Using IPv6 with prefixes shorter than a /64 on a LAN

Mark Smith nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Tue Jan 25 22:27:38 UTC 2011


On Tue, 25 Jan 2011 16:32:59 -0500
"Ricky Beam" <jfbeam at gmail.com> wrote:

> On Tue, 25 Jan 2011 13:42:29 -0500, Owen DeLong <owen at delong.com> wrote:
> > Seriously? Repetitively sweeping a /64? Let's do the math...
> ...
> 
> We've had this discussion before...
> 
> If the site is using SLAAC, then that 64-bit target is effectively 48 bits.
> And I can make a reasonable guess at 24 of those bits. (esp. if I've seen
> the address of even one of the machines.)
> 

All you're really pointing out is "security" is a relative term.

A lot of these threads devolve into a waste of time because they're
discussing the pros and cons of a single, possible security mechanism
without considering it in context ("possible" because if it ends up
having no or very little security value it isn't really a "security
mechanism" at all). The value of a security mechanism can only be judged
in the context of both what threats it mitigates and whether those
threats are ones that are common and likely in the context it might be
used in. Security is a weakest link problem, so the first thing that
needs to be done is to identify the weakest links, before worrying about
how to fix them.

So what threat are people trying to prevent? Address scanning
is only a means to an end - so what is the "end"? Only once that is
defined can it be worked out whether address scanning is a likely method
attackers will use, and whether then preventing address scanning is an
effective mitigation.

Regards,
Mark.
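The "effectively 48 bits" argument quoted above rests on the structure of modified EUI-64 interface identifiers (RFC 4291): the fixed ff:fe bytes and a vendor OUI remove entropy from a SLAAC address. The following audit helper, added here as an example and not part of the thread, lets an operator check their own hosts' addresses for EUI-64 derived IIDs (candidates for RFC 4941 temporary or RFC 7217 stable-privacy IIDs) and reports how many IID bits an outsider would still have to guess. The sample addresses and the OUI set are constructed for illustration.

```python
import ipaddress

def iid_analysis(addr: str, known_ouis=frozenset()) -> dict:
    """Classify the 64-bit interface identifier (IID) of one IPv6 address.

    A modified EUI-64 IID carries 0xff 0xfe in IID bytes 3-4 and the MAC
    with its universal/local bit flipped. If it is EUI-64, only the 48 MAC
    bits are unknown; if the OUI is one already seen on the LAN, 24 remain.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    result = {"address": addr, "eui64": False, "unknown_bits": 64}
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo U/L flip
        oui = mac[:3].hex(":")
        result.update(eui64=True, mac=mac.hex(":"), oui=oui,
                      unknown_bits=24 if oui in known_ouis else 48)
    return result

def audit(addresses, known_ouis=frozenset()) -> list:
    """Return the subset of addresses whose IID leaks a MAC (EUI-64)."""
    findings = [iid_analysis(a, known_ouis) for a in addresses]
    return [f for f in findings if f["eui64"]]

# Constructed sample: one EUI-64 SLAAC host, one privacy-extension host.
SAMPLE = ["2001:db8:1::21b:21ff:fe0c:1234", "2001:db8:1::5a3e:9c1f:77d2:0b4e"]
SEEN_OUIS = frozenset({"00:1b:21"})  # constructed: vendor OUI already observed

if __name__ == "__main__":
    for f in audit(SAMPLE, SEEN_OUIS):
        print(f"{f['address']}: EUI-64 IID, MAC {f['mac']}, "
              f"{f['unknown_bits']} unknown bits; consider RFC 4941/7217 IIDs")
```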
