Article: IPv6 host scanning attacks

Karl Auer kauer at biplane.com.au
Wed Jun 13 23:24:09 UTC 2012


On Wed, 2012-06-13 at 15:22 -0500, STARNES, CURTIS wrote:
> I have a slight problem with stating that "Vast IPv6 address space
> actually enables IPv6 attacks".

So do I. Compared to IPv4, scanning IPv6 is much, much harder, and that
is (I think) the most important thing to know.

The analysis was good in that it offered a bit of consideration to the
scanning issue, but...

"Some estimates peg the length of time for a host-scanning attack on a
single IPv6 subnet at 500,000,000 years!"

It's not an estimate. It's an approximation based on scanning a /64
subnet at a thousand probes per second. 18 billion billion (addresses in
one /64) divided by one thousand, divided by 31536000 (the number of
seconds in a year) - works out to about 500,000,000.

>                 - Embed the MAC address;
>                 - Employ low-byte addresses;
>                 - Embed the IPv4 address;
>                 - Use a "wordy" address;
>                 - Use a privacy or temporary address;
>                 - Rely on a transition or coexistence technology.

Why do you not mention DHCP in this list? You do mention it elsewhere.
DHCPv6 will in general supply random addresses. You say that "some"
DHCPv6 servers produce sequential addresses - could you please give an
example? I use Nominum's DCS, which certainly does NOT do this very
foolish thing.

Low-byte addresses are generally going to be on high-value devices,
which will usually be servers (whose existence is thus public knowledge
anyway) or network fabric devices (which will be very solidly protected by
firewalls, generally requiring no access from outside at all, or even
access from most of the inside network either).

Embedded IPv4 addresses are going to be a reducing problem, and in the
scenario you mention, as well as in most other scenarios, again mostly
on machines that have very strong protections from firewalls and their
own packet filters.

Wordy addresses will be an issue for some vanishingly small percentage
of systems, and generally systems that their owners want people to see
(Facebook being a good example). These are generally going to be systems
whose existence is public knowledge anyway.

All transition technologies are a reducing problem. The primary
transition technology - dual stack - has no technology-specific problems
in respect of scanning (except perhaps that the scanner, at least in
theory, gets two bites at the cherry).

I think you are making a minor issue look far bigger than it is. I feel
the privacy issues around SLAAC are far more significant in the real
world than any threat from scanning.

Regards, K.

PS: I still like your RFC about stable privacy addresses.

PPS: There seems to be a diagram missing in the discussion of embedded
MAC addresses, after the word "syntax".



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
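The arithmetic in the post (candidates divided by probes per second divided by 31536000 seconds per year) extended to the address patterns the reply discusses, as an added example; this is not code from the post or from the draft under discussion. The scan-time formula and the 1000 probes/second rate are the post's; the per-pattern candidate counts (24 unknown bits for an EUI-64 address whose OUI the scanner knows, 16 low bits for a low-byte address, an IPv4 address whose /24 is known) and the IID classification rules are my own assumptions, labelled in the comments. The MAC address and prefix in the usage block are constructed samples.

```python
"""Added example (not from the original NANOG post): the scan-time
arithmetic from the post, extended to the address patterns the reply
discusses. The formula is the post's (candidates / probes-per-second /
31536000); every per-pattern candidate count below is an assumption of
mine and is marked as such."""
import ipaddress

SECONDS_PER_YEAR = 31_536_000  # 365 days, the figure used in the post
PROBES_PER_SECOND = 1000       # the scan rate assumed in the post


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    flip the universal/local bit of the first octet and insert 0xFFFE
    between the OUI and the NIC-specific half of the MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host forms by SLAAC without privacy extensions:
    the /64 prefix plus the EUI-64 IID derived from its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


# Candidate IIDs a scanner must try under each pattern. Assumptions (mine):
#   random        - full 64-bit IID space (privacy/temporary, or a DHCPv6
#                   server handing out random addresses)
#   eui64_oui     - MAC-derived IID and the scanner knows the vendor OUI,
#                   leaving the 24 NIC-specific bits unknown
#   low_byte      - IID is ::1, ::2, ... style; only 'bits' low bits vary
#   embedded_ipv4 - IID is the host's IPv4 address and the scanner knows
#                   an IPv4 prefix of 'ipv4_prefixlen' bits
def candidate_space(pattern: str, bits: int = 16, ipv4_prefixlen: int = 24) -> int:
    if pattern == "random":
        return 2 ** 64
    if pattern == "eui64_oui":
        return 2 ** 24
    if pattern == "low_byte":
        return 2 ** bits
    if pattern == "embedded_ipv4":
        return 2 ** (32 - ipv4_prefixlen)
    raise ValueError(f"unknown pattern {pattern!r}")


def scan_seconds(candidates: int, pps: int = PROBES_PER_SECOND) -> float:
    """Worst case: every candidate probed once, at a fixed probe rate."""
    return candidates / pps


def scan_years(candidates: int, pps: int = PROBES_PER_SECOND) -> float:
    return scan_seconds(candidates, pps) / SECONDS_PER_YEAR


def guess_pattern(addr: str) -> str:
    """Heuristic classification of an address's IID. The rules are my
    own, in the spirit of the pattern list the reply quotes."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF == 0xFFFE:      # ff:fe in the middle => EUI-64
        return "embedded MAC (EUI-64)"
    if iid < 2 ** 16:
        return "low-byte"
    if iid < 2 ** 32:
        return "embedded IPv4 (possibly)"
    return "random / other"


if __name__ == "__main__":
    print("full /64 at %d pps: %.0f years"
          % (PROBES_PER_SECOND, scan_years(candidate_space("random"))))
    for p in ("eui64_oui", "low_byte", "embedded_ipv4"):
        n = candidate_space(p)
        print("%-14s %10d candidates  %12.1f seconds" % (p, n, scan_seconds(n)))
    mac = "00:1b:21:ab:cd:ef"             # constructed sample MAC
    a = slaac_address("2001:db8:1:2::/64", mac)  # documentation prefix
    print(a, "->", guess_pattern(str(a)))
```

Running it reproduces the post's figure (about 585 million years for the whole /64) and shows why the patterns in the quoted list matter: under the stated assumptions a known-OUI EUI-64 subnet is exhausted in under five hours at the same probe rate, and a low-byte or known-IPv4-prefix subnet in seconds.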
