NIST IPv6 document

Joe Greco jgreco at ns.sol.net
Wed Jan 5 23:17:58 CST 2011


> > It has nothing to do with "security by obscurity".
> 
> You may wish to re-read what Joe was saying - he was positing sparse addres=
> sing as a positive good because it will supposedly make it more difficult f=
> or attackers to locate endpoints in the first place, i.e., security through=
>  obscurity.  I think that's an invalid argument.

That's not necessarily security through obscurity.  A client that just
picks a random(*) address in the /64 and sits on it forever could be
reasonably argued to be doing a form of security through obscurity.
However, that's not the only potential use!  A client that initiates
each new outbound connection from a different IP address is doing
something Really Good.

It may help to think of your Internet address plus port number as
being just a single quantity in some senses.  As it stands with IPv4,
when you "see" packets from 12.34.56.78, you pretty much know there's
a host or something interesting probably living there.  You can then
try to probe one of ~64K ports, or better yet, all of them, and you
have a good chance of finding something of interest.  If you have
potentially 80 bits of space to probe (16 bits of ports on each of
64 bits of address), you're making a hell of a jump.

If you don't understand the value of such an increase in magnitude,
I invite you to switch all your ssh keys to 56 bit.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list