NIST IPv6 document

Jeff Kell jeff-kell at utc.edu
Thu Jan 6 04:21:57 UTC 2011


On 1/5/2011 10:18 PM, Dobbins, Roland wrote:
> This whole focus on sparse addressing is just another way to tout security-by-obscurity.  We already know that security-by-obscurity is a fundamentally-flawed concept, so it doesn't make sense to try and keep rationalizing it in various domain-specific instantiations.

I agree.  It's not the hosts I'm worried about protecting, it's the
potential noise directed at the IPv6 space, intentional/irrational scan
or otherwise generated traffic.

Still, the idea that "nobody will scan a /64" reminds me of the days
when 640K ought to be enough for anybody, 56-bit DES ought to be good
enough to never be cracked, 10 megabits was astoundingly fast, a T1 was
more than enough commodity, and a 300-baud acoustic coupler was a modern
marvel.  I hesitate to write anything off to impossibility, having
witnessed the 8 to 16 to 32 to 64-bit processor progression :)  But
perhaps it's time for Moore to rest and we can make assumptions about
that impossibility.

Scanned or not, IPv6 still presents a "very large" route target.  Given
the transient / spoofed / backscatter / garbage / scan / script kiddie
noise that accidentally lands in my IPv4 space, I shudder to think of
the noise level of the many-orders-of-magnitude-greater IPv6 space.

And the "depth" of infrastructure at which you can decide the traffic is
bogus is much greater with IPv6.  Most will end up on the target network
anyway, no?

Jeff 
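As an added illustration of the two points above (traffic to prefixes you never allocated can be dropped at the edge, while sweep noise inside an allocated /64 only shows up as hits on addresses no host uses), here is a small classifier over flow records. This is example code written for this page, not anything from the thread; the prefixes, host list and flow lines are constructed from the documentation range.

```python
import ipaddress
from collections import defaultdict

# Constructed: the /64s this (hypothetical) network actually announces.
ALLOCATED = [ipaddress.ip_network("2001:db8:1::/64"),
             ipaddress.ip_network("2001:db8:2::/64")]

# Constructed: addresses that really exist inside those /64s
# (in practice: NDP cache, DHCPv6 leases, asset inventory).
KNOWN_HOSTS = {ipaddress.ip_address("2001:db8:1::10"),
               ipaddress.ip_address("2001:db8:1::2a")}

# Constructed flow records, one "src dst" pair per line.
FLOWS = """\
2001:db8:dead::1 2001:db8:1::1
2001:db8:dead::1 2001:db8:1::2
2001:db8:dead::1 2001:db8:1::3
2001:db8:dead::1 2001:db8:1::4
2001:db8:dead::1 2001:db8:9::1
2001:db8:beef::7 2001:db8:1::10
2001:db8:beef::7 2001:db8:1::2a
"""


def classify(flows, allocated, known_hosts):
    """Split flows into edge-droppable bogus traffic and per-source
    hits on unused addresses inside allocated /64s.

    Returns (bogus_count, {src_address: set_of_unused_dst_addresses}).
    """
    bogus = 0
    unused = defaultdict(set)
    for line in flows.splitlines():
        src, dst = line.split()
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(d in net for net in allocated):
            bogus += 1            # no such prefix here: discard at the border
        elif d not in known_hosts:
            unused[s].add(d)      # landed in a real /64, but nobody lives there
    return bogus, unused


def sweepers(unused, threshold=3):
    """Sources that touched at least `threshold` distinct unused addresses."""
    return sorted(str(s) for s, dsts in unused.items() if len(dsts) >= threshold)
```

Running `classify(FLOWS, ALLOCATED, KNOWN_HOSTS)` on the constructed input yields one edge-droppable flow and one source flagged by `sweepers`; a higher threshold is appropriate on real networks where legitimate clients also probe stale addresses.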