nanog mailing list archives

RE: Katrina Network Damage Report


From: Joel Jaeggli <joelja () darkwing uoregon edu>
Date: Mon, 12 Sep 2005 10:24:07 -0700 (PDT)


On Mon, 12 Sep 2005, Howard, W. Lee wrote:

> Maybe I missed an intermediate post or two, but is the assertion
> here that IPv6 is more secure because it's impractical to scan such
> a large number of possible host IP addresses?  Sort of like zebra
> camouflage--it's easy to see the herd, but hard to see a single
> zebra.

I didn't assert that it was more secure, rather that scanning, as it works now, to collect the IPs of exploitable embedded or other devices is infeasible.

Miscreants will of course look for other ways if they can't feasibly scan. The IETF is full of resource discovery mechanism work, and there's no reason to expect that those selfsame mechanisms wouldn't be subverted to other ends. There's no point in connecting a device to the internet if you can't find it or manage it.

As my firewall logs would testify, though, host discovery through probing is one of the low-hanging fruit.

> There may be other ways to find a host address than random botting.
> Phishing, perhaps.
>
> I suppose the relative security question becomes, "Which is more
> secure: address translation or sparseness?"  I've heard people say
> that NAT provides no security, but dynamic assignment (from the
> Internet's point of view) of an address for only the duration of
> a session means you can't target a specific host, and have to have
> some access already to hijack a session.
>
> I'm not saying NAT is sufficient security, but it can be part of
> a good plan.  Obscurity isn't sufficient security, but I'm not
> publishing my network map.
>
> Lee
--
--------------------------------------------------------------------------
Joel Jaeggli           Unix Consulting         joelja () darkwing uoregon edu
GPG Key Fingerprint:     5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
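Added example, not part of the thread and not code from either poster: it puts numbers on the two points discussed above. Exhaustively probing a single IPv6 /64 is infeasible at any realistic packet rate, but address assignment is not random, so a scanner that tries low-numbered addresses, IPv4-embedded addresses, or modified EUI-64 identifiers (RFC 4291 Appendix A) built from one vendor OUI faces 2^8 to 2^24 candidates rather than 2^64 (the approach later catalogued in RFC 7707). The 1 Mpps scan rate, the 2001:db8:0:1::/64 documentation prefix, the OUI 00:0c:29 and the address 192.0.2.10 are constructed for illustration.

```python
# Added example (not from the NANOG thread): scan cost of a /64 versus
# the much smaller candidate sets that address-assignment structure yields.
# Scan rate, prefix, OUI and IPv4 address are constructed values.
import ipaddress

ASSUMED_PROBES_PER_SECOND = 1_000_000   # constructed scan rate (1 Mpps)
SECONDS_PER_YEAR = 365.25 * 86400


def seconds_to_scan(prefix: str, pps: int = ASSUMED_PROBES_PER_SECOND) -> float:
    """Time to send one probe to every address in prefix at pps probes per second."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses / pps


def years_to_scan(prefix: str, pps: int = ASSUMED_PROBES_PER_SECOND) -> float:
    return seconds_to_scan(prefix, pps) / SECONDS_PER_YEAR


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291 App. A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC-style address: the 64-bit prefix followed by the MAC's modified EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def structured_candidates(prefix: str, ipv4_hints=(), low_max: int = 256) -> list:
    """Addresses a non-random scanner tries first inside a /64: low-byte
    addresses (::1, ::2, ...) and IPv4-embedded ones (::c000:20a for 192.0.2.10)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    base = int(net.network_address)
    cands = [ipaddress.IPv6Address(base | i) for i in range(1, low_max)]
    for v4 in ipv4_hints:
        cands.append(ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(v4))))
    return cands


def eui64_search_space(oui: str) -> int:
    """Number of EUI-64 identifiers possible under one 24-bit vendor OUI: 2^24, not 2^64."""
    if len(bytes.fromhex(oui.replace(":", "").replace("-", ""))) != 3:
        raise ValueError("an OUI is 24 bits")
    return 2 ** 24


if __name__ == "__main__":
    print(f"entire IPv4 space at 1 Mpps: {seconds_to_scan('0.0.0.0/0'):.0f} s")
    print(f"one IPv6 /64 at 1 Mpps: {years_to_scan('2001:db8:0:1::/64'):.0f} years")
    print(f"EUI-64 candidates for OUI 00:0c:29: {eui64_search_space('00:0c:29')}")
    print("SLAAC address for 00:0c:29:12:34:56:",
          eui64_address("2001:db8:0:1::/64", "00:0c:29:12:34:56"))
    print("first structured guesses:",
          structured_candidates("2001:db8:0:1::/64", ["192.0.2.10"])[:3])
```

The numbers make the contrast concrete: all of IPv4 takes about 72 minutes at 1 Mpps, while one /64 takes on the order of 5.8e5 years, which is the infeasibility claimed above; the structured candidate lists are what makes the "other ways" worth an attacker's time.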
