nanog mailing list archives
Re: Using IPv6 with prefixes shorter than a /64 on a LAN
From: Mark Smith <nanog () 85d5b20a518b8f6864949bd940457dc124746ddc nosense org>
Date: Wed, 26 Jan 2011 08:57:38 +1030
On Tue, 25 Jan 2011 16:32:59 -0500 "Ricky Beam" <jfbeam () gmail com> wrote:
On Tue, 25 Jan 2011 13:42:29 -0500, Owen DeLong <owen () delong com> wrote:Seriously? Repetitively sweeping a /64? Let's do the math...... We've had this discussion before... If the site is using SLAAC, then that 64bit target is effectively 48bits. And I can make a reasonable guess at 24 of those bits. (esp. if I've seen the address of even one of the machines.)
All you're really pointing out is "security" is a relative term. A lot of these threads devolve in to a waste of time because they're discussing the pros and cons of a single, possible security mechanism without considering it in context ("possible" because if it ends up having no or very little security value it isn't really a "security mechanism" at all). The value of a security mechanism can only be judged in the context of both what threats they mitigate and whether those threats are ones that are common and likely in the context they might be used in. Security is a weakest link problem, so the first thing that needs to be done is to identify the weakest links, before worrying about how to fix them. So what threat are people trying to prevent? Address scanning is only a means to an end - so what is the "end"? Only once that is defined can it be worked out whether address scanning is a likely method attackers will use, and whether then preventing address scanning is an effective mitigation. Regards, Mark.
Current thread:
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN, (continued)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Douglas Otis (Jan 26)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Fernando Gont (Jan 26)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Ray Soucy (Jan 24)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Michael Loftis (Jan 24)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Patrick Sumby (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Jack Bates (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Roland Dobbins (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Owen DeLong (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Ricky Beam (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Randy Carpenter (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Mark Smith (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Michael Loftis (Jan 24)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Adrian Chadd (Jan 25)
- RE: Using IPv6 with prefixes shorter than a /64 on a LAN George Bonser (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Owen DeLong (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Roland Dobbins (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Mark Smith (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Roland Dobbins (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Mark Smith (Jan 25)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Owen DeLong (Jan 26)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN Karl Auer (Jan 26)
- Re: Using IPv6 with prefixes shorter than a /64 on a LAN eric clark (Jan 31)