NIST IPv6 document

Joe Greco jgreco at ns.sol.net
Thu Jan 6 20:18:20 CST 2011


> 
> On Jan 5, 2011, at 9:17 PM, Joe Greco wrote:
> 
> >>> It has nothing to do with "security by obscurity".
> >>=20
> >> You may wish to re-read what Joe was saying - he was positing sparse =
> addres=3D
> >> sing as a positive good because it will supposedly make it more =
> difficult f=3D
> >> or attackers to locate endpoints in the first place, i.e., security =
> through=3D
> >> obscurity.  I think that's an invalid argument.
> >=20
> > That's not necessarily security through obscurity.  A client that just
> > picks a random(*) address in the /64 and sits on it forever could be
> > reasonably argued to be doing a form of security through obscurity.
> > However, that's not the only potential use!  A client that initiates
> > each new outbound connection from a different IP address is doing
> > something Really Good.
> >=20
> If hosts start cycling their addresses that frequently, don't you run =
> the risk of that becoming a form of DOS on your router's ND tables?

It could, but given the changes we've seen in the last twenty years, I
have no reason to expect that this won't become practical and commonplace
in IPv6.  I think it is a matter of finding the right enabling 
technologies, and as others have noted, what currently exists for IPv6
isn't necessarily the best-of-breed.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list