(IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

William Herrin bill at herrin.us
Tue Feb 7 03:05:07 UTC 2023

On Mon, Feb 6, 2023 at 6:43 PM Fernando Gont <fgont at si6networks.com> wrote:
> On 6/2/23 20:39, Owen DeLong wrote:
> > After all, they’re only collecting addresses to ban at the rate they’re actually being used to send packets.
> Yeah, but the whole point of banning is that the banned address is
> actually used by an attacker subsequently,

You both have valuable points here. Listen to each other.

On the one hand, sophisticated attackers already scatter attacks
between source addresses to evade protection software. Attackers who
don't have control over their computer's IP address do not. This is
not new and IPv6 does not really change that picture.

On the other hand, there are so many addresses in a /64 that an
attacker can literally use a fresh one for each and every probe he
sends. Without a process for advancing the /128 ban to a /64 ban (and
releasing it once activity stops), reactive firewalls are likely to
become less and less effective.

Bill Herrin

For hire. https://bill.herrin.us/resume/

More information about the NANOG mailing list