(IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Wed Feb 8 01:21:40 UTC 2023

Hi, Daniel,

On 7/2/23 21:20, Daniel Marks via NANOG wrote:
> Anecdotal but I've seen hacked AWS accounts with Cloudformation scripts 
> to create and destroy lots of tiny instances to rotate through IPv4 
> addresses.

As with everything, the question is always "what's the level of effort 
that is required".

If an attacker is given the option to:

1) Hack an AWS account, and then script the creation of through-away VMs 
just to be able to change the IP address each time, or,

2) Stay on the same machine, and be able to (even legitimately) use 
2**64 addresses without even the need to hack any terraform scripts

They will probably go for #2. And aside of their choices, #1 requires 
more skills than #2.

> Being able to rotate through IP addresses is not a new thing, 
> I'm sure we all have networks in mind when we think of garbage/malicious 
> traffic just over IPv4 alone.

The difference is in the scale at which this is possible with IPv6, and 
how high (or low) the bar is to do it.

> There are some strange implementations of IPv6 that end up having a lot 
> of dissociated users grouped together in a /64 (i.e. Linode, AT&T 
> Wireless, etc)

Therein probably lies some good advice .. i.e., that to the extent that 
is possible, folks refrain from sharing the same /64 across 
unrelated/disassociated users.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494