Using IPv6 with prefixes shorter than a /64 on a LAN

Jimmy Hess mysidia at
Wed Jan 26 04:17:03 UTC 2011

On Tue, Jan 25, 2011 at 8:29 PM, Roland Dobbins <rdobbins at> wrote:
> On Jan 26, 2011, at 8:12 AM, Fernando Gont wrote:
>> Also, the claim that "IPv6 address scanning is impossible" is generally based on the (incorrect) assumption that host addresses are spread
>> (randomly) over the 64-bit IID. -- But they usually aren't.

> It also doesn't take into account hinted scanning via routing table lookups, whois lookups, and walking reverse DNS, not to mention making use of ND mechanisms once a single box on a given subnet has been successfully botted.

It's not that discovering IPv6 hosts is impossible -- it is just that
there's a very large mathematical obstacle between any brute force
attempt, and the hosts attempting to be discovered, that didn't exist
with IPv4.

It is fair to say in the aggregate that 'scanning is impossible'  with
IPv6,  but host discovery is not impossible.

Exhaustive scanning is what is basically impossible.  Hinted partial
scanning might yield  useful number of guessable host addresses to be
attempted;  that is,  if most networks  wind up using some guessable
IP addresses for possibly vulnerable hosts;   then someone/some where
will find it worth while to attempt  partial scanning of random
announced prefixes;   attempting to guess network IDs, then attempting
to guess lan host IDs.

The bots attempting partial scanning  will have to have a lot of ideas
about what addresses are most likely to be assigned, and some
mechanism of making a "tradeoff"   to decide when to give up on a
certain network and  move on to attempt  'partial scanning'  against
the next prefix.

DNS walking and ND mechanism use  are something different from scanning.
They are also less effective -- would-be intruder has to compromise a
host on LAN before ND can be of any use,  it doesn't help so much in
discovering LAN hosts on other subnets (if say compromised host is in
say a very small IPv6 DMZ isolated from potentially vulnerable hosts
in separated secure networks);    DNS walking is no good against hosts
not listed in DNS.

There are other methods of discovery as well,  but they are not close
in scale or 'ease of use' to what brute-force address space scanning
could easily accomplish with IPv4.


More information about the NANOG mailing list