Firewall Wizards mailing list archives

Re: Off topic: Any one know of a good IPV6 reference book?


From: Paul Robertson <proberts () patriot net>
Date: Wed, 30 Jul 2003 20:23:33 -0400 (EDT)

On Wed, 30 Jul 2003, Crispin Cowan wrote:

> > > That would solve a lot of issues for secure networks.

> > I really believe that IP crypto does not actually solve any
> > significant security problem in a compelling or useful manner.

> If every single packet had an authentic source IP address, then DDoS 
> problems would be much easier to manage.

Crypto doesn't solve that problem though - the initial packet still needs 
to come from somewhere, and is spoofable.  Ubiquitous outbound 
anti-spoofing rules would be *much* more effective.  For instance, if 
non-ISP images of IOS had to be configured with "Valid originating network 
addresses," we'd have a darned good start[1].

> Caveat: not to say that IPSec or IPv6 are particularly good or bad ways 
> to get authentic source IP addresses. Just a counterpoint to MJR's claim.

They only help for subsequent packets, not for the initial ones, so floods 
are still possible.  Since v6 doesn't mandate crypto, it's really pretty 
moot.

Also, these days, with the advent of large Botnets, I'm not all that sure 
that not forging the sources makes it all that much more of a bar, and all 
that extra crypto leaves room for new DoS vectors.

Paul
[1] Not to pick on any single vendor, but with their market share, I think 
if we had 75% of their leaf node routers configured thusly, DDoS by 
spoofing would be a done deal, *and* infections would be easier to spot.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
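An added example (not from the thread) of the outbound anti-spoofing rule Paul describes: a leaf-node filter that forwards only packets whose source address lies inside the site's assigned prefixes, and tallies drops per ingress interface so a host emitting forged sources stands out. The prefixes, packets and interface names are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed example: the prefixes this leaf-node site is assigned.
# Anything leaving the site with another source address is forged.
VALID_ORIGIN_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed outbound packets as seen at the site's edge router.
# 'iface' is the internal interface the packet arrived on.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "iface": "eth1"},
    {"src": "203.0.113.77", "dst": "198.51.100.5", "iface": "eth2"},  # forged source
    {"src": "2001:db8:1::25", "dst": "2001:db8:ffff::1", "iface": "eth1"},
    {"src": "10.9.8.7", "dst": "198.51.100.5", "iface": "eth2"},  # forged source
    {"src": "192.0.2.33", "dst": "198.51.100.9", "iface": "eth3"},
]


def is_valid_origin(src, prefixes=VALID_ORIGIN_PREFIXES):
    """Outbound anti-spoofing check: the source must fall inside an assigned prefix.

    Address family mismatches (an IPv6 address against an IPv4 prefix) are
    simply not a match, so mixed v4/v6 prefix lists work as expected.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=VALID_ORIGIN_PREFIXES):
    """Split packets into (forwarded, dropped); dropped ones carry forged sources."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_valid_origin(pkt["src"], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def spoofing_by_interface(dropped):
    """Count dropped packets per ingress interface.

    A forged source says nothing about the sender, but the interface it came
    in on does: an interface with a high drop count points at the infected
    host behind it, which is the 'easier to spot' benefit of egress filtering.
    """
    return dict(Counter(pkt["iface"] for pkt in dropped))


if __name__ == "__main__":
    fwd, drop = filter_outbound(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    print("drops per interface:", spoofing_by_interface(drop))
```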

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards