NIST IPv6 document

Joe Greco jgreco at ns.sol.net
Thu Jan 6 16:44:18 UTC 2011


> On Jan 6, 2011, at 1:51 PM, Joe Greco wrote:
> > There are numerous parallels between physical and electronic security.
> > Let's just concede that for a moment.
> 
> I can't, and here's why:
> 
> 1.	In the physical world, attackers run a substantial risk of being caught,
> and of tangible, severe penalties if that eventuality comes to pass; in the
> online world, the risk of being caught is nil.

That's not true, and we see examples of it happening periodically.

> 2.	In the physical world, attackers have a limited number and variety of
> resources they can bring to bear; in the online world, the attackers have
> near-infinite resources, for all practical purposes.

No, they don't.  They have a different set of resources.  They may be able
to fill your transit connections, but they probably cannot cause your line 
cards to start on fire, or your switches to come unscrewed from the rack,
things that real-world attackers can do.  In the physical world, attackers
have a near-infinite selection of attacks.  If I really want into your house,
for example, I can get there.  It might be by breaking through a door, or by
smashing a window, or (my favorite) by taking my Sawzall and a demolition bit
and putting a hole through your wall.  I can convince your kids that I'm a
policeman and there's a bad man in the house.  I can sleep with your wife and
gain access that way.  We see parallels in the online world, different, but
vulnerable as well.

> 3.	In the physical world, the attackers generally don't possess the ability
> nor the desire to bring the whole neighborhood crashing down around the ears
> of the defenders; in the online world, they almost always have the ability,
> and often the desire, to do just that.

So?  That's a matter of what the goal of the attack is.  In the physical world,
we do indeed have some attackers who possess the ability and desire to bring
whole neighborhoods crashing down; we lost some great real estate about ten
years ago in lower Manhattan due to such nutjobs, and suicide bombers are a
fact of life in some areas of the world.  Electronic attacks are more likely 
to result in electronic "crashing down" for a variety of reasons, one of which 
is that overwhelming things electronically is fairly easy and effective, but
the flip side to that is that the resulting damage is often just a short-term
outage (PayPal, Mastercard, etc., all seem to be back online after recent
attacks).

The fact that there are some differences between physical and electronic 
security doesn't mean that there aren't also many parallels.  It's probably
hard to permanently destroy electronic infrastructure.  Certain attacks, such
as on the facility (kill the cooling, rapidly toggle the power, etc) might be
effective in that sense.  It's easier to destroy stuff during a physical 
attack.  So that's different, fine.  However, the point of security is still
to try to convince a bad guy to go elsewhere, to find an easier target.  
When he has it out for you, though, it's basically a matter of whether or
not he's willing to do what is necessary.  That concept works for both the
real world and for the online world.

> > Making it harder to scan a network *can* and *does* deter certain classes
> > of attacks.
> 
> But as I've tried to make clear, a) I don't believe that sparse addressing
> does in fact make it harder to scan the network, due to hinted scanning via
> DNS/routing/whois/ND/multicast,

You don't have to believe it.  It certainly doesn't make it harder in all
cases, either.  No amount of randomization will make "www.foobar.com" less
readily identifiable with an AAAA pointing at it.  But there are other use
cases.  Consider, for example, /56 allocations to end users on a service
provider's network.  There'll be no DNS/routing/whois vectors there; there
might be ND/multicast vectors of some sort.  The point is, though, that the
guy with a /56 at the end of a cablemodem will be effectively unscannable
if he's using randomly-selected 4941 IP addresses.  And getting all righteous
about firewall configurations and how he should have a transparent proxying
firewall is fine, I agree, but the *real* world is that when his buddy tells
him that he's having problems running WoW because of the firewall and he can
do ${FOO} to turn it off, he's going to do that, because users are results-
oriented in a way that makes all of us groan.

So what I am looking for now is for you to explain to me how an end-user 
with a /56 (or even a /64!) on a cablemodem is not "harder to scan".

> b) I believe that pushing the attackers towards hinted scanning will have
> severe second-order deleterious effects on DNS/network infrastructure/whois,
> resulting in an overall loss in terms of security posture,

I don't buy that.  I believe that things like DNS and whois are natural
candidates for additional layers of application level protection, and that
application level protection scales more readily than things done closer to
the wire.  We're already seeing whois services protected by query-rate limits,
and there's no reason DNS cannot be protected similarly.

> and c) I don't believe that attackers will cease pseudo-randomized scanning,
> and d) I believe that in fact they will throw vastly more resources at both
> hinted and pseudo-randomized scanning, that they have near-infinite resources
> at their disposal (with an ever-expanding pool of potential resources to
> harness), and that the resultant increase in scanning activity will also have
> severely deleterious second-order effects on the security posture of the
> Internet as a whole.

Fair enough.  I see where you're coming from and why you believe that, and
it might even become true.

On the flip side, however, I would point out that attackers have had vastly
more resources made available to them in part *because* IPv4 has been so
easily scanned and abused.  To be sure, a lot of viruses have spread via
e-mail spam and drive-by downloads, and sparse addressing will not prevent
script kiddies from banging away on ssh brute force attacks against 
www.yoursite.com.  But there's been a lot of spread through stupidity as
well.

Further, the sheer magnitude of the task of random scanning means that any
actual random scanning of /64 networks will be ineffective; this leaves us
to discuss ways to minimize the "pseudo" in pseudo-random scanning, and to
see what can be done about hinted scanning.  I think there's room for some
constructive discussion there.

> In short, I'm starting from a substantially different, far more pessimistic
> set of base premises, and therefore draw a far more negative set of resulting
> inferences.

I hope you'll understand that I'm trying to get a feel for all of that.

> I don't believe the sky is falling; I believe it's already fallen, and that
> we're just now starting to come to grips with some of the ramifications of
> its fall.
> 
> In my view, an IPv6 Internet is considerably less secure, and inherently less
> securable, than the present horribly insecure and barely securable IPv4
> Internet; furthermore, I believe that many of the supposed 'security'
> measures being touted for IPv6 are at best placebos, and at worst are
> iatrogenic in nature.

I don't see that.  I see potential issues with ND, for example, but I
don't see the potential for things like 4941 as "considerably less
secure."  Unless you're one of the people who are in favor of running
everything through NAT as a form of "firewall", or things like that.
I understand the desire there, too, though I think it's horribly
broken...

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
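As an added illustration (not code from the post or from the list), a Python sketch of the RFC 4941 temporary-address generation Joe refers to, placed into a /64 as a customer with a /56 would have, alongside the brute-force scan cost he contrasts with IPv4; the MAC address and the 2001:db8::/32 documentation prefix are constructed inputs.

```python
"""RFC 4941 temporary interface identifiers and the cost of brute-force /64 scanning.
Added illustration, not code from the post; MAC and prefix are constructed samples."""
import hashlib
import ipaddress
import os

def modified_eui64(mac: str) -> bytes:
    """RFC 4291 modified EUI-64: insert ff:fe after the OUI and flip the u/l bit."""
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]

def is_reserved_iid(iid: bytes) -> bool:
    """Subset of RFC 5453: subnet-router anycast (all zeros) and the reserved
    subnet-anycast block fdff:ffff:ffff:ff80 - fdff:ffff:ffff:ffff."""
    value = int.from_bytes(iid, "big")
    return value == 0 or 0xFDFF_FFFF_FFFF_FF80 <= value <= 0xFDFF_FFFF_FFFF_FFFF

def temp_iid(history: bytes, stable_iid: bytes) -> tuple:
    """RFC 4941 s.3.2.1: MD5 over history || stable IID; left 64 bits (u/l bit cleared)
    are the temporary IID, right 64 bits the next history; reserved results are retried."""
    while True:
        digest = hashlib.md5(history + stable_iid).digest()
        iid = bytearray(digest[:8])
        iid[0] &= 0xFD                      # clear bit 6: identifier is "local"
        history = digest[8:]
        if not is_reserved_iid(iid):
            return bytes(iid), history

def temp_address(prefix: str, iid: bytes) -> str:
    """Place a 64-bit IID into a /64, e.g. one subnet cut from a customer's /56."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("RFC 4941 identifiers are 64 bits wide; use a /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))

def years_to_scan(address_bits: int, prefixlen: int, probes_per_second: float) -> float:
    """Wall-clock years to enumerate every address of a prefix at a fixed probe rate."""
    return 2 ** (address_bits - prefixlen) / probes_per_second / (365.25 * 86400)

if __name__ == "__main__":
    stable = modified_eui64("00:11:22:33:44:55")      # constructed sample MAC
    history = os.urandom(8)                           # random initial history value
    for _ in range(3):                                # three successive temporary addresses
        iid, history = temp_iid(history, stable)
        print(temp_address("2001:db8:1:2::/64", iid))
    print("IPv4 /0  at 1M probes/s: %.4f years" % years_to_scan(32, 0, 1e6))
    print("IPv6 /64 at 1M probes/s: %.0f years" % years_to_scan(128, 64, 1e6))
```

Each run of the script yields a fresh chain of addresses inside the same /64, which is the property that makes the host unscannable by enumeration while leaving the DNS/ND/multicast hints discussed in the thread untouched.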