nanog mailing list archives
Re: NIST IPv6 document
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 6 Jan 2011 04:26:12 +0000
On Jan 6, 2011, at 11:16 AM, George Bonser wrote:
> I thought the entire notion of actually getting to a host was orthogonal to the discussion as that wasn't the point. It wasn't about exploitation of anything on the host, the discussion was about the act of scanning a network itself being the problem.
That's a separate sub-thread. Joe was specifically talking about sparse addressing as a way to keep the attackers from finding end-hosts. My view is that a) nothing will keep the attackers from finding the end-hosts, b) they'll scan, anyways, c) they'd do hinted scanning (DNS/whois/routing tables) which will have its own negative second-order effects, and therefore d) the scanning issue in terms of endpoint security is a red herring.
> If network devices can be degraded simply by scanning the network, it is going to become *very* commonplace.
They already can be, and it's going to become more commonplace as a DoS attack vector, concur w/you 100%.
> But the sets of problems are different for an end user network vs. a service provider network. For a transit link you might disable ND and configure static neighbors which would inoculate that link from such a neighbor table exhaustion attack.
If you're using /64s for your p2p links, the router's still been turned into a sinkhole, though.
> For an end network, the problems are different.
Concur again.

------------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.

-- Alan Kay
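
A toy model of the two points made in this exchange, added here as an illustration and not taken from the thread: with ND enabled, a sweep of unused addresses fills a bounded neighbor table, while static neighbors protect the table but the router still receives and discards every packet aimed at the /64. The prefix, table size and all names are assumptions; timers and entry eviction are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

LINK = ipaddress.IPv6Network("2001:db8:0:1::/64")  # documentation prefix, constructed
PEER = LINK[2]                                     # the one real neighbor on the link
CACHE_LIMIT = 512                                  # assumed table size, not a vendor figure


@dataclass
class Router:
    nd_enabled: bool
    cache: dict = field(default_factory=dict)  # address -> STATIC | REACHABLE | INCOMPLETE
    delivered: int = 0
    dropped: int = 0      # packets the router received and then discarded
    nd_refused: int = 0   # resolutions refused because the table was full

    def add_static(self, addr):
        self.cache[addr] = "STATIC"

    def forward(self, dst):
        state = self.cache.get(dst)
        if state in ("STATIC", "REACHABLE"):
            self.delivered += 1
            return True
        if state is None and self.nd_enabled:
            if len(self.cache) >= CACHE_LIMIT:
                self.nd_refused += 1
            else:
                # Only the real peer ever answers a solicitation.
                self.cache[dst] = "REACHABLE" if dst == PEER else "INCOMPLETE"
                if dst == PEER:
                    self.delivered += 1
                    return True
        self.dropped += 1
        return False


def run(nd_enabled, scan_packets=1000):
    r = Router(nd_enabled)
    if not nd_enabled:
        r.add_static(PEER)              # static neighbor, ND disabled on the link
    for i in range(scan_packets):       # sweep of unused addresses in the /64
        r.forward(LINK[0x1000 + i])
    peer_ok = r.forward(PEER)           # legitimate traffic after the sweep
    return {"peer_ok": peer_ok, "cache": len(r.cache),
            "dropped": r.dropped, "nd_refused": r.nd_refused}
```

Comparing `run(True)` with `run(False)` shows the trade-off: the static configuration keeps the peer reachable and the table at one entry, yet the drop counter still rises with every swept address.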