nanog mailing list archives
Re: NIST IPv6 document
From: Owen DeLong <owen () delong com>
Date: Thu, 6 Jan 2011 18:10:33 -0800
On Jan 6, 2011, at 3:32 PM, Dobbins, Roland wrote:
> On Jan 7, 2011, at 1:20 AM, Owen DeLong wrote:
>
>> You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.
>
> I know it's common and widely practiced. My point is that if the host is secured properly, this doesn't matter; and that if it isn't secured properly, it's going to be found via hinted scanning and exploited, anyways.
True, but that doesn't really matter. Sparse addressing still provides other useful benefits.
>> And there are ways to mitigate ND attacks as well.
>
> As has been pointed out elsewhere in this thread, not to the degree of control and certainty needed in production environments.
We can agree to disagree here until I see a production environment get taken down by a scan. So far, we've not had a problem with any of the IPv6 scans through our network. All have given up in <8 hours without having caused any sort of ND table overflow issues.
>> Sparse addressing is a win for much more than just rendering scanning useless, but, making scanning useless is still a win.
>
> Since it doesn't make scanning useless (again, hinted scanning), that 'win' is gone. How else is it supposedly a win?
Not having to worry about room to grow without renumbering is a good thing. I've posted other advantages in an earlier message. It does make sequential scanning useless, and it does make even hinted scanning a bit more difficult or less effective.

Think of the difference between playing battleship as it is traditionally played on a simple X, Y grid vs. playing it on a playing field where the ships have 180 different possible orientations (1 per degree instead of 0° and 90° only). Once you get a hit, you need a maximum of 4 additional attempts to identify the orientation of the ship, and 50%+ of the time you can get it in ≤2 additional attempts. With a 360° board, this becomes quite a bit more difficult. Sparse addressing does this even against hinted scanning.

Owen
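The "sequential vs. hinted scanning" argument in the message above can be made concrete by costing out a scan against one /64. The following is an added worked example and is not code from the thread or from any NANOG participant: it assigns host addresses under three policies (sequential, SLAAC/EUI-64, random IID) and computes how many probes a plain sequential sweep and a pattern-hinted scanner need to reach each address. The documentation prefix, the two-entry OUI hint list, the 2^16 "low range" cut-off and the choice to report the expected cost of the random fallback instead of simulating it are all constructed assumptions for the illustration.

```python
"""Added example (not from the original thread): cost of reaching an IPv6 host
inside a /64 for a sequential sweep versus a scanner that uses address-pattern
hints, under three host addressing policies. All constants are assumptions."""
import ipaddress
import secrets

PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")  # RFC 3849 documentation prefix (constructed)
LOW_RANGE = 1 << 16                 # assumption: hinted scanner tries ::0 .. ::ffff first
KNOWN_OUIS = (0x001B21, 0x00155D)   # constructed OUI hint list (e.g. a vendor guess)
IID_MASK = (1 << 64) - 1


def eui64_iid(mac: int) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291 App. A):
    flip the universal/local bit of the OUI and insert 0xFFFE between OUI and NIC."""
    oui = (mac >> 24) & 0xFFFFFF
    nic = mac & 0xFFFFFF
    return ((oui ^ 0x020000) << 40) | (0xFFFE << 24) | nic


def host_address(iid: int) -> ipaddress.IPv6Address:
    """Combine the /64 prefix with a 64-bit interface identifier."""
    return ipaddress.IPv6Address(int(PREFIX.network_address) | (iid & IID_MASK))


def assign(policy: str, index: int = 0, mac: int = 0) -> ipaddress.IPv6Address:
    """Three common ways a host ends up with an IID inside the /64."""
    if policy == "sequential":      # ::1, ::2, ... (manual numbering or DHCPv6 pools)
        return host_address(index)
    if policy == "eui64":           # SLAAC identifier derived from the MAC
        return host_address(eui64_iid(mac))
    if policy == "random":          # unpredictable IID (RFC 4941 / RFC 7217 style)
        return host_address(int.from_bytes(secrets.token_bytes(8), "big"))
    raise ValueError(f"unknown policy {policy!r}")


def probes_sequential(addr: ipaddress.IPv6Address) -> int:
    """A plain ::0, ::1, ::2 ... sweep: the cost is the IID itself, so a random
    64-bit IID costs on the order of 2^63 probes."""
    return (int(addr) & IID_MASK) + 1


def probes_hinted(addr: ipaddress.IPv6Address) -> float:
    """Worst-case probes for a hinted scanner that tries, in order:
    1. the low range ::0 .. ::ffff (LOW_RANGE probes)
    2. every EUI-64 IID for each OUI on its hint list (2^24 probes per OUI)
    3. otherwise a random walk over the remaining space, reported here as its
       expected cost of 2^63 rather than simulated."""
    iid = int(addr) & IID_MASK
    if iid < LOW_RANGE:
        return iid + 1
    looks_eui64 = ((iid >> 24) & 0xFFFF) == 0xFFFE and ((iid >> 57) & 1) == 1
    if looks_eui64:
        oui = ((iid >> 40) ^ 0x020000) & 0xFFFFFF
        if oui in KNOWN_OUIS:
            nic = iid & 0xFFFFFF
            return LOW_RANGE + KNOWN_OUIS.index(oui) * (1 << 24) + nic + 1
    return LOW_RANGE + len(KNOWN_OUIS) * (1 << 24) + 2.0 ** 63


if __name__ == "__main__":
    samples = {
        "sequential ::7": assign("sequential", index=7),
        "eui64, OUI on hint list": assign("eui64", mac=0x001B21ABCDEF),
        "eui64, OUI not on hint list": assign("eui64", mac=0x3C5AB4000001),
        "random IID": assign("random"),
    }
    for label, addr in samples.items():
        print(f"{label:30} {addr}  sequential={probes_sequential(addr):.3g}  hinted={probes_hinted(addr):.3g}")
```

The numbers make both sides of the exchange visible: a host numbered ::7 or a SLAAC host whose vendor OUI is on the hint list falls within a few million probes no matter how sparse the /64 is, while a host with a random IID pushes even the hinted scanner back to the 2^63 expected cost of a blind search. The `probes_hinted` ordering is one plausible hint strategy, not a description of any particular scanner; real hinted scans also draw on DNS, logs and observed traffic, which this example does not model.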