NIST IPv6 document
jgreco at ns.sol.net
Wed Jan 5 19:57:28 CST 2011
> > This is a much smaller issue with IPv4 ARP, because routers generally
> > have very generous hardware ARP tables in comparison to the typical
> > size of an IPv4 subnet.
> no it isn't, if you've ever had your juniper router become unavailable
> because the arp policer caused it to start ignoring updates, or seen
> systems become unavailable due to an arp storm you'd know that you can
> abuse arp on a rather small subnet.
It may also be worth noting that "typical size of an IPv4 subnet" is
a bit of a red herring; a v4 router that's responsible for /16 of
directly attached /24's is still able to run into some serious issues.
What's more important is the rate at which scanning can occur, which
is largely a function of (for a remote attacker) speed of connection
to an upstream; this problem is getting worse.
A practical lesson is the so-called "Kaminsky DNS vulnerability" (which
Kaminsky didn't actually discover - this issue was known back around
2000, at least, but at the time was deemed impractical to exploit due
to bandwidth and processing limitations). We do need to be aware that
continued increases in the available resources will change the viability
of attacks in the future.
The switch from IPv4 to IPv6 itself is such a change; it renders random
trolling through IP space much less productive. We should not lose sight
of the fact that this is generally a very positive feature; calls for
packing IPv6 space more tightly serve merely to marginalize that win.
We should be figuring out ways to make /64's work optimally, because in
ten years everyone's going to have gigabit Internet links and we're
going to need all the tricks we can muster to make an attacker's job
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
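A small capacity model of the two quantities the post argues about, namely how scan rate scales with the attacker's uplink and how much neighbour-cache load a router on a sparse subnet absorbs; this is an added example, not part of the thread, and the probe size, host counts, cache capacity and hold time are assumed values.

```python
# Added example, not part of the thread: a capacity model for the two
# quantities argued above. All numbers below are assumptions for illustration.

PROBE_BYTES = 84  # assumed wire size of a minimal probe incl. Ethernet framing
SECONDS_PER_YEAR = 365.25 * 86400


def probes_per_second(link_bps: float, probe_bytes: int = PROBE_BYTES) -> float:
    """Probe rate a scanner with an uplink of `link_bps` can sustain."""
    return link_bps / (probe_bytes * 8)


def expected_probes_to_first_hit(address_bits: int, live_hosts: int) -> float:
    """Expected uniform random draws (without replacement) from 2**address_bits
    addresses before the first of `live_hosts` is found: (N + 1) / (k + 1)."""
    if live_hosts <= 0:
        return float("inf")
    return (2 ** address_bits + 1) / (live_hosts + 1)


def expected_seconds_to_first_hit(address_bits: int, live_hosts: int, link_bps: float) -> float:
    """Scan time for a host-bits / host-count / uplink combination."""
    return expected_probes_to_first_hit(address_bits, live_hosts) / probes_per_second(link_bps)


def steady_state_pending_entries(probe_pps: float, pending_seconds: float) -> float:
    """Little's law: INCOMPLETE neighbour-cache entries a router holds while a
    scan of unused addresses hits it at `probe_pps`, each entry lingering for
    `pending_seconds` before it is discarded."""
    return probe_pps * pending_seconds


def seconds_until_cache_full(cache_capacity: int, probe_pps: float, pending_seconds: float):
    """None when the cache never fills (entries expire as fast as they arrive),
    else the time after which new neighbours can no longer be learned."""
    if steady_state_pending_entries(probe_pps, pending_seconds) < cache_capacity:
        return None
    return cache_capacity / probe_pps


if __name__ == "__main__":
    for link in (10e6, 1e9):  # 10 Mbit/s uplink vs the gigabit links anticipated above
        pps = probes_per_second(link)
        v4 = expected_seconds_to_first_hit(8, 50, link)   # /24 with 50 live hosts
        v6 = expected_seconds_to_first_hit(64, 50, link)  # /64 with 50 live hosts
        print(f"{link / 1e6:g} Mbit/s: /24 first hit {v4:.2e} s, /64 first hit "
              f"{v6 / SECONDS_PER_YEAR:.0f} years")
        print("  64k-entry cache with a 3 s hold fills after",
              seconds_until_cache_full(65536, pps, 3.0), "s")
```

The /64 number shows why random trolling stops paying off, while the cache figure shows that the same probe rate still has to be absorbed by the router's neighbour table, which is the capacity-planning concern the post raises.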