NIST IPv6 document
rdobbins at arbor.net
Thu Jan 6 01:50:17 CST 2011
On Jan 6, 2011, at 1:51 PM, Joe Greco wrote:
> There are numerous parallels between physical and electronic security.
> Let's just concede that for a moment.
I can't, and here's why:
1. In the physical world, attackers run a substantial risk of being caught, and of tangible, severe penalties if that eventuality comes to pass; in the online world, the risk of being caught is nil.
2. In the physical world, attackers have a limited number and variety of resources they can bring to bear; in the online world, the attackers have near-infinite resources, for all practical purposes.
3. In the physical world, the attackers generally don't posses the ability nor the desire to bring the whole neighborhood crashing down around the ears of the defenders; in the online world, they almost always have the ability, and often the desire, to do just that.
> Making it harder to scan a network *can* and *does* deter certain classes of attacks.
But as I've tried to make clear, a) I don't believe that sparse addressing does in fact make it harder to scan the network, due to hinted scanning via DNS/routing/whois/ND/multicast, b) I believe that pushing the attackers towards hinted scanning will have severe second-order deleterious effects on DNS/network infrastructure/whois, resulting in an overall loss in terms of security posture, and c) I don't believe that attackers will cease pseudo-randomized scanning, and d) I believe that in fact they will throw vastly more resources at both hinted and pseudo-randomized scanning, that they have near-infinite resources at their disposal (with an ever-expanding pool of potential resources to harness), and that the resultant increase in scanning activity will also have severely deleterious second-order effects on the security posture of the Internet as a whole.
In short, I'm starting from a substantially different, far more pessimistic set of base premises, and therefore draw a far more negative set of resulting inferences.
I don't believe the sky is falling; I believe it's already fallen, and that we're just now starting to come to grips with some of the ramifications of its fall.
In my view, an IPv6 Internet is considerably less secure, and inherently less securable, than the present horribly insecure and barely securable IPv4 Internet; furthermore, I believe that many of the supposed 'security' measures being touted for IPv6 are at best placebos, and at worst are iatrogenic in nature.
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.
-- Alan Kay
More information about the NANOG