NIST IPv6 document

Joe Greco jgreco at ns.sol.net
Thu Jan 6 00:51:44 CST 2011


> On Jan 6, 2011, at 12:54 PM, Joe Greco wrote:
> 
> > Generally speaking, security professionals prefer for there to be more ro=
> adblocks rather than fewer. =20
> 
> The soi-disant security 'professionals' who espouse layering unnecessary mu=
> ltiple, inefficient, illogical, and iatrogenic roadblocks in preference to =
> expending the time and effort to learn enough about *actual* security (in c=
> ontrast to security theater) to Do Things Right The First Time, aren't wort=
> hy of the title and ought to be ignored, IMHO.
> 
> > If it is, and the address becomes virtually impossible to find, then we'v=
> e just defeated an attack, and it's hard to see that as anything but positi=
> ve.
> 
> If we had some cheese, we could make a ham-and-cheese sandwich, if we had s=
> ome ham.
> 
> ;>
> 
> We must face up to the reality that the endpoint *will be found*, irrespect=
> ive of the relative sparseness or density of the addressing plan.  It will =
> be found via DNS, via narrowing the search scope via examining routing adve=
> rtisements, via narrowing the search scope via perusing whois, via the atta=
> ckers simply throwing more of their near-infinite scanning resources (i.e.,=
>  bots) at these dramatically-reduced search scopes.
> 
> So, the endpoint will be found, no attack will be prevented, and we end up =
> a) wasting wide swathes of address space for no good reason whilst b) makin=
> g the routing/switching infrastructure elements far more vulnerable to DoS =
> by turning them into sinkholes.

That's, simply put, a poor argument.  And here's why.

There are numerous parallels between physical and electronic security.
Let's just concede that for a moment.

You put up a screen door.  I've got a knife.

You put up a wood door.  I've got steel toed boots.

You put up a metal door.  I've got a crowbar.

You put up a bank vault door.  I (can find someone who can get) explosives.

The thing is, it may not make a whole heck of a lot of sense to put a
screen door on a bank's vault, or a vault door on your front screen
porch.  Even so, while you can increase the strength of a particular
countermeasure, maybe it isn't smart to rely entirely on that one
countermeasure, or even two or three countermeasures.

A bank may have an armed guard, a silent alarm, video surveillance,
bulletproof glass, dye packs in the tills, cash in a timelocked vault, 
and all sorts of other countermeasures to address specific areas of 
threat.

Not all countermeasures are going to be effective against every
threat, and there is no requirement that only one countermeasure
be applied towards a given threat.

Further, there's no guarantee that the countermeasures are going to
be properly installed or appropriate to the task - which seems to be
your objection to "soi-disant security 'professionals'" - but on the
other hand, in many cases, they *are* properly installed and well
considered.

To say that "the endpoint *will be found*" is a truism, in the same
way that a bank *will* be robbed.  You're not trying to guarantee that
it will never happen.  You're trying to *deter* the bad guys.  You want
the bad guy to go across the street to the less-well-defended bank
across the street.  You can't be sure that they'll do that.  Someone
who has it out for you and your bank will rob your bank (or end up
in jail or dead or whatever).  But you can scare off the guy who's
just looking to score a few thousand in easy cash.

Making it harder to scan a network *can* and *does* deter certain 
classes of attacks.  That it doesn't prevent every attack isn't a
compelling proof that it doesn't prevent some, and I have to call what
you said a poor argument for that reason.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list