NIST IPv6 document

Owen DeLong owen at
Thu Jan 6 20:10:33 CST 2011

On Jan 6, 2011, at 3:32 PM, Dobbins, Roland wrote:

> On Jan 7, 2011, at 1:20 AM, Owen DeLong wrote:
>> You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.
> I know it's common and widely-practiced.  My point is that if the host is security properly, this doesn't matter; and that if it isn't secured properly, it's going to be found via hinted scanning and exploited, anyways.
True, but, that doesn't really matter. Sparse addressing still provides other useful benefits.

>> And there are ways to mitigate ND attacks as well.
> As has been pointed out elsewhere in this thread, not to the degree of control and certainty needed in production environments.
We can agree to disagree here until I see a production environment get taken down by a scan.

So far, we've not had a problem with any of the IPv6 scans through our network. All have given up in <8 hours without
having caused any sort of ND table overflow issues.

>> Sparse addressing is a win for much more than just rendering scanning useless, but, making scanning useless is still a win.
> Since it doesn't make scanning useless (again, hinted scanning), that 'win' is gone.  How else is it supposedly a win?
Not having to worry about room to grow without renumbering is a good thing.
I've posted other advantages in an earlier message.

It does make sequential scanning useless and it does make even hinted scanning a bit more difficult or
less effective.

Think of the difference between playing battleship as it is traditionally played on a simple X, Y grid
vs. playing it on a playing field where the ships have 180 different possible orientations (1 per degree
instead of 0º and 90º only)

Once you get a hit, you need a maximum of 4 additional attempts to identify the orientation of the
ship and 50%+ of the time you can get it in ≤2 additional attempts. With a 360º board, this becomes
quite a bit more difficult.

Sparse addressing does this even against hinted scanning.


More information about the NANOG mailing list