NIST IPv6 document

George Bonser gbonser at seven.com
Wed Jan 5 22:16:54 CST 2011


> I've understood the problem for years, thanks, and have commented on it
> in other portions of this thread, as well as in many earlier threads
> around this general set of issues - and it's completely orthogonal to
> this particular discussion.

I suppose what confused me was this:

"
I don't believe that host-/port-scanning is as serious a problem as you
seem to think it is, nor do I think that trying to somehow prevent hosts
from being host-/port-scanned has any material benefit in terms of
security posture, that's our fundamental disagreement.

If I've done what's necessary to secure my hosts/applications,
host-/port-scanning isn't going to find anything to exploit
(overly-aggressive scanning can be a DoS vector, but there are ways to
ameliorate that, too).
"

I thought the entire notion of actually getting to a host was orthogonal
to the discussion as that wasn't the point.  It wasn't about
exploitation of anything on the host, the discussion was about the act
of scanning a network itself being the problem.

If network devices can be degraded simply by scanning the network, it is
going to become *very* commonplace.  But the sets of problems are
different for an end user network vs. a service provider network.  For a
transit link you might disable ND and configure static neighbors which
would inoculate that link from such a neighbor table exhaustion attack.
For an end network, the problems are different.
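As an added illustration (not part of the post or the thread), a small Python model of the neighbor-table exhaustion described above and of the static-neighbor mitigation for a transit link. The cache limit, the documentation prefix, the FIFO eviction policy and the two "peer" addresses are constructed assumptions; real platforms differ in limits and eviction behaviour.

```python
import ipaddress

# Constructed parameters: real caches, limits and eviction policies vary by platform.
CACHE_LIMIT = 1024
LINK = ipaddress.IPv6Network("2001:db8:0:1::/64")   # documentation prefix
PEERS = [LINK[1], LINK[2]]                          # the legitimate routers on the link


class NeighborCache:
    """Static entries plus a bounded FIFO of dynamic entries, each created when
    traffic arrives for an on-link address that is not yet resolved."""

    def __init__(self, limit=CACHE_LIMIT, static=(), nd_enabled=True):
        self.limit = limit
        self.static = set(static)   # operator-configured PERMANENT entries, never evicted
        self.dynamic = []           # REACHABLE or INCOMPLETE entries, oldest first
        self.nd_enabled = nd_enabled

    def forward(self, dst):
        """Return True if dst resolves; False if it is dropped or left INCOMPLETE."""
        if dst in self.static or dst in self.dynamic:
            return True
        if not self.nd_enabled:
            return False            # ND off: unknown on-link dst is dropped, no state kept
        if len(self.dynamic) >= self.limit:
            self.dynamic.pop(0)     # cache full: the oldest entry, possibly a real peer, goes
        self.dynamic.append(dst)    # new INCOMPLETE entry awaiting a reply that never comes
        return False


def sweep(cache, count):
    """Deliver one packet to each of `count` unused host addresses in the /64."""
    for i in range(16, 16 + count):
        cache.forward(LINK[i])


def peers_resolvable(cache):
    return all(cache.forward(p) for p in PEERS)


def compare(sweep_size=2000):
    """Run the same sweep against a normal link and a static-neighbor link with ND disabled."""
    dyn = NeighborCache()
    dyn.dynamic.extend(PEERS)       # peers were resolved normally before the sweep (REACHABLE)
    stat = NeighborCache(static=PEERS, nd_enabled=False)
    sweep(dyn, sweep_size)
    sweep(stat, sweep_size)
    return {"dynamic_peers_ok": peers_resolvable(dyn), "dynamic_entries": len(dyn.dynamic),
            "static_peers_ok": peers_resolvable(stat), "static_entries": len(stat.dynamic)}
```

With a sweep larger than the cache, the dynamically learned peers are evicted by INCOMPLETE entries and stop resolving, while the static-neighbor link keeps its peers and accumulates no state at all.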
