nanog mailing list archives
Re: Using IPv6 with prefixes shorter than a /64 on a LAN
From: Jimmy Hess <mysidia () gmail com>
Date: Tue, 25 Jan 2011 22:17:03 -0600
On Tue, Jan 25, 2011 at 8:29 PM, Roland Dobbins <rdobbins () arbor net> wrote:
> On Jan 26, 2011, at 8:12 AM, Fernando Gont wrote:
>> Also, the claim that "IPv6 address scanning is impossible" is generally based on the (incorrect) assumption that host addresses are spread (randomly) over the 64-bit IID. -- But they usually aren't.
>
> It also doesn't take into account hinted scanning via routing table lookups, whois lookups, and walking reverse DNS, not to mention making use of ND mechanisms once a single box on a given subnet has been successfully botted.

It's not that discovering IPv6 hosts is impossible -- it is just that there's a very large mathematical obstacle between any brute force attempt, and the hosts attempting to be discovered, that didn't exist with IPv4. It is fair to say in the aggregate that 'scanning is impossible' with IPv6, but host discovery is not impossible. Exhaustive scanning is what is basically impossible.

Hinted partial scanning might yield a useful number of guessable host addresses to be attempted; that is, if most networks wind up using some guessable IP addresses for possibly vulnerable hosts; then someone/somewhere will find it worthwhile to attempt partial scanning of random announced prefixes; attempting to guess network IDs, then attempting to guess LAN host IDs.

The bots attempting partial scanning will have to have a lot of ideas about what addresses are most likely to be assigned, and some mechanism of making a "tradeoff" to decide when to give up on a certain network and move on to attempt 'partial scanning' against the next prefix.

DNS walking and ND mechanism use are something different from scanning. They are also less effective -- a would-be intruder has to compromise a host on the LAN before ND can be of any use, it doesn't help so much in discovering LAN hosts on other subnets (if, say, the compromised host is in, say, a very small IPv6 DMZ isolated from potentially vulnerable hosts in separated secure networks); DNS walking is no good against hosts not listed in DNS.

There are other methods of discovery as well, but they are not close in scale or 'ease of use' to what brute-force address space scanning could easily accomplish with IPv4.

--
-JH
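
The gap between exhaustive and hinted scanning discussed in this message can be made concrete by auditing one's own address plan. The following is an added example, not part of the original post: it classifies the interface identifier (IID) of each address in an inventory and shows how much search space each pattern leaves. The pattern names, the bit counts, the sample inventory and the probe rate are assumptions made for illustration.

```python
import ipaddress

# Bits of IID space a guesser would have to cover for each pattern.
# Rough figures assumed for this example; "eui-64" assumes the vendor OUI is known.
PATTERN_BITS = {"low-byte": 16, "ipv4-sized": 32, "eui-64": 24, "unpatterned": 64}


def classify_iid(address):
    """Return the pattern name for the low 64 bits of an IPv6 address."""
    iid = int(ipaddress.IPv6Address(address)) & (2**64 - 1)
    if iid < 2**16:
        return "low-byte"        # ::1, ::25 style manual numbering
    if iid < 2**32:
        return "ipv4-sized"      # e.g. an IPv4 address copied into the IID
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui-64"          # MAC-derived, ff:fe inserted in the middle
    return "unpatterned"         # no obvious structure: full 64-bit space


def sweep_seconds(bits, probes_per_second):
    """Time needed to try every IID in a space of 2**bits at a fixed rate."""
    return 2**bits / probes_per_second


def audit(addresses):
    """Map each address to (pattern, bits) so guessable entries stand out."""
    result = {}
    for addr in addresses:
        pattern = classify_iid(addr)
        result[addr] = (pattern, PATTERN_BITS[pattern])
    return result


# Constructed inventory in the 2001:db8::/32 documentation prefix, not real hosts.
SAMPLE_INVENTORY = [
    "2001:db8:0:1::1",
    "2001:db8:0:1::25",
    "2001:db8:0:1::c0a8:10a",
    "2001:db8:0:1:21a:2bff:fe3c:4d5e",
    "2001:db8:0:1:8d3f:51c2:a07e:9b14",
]

if __name__ == "__main__":
    for addr, (pattern, bits) in audit(SAMPLE_INVENTORY).items():
        secs = sweep_seconds(bits, 1_000_000)  # assumed rate, for scale only
        print(f"{addr:36} {pattern:12} 2^{bits:<3} {secs:.3g} s")
```

Addresses reported as anything other than "unpatterned" are the ones whose subnet position could be reached without an exhaustive sweep, so they are the candidates for renumbering or for filtering at the border.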