nanog mailing list archives
Re: Rate of growth on IPv6 not fast enough?
From: Owen DeLong <owen () delong com>
Date: Sun, 25 Apr 2010 06:54:09 -0700
On Apr 24, 2010, at 6:29 PM, Mark Smith wrote:
> On Thu, 22 Apr 2010 22:18:56 -0700 Matthew Kaufman <matthew () matthew at> wrote:
>
>> Owen DeLong wrote:
>>> On Apr 22, 2010, at 5:55 AM, Jim Burwell wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> On 4/22/2010 05:34, Simon Perreault wrote:
>>>>> On 2010-04-22 07:18, William Herrin wrote:
>>>>>> On the other hand, I could swear I've seen a draft where the PC picks up random unused addresses in the lower 64 for each new outbound connection for anonymity purposes.
>>>>>
>>>>> That's probably RFC 4941. It's available in pretty much all operating systems. I don't think there's any IPR issue to be afraid of.
>>>>>
>>>>> Simon
>>>>
>>>> I think this is different. They're talking about using a new IPv6 for each connection. RFC4941 just changes it over time IIRC. IMHO that's still pretty good privacy, at least on par with a NATed IPv4 from the outside perspective, especially if you rotated through temporary IPv6s fairly frequently.
>>>
>>> 4941 specified changing over time as one possibility. It does allow for per flow or any other host based determination of when it needs a new address.
>>>
>>> Owen
>>
>> But none of this does what NAT does for a big enterprise, which is to *hide internal topology*. Yes, addressing the privacy concerns that come from using lower-64-bits-derived-from-MAC-address is required, but it is also necessary (for some organizations) to make it impossible to tell that this host is on the same subnet as that other host, as that would expose information like which host you might want to attack in order to get access to the financial or medical records, as well as whether or not the executive floor is where these interesting website hits came from.
>
> Are you saying that hiding network topology is going to be your only security measure to protect these systems? Yikes!
I doubt that's what he is saying, but, I do think he over-emphasizes the value of obscurity...
> How about
> (a) having them authenticate people who try to use them
> (b) have those people use two factor authentication
> (c) not co-locating them on the same subnet (with a /48 you could give many of your vital hosts their own individual subnet) i.e. fundamentally, don't use subnets as a security domain boundary
> (d) not setting reverse DNS names that give away what the hosts are for
> (e) not providing them with globally routable addresses in the first place
None of these are mutually exclusive with obscurity.
> Obscurity is a cheap and easy first level defence in depth measure. However it'll only fool the stupid and mostly uninterested attacker. Any attacker who's determined will easily bypass this obscurity, via malware, key sniffers, guessable passwords, black bag jobs, threats of violence and bribery.
And, to follow that up, any attacker who would be somehow blocked or even impeded by this obscurity today would be just as effectively blocked by the other measures above (if not more so) without such obscurity. Obscurity is of very limited value to security. If there is a significant cost to it (and there is a significant cost to NAT), then, the value proposition is easily lost.

Owen
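The RFC 4941 mechanism the thread keeps coming back to, as an added example that is not code from any participant in this discussion: the MAC-derived modified EUI-64 identifier that leaks the NIC (and so the host) into every address it autoconfigures, a check that recovers the MAC from such an address, and the RFC 4941 section 3.2.1 generator (MD5 over a history value concatenated with the EUI-64 identifier, left 64 bits become the new identifier, right 64 bits become the next history value) driven either on a schedule or, as Owen notes the RFC permits, once per flow. The MAC and the 2001:db8::/64 prefix are constructed sample values. RFC 4941 has since been obsoleted by RFC 8981, which drops the MD5 construction, so treat this as a model of the mechanism as it stood in 2010, not of what a current stack does.

```python
"""RFC 4941 temporary addresses next to the EUI-64 identifiers they replace.

Added example for the thread above; not code from any participant.
"""
import hashlib
import ipaddress
import os
from typing import Optional

# Constructed sample values for the demonstration (documentation prefix, made-up MAC).
SAMPLE_PREFIX = "2001:db8:1:2::"
SAMPLE_MAC = "00:1b:21:3c:4d:5e"


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 Appendix A).

    0xff 0xfe is inserted between the OUI and the device part, and the
    universal/local bit (bit 6 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the address carries a modified EUI-64 IID, else None.

    This is the privacy leak under discussion: the lower 64 bits of an
    EUI-64-derived address name the NIC, so the same host is recognisable
    in every prefix it ever uses.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def is_reserved_iid(iid: bytes) -> bool:
    """Interface identifiers reserved by RFC 5453; RFC 4941 must not generate them."""
    v = int.from_bytes(iid, "big")
    return (
        v == 0                                              # subnet-router anycast
        or 0xFDFFFFFFFFFFFF80 <= v <= 0xFDFFFFFFFFFFFFFF    # reserved subnet anycast
        or 0x02005EFFFE000000 <= v <= 0x02005EFFFEFFFFFF    # IANA EUI-64 block
    )


class TemporaryAddressGenerator:
    """Randomised interface identifiers per RFC 4941 section 3.2.1.

    Each step hashes (history || stable EUI-64 IID) with MD5; the left 64 bits
    become the new IID with the u/g bit cleared, the right 64 bits become the
    history value for the next step.  The stable identifier only seeds the
    chain and never appears in a generated address.
    """

    def __init__(self, mac: str, history: Optional[bytes] = None) -> None:
        self.stable_iid = eui64_iid(mac)
        # RFC 4941 initialises the history value with a random 64-bit number;
        # a caller may pass one in to get a reproducible sequence.
        self.history = history if history is not None else os.urandom(8)

    def next_iid(self) -> bytes:
        while True:
            digest = hashlib.md5(self.history + self.stable_iid,
                                 usedforsecurity=False).digest()
            iid = bytearray(digest[:8])
            iid[0] &= 0xFD          # clear bit 6: locally administered, not a real EUI-64
            self.history = digest[8:]
            if not is_reserved_iid(bytes(iid)):
                return bytes(iid)

    def next_address(self, prefix: str) -> str:
        net = ipaddress.IPv6Network(f"{prefix}/64", strict=False)
        return str(ipaddress.IPv6Address(net.network_address.packed[:8] + self.next_iid()))


def addresses_for_flows(mac: str, prefix: str, flows) -> dict:
    """One fresh temporary address per outbound flow: the per-flow policy the
    thread mentions, instead of the usual change-every-N-hours schedule."""
    gen = TemporaryAddressGenerator(mac)
    return {flow: gen.next_address(prefix) for flow in flows}


if __name__ == "__main__":
    net = ipaddress.IPv6Network(SAMPLE_PREFIX + "/64")
    stable = ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(SAMPLE_MAC))
    print("EUI-64 address:", stable, "-> MAC", mac_from_address(str(stable)))
    sample_flows = ["https:www.example.net", "imap:mail", "ssh:bastion"]
    for flow, addr in addresses_for_flows(SAMPLE_MAC, SAMPLE_PREFIX, sample_flows).items():
        print(f"{flow:24} {addr}  MAC recoverable: {mac_from_address(addr)}")
```

Note that what this buys is exactly what the thread says it buys: an observer can no longer read the NIC out of the address or correlate the host across prefixes, but every temporary address still sits inside the same /64, so the subnet (and whatever topology the prefix plan encodes) is as visible as before; that is the part Matthew Kaufman is pointing at, and the part the (c)-style "one subnet per vital host" plan addresses.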