NIST IPv6 document

Fri Jan 7 19:44:16 UTC 2011

On Jan 7, 2011, at 6:23 AM, Tim Chown wrote:

> 
> On 6 Jan 2011, at 18:20, Owen DeLong wrote:
> 
>> 
>> On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:
>> 
>>> 
>>> On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
>>> 
>>>> Packing everything densely is an obvious problem with IPv4; we learned early on that having a 48-bit (32 address, 16 port) space to scan made
>>>> port-scanning easy, attractive, productive, and commonplace.
>>> 
>>> I don't believe that host-/port-scanning is as serious a problem as you seem to think it is, nor do I think that trying to somehow prevent host from being host-/port-scanned has any material benefit in terms of security posture, that's our fundamental disagreement.
>>> 
>> You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.
> 
> In our IPv6 enterprise we have not seen any 'traditional' port scans (across IP space), rather we see port sweeps on IPv6 addresses that we expose publicly (DNS servers, web servers, MX servers etc).   This is discussed a bit in RFC5157.
> 
Good for you. We have seen actual host-scanning. It hasn't been particularly successful (firing blind into a very large ocean hoping to hit a whale rarely is), but,
nonetheless, we've seen scans go at it for up to 8 hours before they were terminated by the originator. (Very little of a /64 gets scanned in 8 hours, however).

> We have yet to see any of the ND problems discussed in this thread, mainly I believe because our perimeter firewall blacks any such sweeps before they hit the edge router serving the 'attacked' subnet.
> 
Likewise, we haven't seen them. Not even with the active scanning that has been touted as the likely cause thereof.

> The main operational problem we see is denial of service caused by unintentional IPv6 RAs from hosts.
> 
Yep... Push your switch vendors for RA-Guard. This is a very real problem. Right up there with un-intentional 6to4 gateways that don't
lead anywhere.

Owen