NIST IPv6 document

Jeff Wheeler jsw at inconcepts.biz
Thu Jan 6 06:22:36 UTC 2011


On Thu, Jan 6, 2011 at 12:54 AM, Joe Greco <jgreco at ns.sol.net> wrote:
> I'm starting off with the assumption that knowledge of the host
> address *might* be something of value.  If it isn't, no harm done.
> If it is, and the address becomes virtually impossible to find, then
> we've just defeated an attack, and it's hard to see that as anything
> but positive.

I'm starting off with the assumption that the layer-3 network needs to
function for the host machines to be useful.  Your position is to just
hand any attacker an "off switch" and let them disable any (LAN |
router, depending on router failure mode) for which they know the
subnet exists, whether or not they know any of its host addresses.

This is a little like spending money on man-traps and security guards,
but running all your fiber through obvious ducts in a public parking
garage.  It may be hard to compromise the hosts, but taking them
offline is trivial.

On Thu, Jan 6, 2011 at 1:01 AM, Kevin Oberman <oberman at es.net> wrote:
> I am amazed at the number of folks who seem to think that there is time to
> change IPv6 in ANY significant way. Indeed, the ship has failed. If your
> network is not well along in getting ready for IPv6, you are probably
> well on your way to being out of business.

There are many things that can change very easily.  Vendors can add
knobs, subnet size can get smaller (it works just fine today, it just
isn't "standard"), and so on.  A TCP session today looks a lot
different than it did in the mid-90s.  Now we have things like SYN
cookies, window scaling, we even went through the "hurry up and
configure TCP MD5 on your BGP just in case."  Fixing this problem by
deploying subnets as a /120 instead of a /64 is a lot easier than any
of those changes to TCP, which all required operating system
modifications on one or both sides.  How many networks honor ICMP
route-record, source routing, or make productive use of redirects (if
they have not outright disabled it)?  How many networks decided to
block all ICMP traffic because some clueless employee told them it was
smart?  CIDR routing?  Do you recall that the TTL field in IP headers
was originally not a remaining-hops-count, but actually, a value in
seconds (hence "Time To Live")?  IPv4, and the things built on top of
it, have evolved tremendously, some, all the way to the host network.

A lot of this evolution took place before it was common to conduct a
credit card transaction over the Internet, at a time when it really
was not mission-critical for most operators.  IPv6 is still not there,
but I agree, we are rapidly approaching that time, and much more than
90% of IPv4 networks have a lot of work to do.  It would be good to
see LANs smaller than /64 accepted sometime before IPv6 does become
widely-deployed to end users.

Or some other practical solution to the problems of huge subnet sizes,
whatever those solutions may be.  My guess is there may be other, very
significant, challenges to having huge LAN subnets.  This is one we
actually know about, but are choosing not to solve.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts