Using IPv6 with prefixes shorter than a /64 on a LAN

Roland Dobbins rdobbins at arbor.net
Tue Jan 25 22:30:56 CST 2011


On Jan 26, 2011, at 11:17 AM, Jimmy Hess wrote:

> There are other methods of discovery as well, but they are not close in scale or 'ease of use' to what brute-force address space scanning
> could easily accomplish with IPv4.

Most botted hosts today are compromised in the first place via layer-7 exploits, not via scanning and network-based exploits.

Pushing the miscreants in the direction of hinted scanning will further strain already overloaded whois and DNS servers.

And even though iterative scanning is a crapshoot in IPv6, it costs attackers nothing to do it anyway, and so they will.

So, the fact that IPv6 access networks can contain huge numbers of possible endpoint addresses as compared to IPv4 is largely irrelevant, and in fact will have negative consequences with regard to the second-order effects of hinted scanning.

------------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.

  -- Alan Kay