(IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Owen DeLong owen at delong.com
Mon Feb 6 23:39:55 UTC 2023


As long as they have a reasonable expiry process, it could work. After all, they’re only collecting addresses to ban at the rate they’re actually being used to send packets.

While that’s not a completely effective throttle, as long as your expiry process can keep up and your TTL doesn’t exceed your ring buffer size, it should be theoretically OK.

Owen


> On Feb 5, 2023, at 02:44, Fernando Gont <fgont at si6networks.com> wrote:
> 
> Hi, All,
> 
> Recently, I happened to participate in an IPv6 deployment meeting with some large content provider, and said meeting included a discussion about how to mitigate some attacks using block-lists. These folks argued that they ban offending IPv6 addresses as /128s, following IPv4 practices.
> 
> So it seemed to me that some of the implications arising from the increased IPv6 address space were non-obvious to them -- that has been the motivation for the publication of this document.
> 
> * TXT: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> * HTML: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html
> 
> Comments welcome!
> 
> P.S.: The document is targeted at the IETF opsec wg (https://www.ietf.org/mailman/listinfo/opsec), but I'll be happy to discuss it on this mailing-list, off-list, or at the opsec wg mailing-list...
> 
> Thanks!
> 
> Regards,
> Fernando
> 
> 
> 
> 
> -------- Forwarded Message --------
> Subject: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt
> Date: Thu, 02 Feb 2023 19:48:40 -0800
> From: internet-drafts at ietf.org
> To: Fernando Gont <fgont at si6networks.com>, Guillermo Gont <ggont at si6networks.com>
> 
> 
> A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
> 
> Name:		draft-gont-opsec-ipv6-addressing
> Revision:	00
> Title:		Implications of IPv6 Addressing on Security Operations
> Document date:	2023-02-02
> Group:		Individual Submission
> Pages:		8
> URL: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/
> Htmlized: https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing
> 
> 
> Abstract:
>   The increased address availability provided by IPv6 has concrete
>   implications on security operations.  This document discusses such
>   implications, and sheds some light on how existing security
>   operations techniques and procedures might need to be modified
>   to accommodate the increased IPv6 address availability.
> 
> 
> 
> 
> The IETF Secretariat
> 
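
Added example, not part of either message or of the draft: a fixed-capacity block-list with a per-entry TTL, run once with /128 bans and once with the same offences aggregated by prefix, to show the condition in the reply above (the expiry process has to free slots before the buffer fills). The capacity, TTL, one-ban-per-second rate, the 2001:db8:0:1::/64 documentation prefix and the choice of /64 as the aggregate are all assumptions made for illustration.

```python
import ipaddress
from collections import OrderedDict

class BlockList:
    """Fixed-capacity ban list with a per-entry TTL; evicts the oldest when full."""

    def __init__(self, capacity, ttl, prefix_len=128):
        self.capacity, self.ttl, self.prefix_len = capacity, ttl, prefix_len
        self.entries = OrderedDict()  # network -> expiry time, oldest first
        self.evicted_live = 0         # bans pushed out before their TTL ran out

    def _key(self, addr):
        # Mask the address down to the configured ban granularity.
        return ipaddress.ip_network(f"{addr}/{self.prefix_len}", strict=False)

    def _expire(self, now):
        # Constant TTL plus insertion order: the oldest entry always expires first.
        while self.entries and next(iter(self.entries.values())) <= now:
            self.entries.popitem(last=False)

    def ban(self, addr, now):
        self._expire(now)
        key = self._key(addr)
        self.entries.pop(key, None)            # a repeat offence refreshes the ban
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # buffer full: a live ban is lost
            self.evicted_live += 1
        self.entries[key] = now + self.ttl

    def is_banned(self, addr, now):
        self._expire(now)
        return self._key(addr) in self.entries

def simulate(prefix_len, bans=300, capacity=100, ttl=300):
    """One ban per second, each for a different address in one /64 (constructed)."""
    bl = BlockList(capacity, ttl, prefix_len)
    base = int(ipaddress.IPv6Address("2001:db8:0:1::"))  # documentation prefix
    addrs = [ipaddress.IPv6Address(base + i + 1) for i in range(bans)]
    for t, addr in enumerate(addrs):
        bl.ban(addr, now=t)
    # (entries held, live bans evicted, is the first offender still banned?)
    return len(bl.entries), bl.evicted_live, bl.is_banned(addrs[0], now=bans - 1)

if __name__ == "__main__":
    print("/128, TTL 300:", simulate(128))
    print("/64,  TTL 300:", simulate(64))
    print("/128, TTL 50: ", simulate(128, ttl=50))
```

With these numbers the /128 list stays inside its buffer only when the ban rate multiplied by the TTL is at most the capacity; the third run shortens the TTL to meet that bound.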


