NIST IPv6 document

Joe Greco jgreco at ns.sol.net
Thu Jan 6 08:29:10 CST 2011


> On Jan 6, 2011, at 2:03 PM, Matthew Petach wrote:
> > I think what people are trying to say is that it doesn't matter whether o=
> r not your host is easily findable or not, if I can trivially take out your
> > upstream router.

A good reason to see if there's a way to solve that (which there
is, I'm sure).

> That's part of it - the other part is that the host will be found, irrespec=
> tive of attempts to 'hide' it.

Sorry, but I see this as not grasping a fundamental security
concept.

You're not trying for DHS/TSA-style all-threats-always-prevented
threat elimination.  How many times do we have to learn that this
isn't a practical goal?  You want to make things more difficult for
an attacker while providing usability for authorized users.

Making a host harder to find (or more specifically to address from
remote) is a worthwhile goal.  Learn from history.  Ten years ago,
we *knew* DNS was "weak" due to the ultimate reliance on the 
transaction ID.  There weren't enough bits there to protect a DNS
server against certain types of attacks but that were deemed to
be impractical at the time; time passes, cpu's got faster, upstream
connections got faster, and suddenly some guy "discovers" that he 
can get a DNS server to do bad things if he floods it.  So now our
best current practices now have us using more bits, in the form of
random source ports, to help out there.  Even that's not a 
comprehensive fix - definitely won't be in another 20 years, when
bandwidth, cpu, and pps rates have all seen a factor of 10000 
increase again - but it's helpful for the time being.

Things like 4941 take that a lot further, and provide enough bits to
make both range scanning and scanning via learned addresses less
useful techniques.  The fact that you might be able to find a host
somehow anyways doesn't lessen the value of making it harder for an
attacker to find that host to begin with.  This is basic security,
whether or not you approve of it.  You're trying to make it harder
for bad guys.

There are lots of security techniques that I don't like, too, or may
disapprove of for one reason or another.  NAT anyone?  :-) 

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list