrastructure, but at least they mention it, which puts them ahead of most folks in this regard.

They also fail to mention the dangers represented by the consonance of the English letters 'B', 'C', 'D', and 'E'.  My guess is that billions of USD in outages, misconfigurations, and avoidable security incidents will result from verbal miscommunication of these letters, yet another reason why adopting a hexadecimal numbering scheme was foolish in the extreme.  Ah, well, no use crying over spilt milk.

The document itself is a good tutorial on IPv6, and it's great that the authors did indeed touch upon these security concerns, but the security aspect as a whole is seemingly deliberately understated, which does a disservice to the lay reader.  One can only imagine that there were non-technical considerations which came into play.

------------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.

			  -- Alan Kay
