(IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Fernando Gont fgont at si6networks.com
Tue Feb 7 02:43:39 UTC 2023


Hi, Owen,

On 6/2/23 20:39, Owen DeLong wrote:
> As long as they have a reasonable expiry process, it could work.

What, specifically? Banning /128s?


> After all, they’re only collecting addresses to ban at the rate they’re actually being used to send packets.

Yeah, but the whole point of banning is that the banned address is 
actually used by an attacker subsequently.

In other words, if:

1. The attacker employs one address for malicious purposes
2. You ban that address
3. The attacker changes his/her address and goes back to #1

... you'd be doing yourself a disservice by adding addresses to the 
ban-list. You just pay penalties for no actual gain.


> 
> While that’s not a completely effective throttle, as long as your expiry process can keep up and your TTL doesn’t exceed your ring buffer size, it should be theoretically OK.

Memory is a limited resource. As soon as you consistently use memory 
(iptables-rule slots) to store more and more rules/addresses you'll get no 
benefit from, the attacker is winning....

Thanks!

Regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494


More information about the NANOG mailing list
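The argument in the message above (an attacker rotating its interface identifier inside one /64 while the defender bans individual /128s, burning finite rule slots for no gain) is easy to reproduce in a small simulation. The following is an added example, not code from the thread or from SI6 Networks: a FIFO ban table of fixed capacity, keyed either by /128 or by /64, fed by a constructed attacker that never reuses an address. The /64 used (2001:db8:1:2::/64), the capacity of 256 slots and the multiplicative IID sequence are all assumptions chosen for illustration.

```python
import ipaddress
from collections import OrderedDict


class BanList:
    """Fixed-capacity ban table keyed by a prefix of the offending address.

    prefix_len=128 bans individual addresses; prefix_len=64 bans the whole
    /64 the address came from.  max_entries models the finite number of
    firewall rule slots; when full, the oldest entry is evicted (ring buffer).
    """

    def __init__(self, prefix_len, max_entries):
        self.prefix_len = prefix_len
        self.max_entries = max_entries
        self.entries = OrderedDict()  # network -> True, in insertion order
        self.evictions = 0

    def key(self, addr):
        # Collapse the address to the prefix we ban on (e.g. its /64).
        return ipaddress.IPv6Network((addr, self.prefix_len), strict=False)

    def is_banned(self, addr):
        return self.key(addr) in self.entries

    def ban(self, addr):
        k = self.key(addr)
        if k in self.entries:
            return
        if len(self.entries) >= self.max_entries:
            self.entries.popitem(last=False)  # drop the oldest rule
            self.evictions += 1
        self.entries[k] = True


def rotating_attacker(subnet, count):
    """Constructed attacker: one packet per attempt, each from a fresh /128.

    The IID is (i+1) * odd_constant mod 2^64, a bijection, so no address
    repeats and every one stays inside the given /64 (an assumed prefix).
    """
    net = ipaddress.IPv6Network(subnet)
    for i in range(count):
        iid = ((i + 1) * 0x9E3779B97F4A7C15) & 0xFFFFFFFFFFFFFFFF
        yield net.network_address + iid


def simulate(prefix_len, max_entries, attempts, subnet="2001:db8:1:2::/64"):
    """Run the defender against the rotating attacker.

    For each attempt the defender checks the ban table first; if the source
    is not banned, the malicious packet gets through and the source is then
    banned.  Returns (packets_blocked, final_table_size, evictions).
    """
    table = BanList(prefix_len, max_entries)
    blocked = 0
    for addr in rotating_attacker(subnet, attempts):
        if table.is_banned(addr):
            blocked += 1
            continue
        table.ban(addr)
    return blocked, len(table.entries), table.evictions


if __name__ == "__main__":
    for plen in (128, 64):
        blocked, size, evicted = simulate(plen, 256, 1000)
        print(f"/{plen} bans: blocked={blocked} slots_used={size} evictions={evicted}")
```

With per-/128 bans the attacker is never blocked (every packet arrives from an address that has not been seen), the table fills to capacity and the surplus entries are evicted one by one, so other bans sharing the table get pushed out as well. Keyed by /64, the first packet gets through, one slot is consumed and the remaining 999 attempts are dropped. The trade-off the simulation does not show is collateral damage: a /64 ban also hits any legitimate host sharing that subnet, so in practice the choice of prefix length and expiry should depend on how the address space is delegated.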