nanog mailing list archives
RE: NIST IPv6 document
From: "George Bonser" <gbonser () seven com>
Date: Wed, 5 Jan 2011 20:16:54 -0800
I've understood the problem for years, thanks, and have commented on it in other portions of this thread, as well as in many earlier threads around this general set of issues - and it's completely orthogonal to this particular discussion.
I suppose what confused me was this:

"I don't believe that host-/port-scanning is as serious a problem as you seem to think it is, nor do I think that trying to somehow prevent host from being host-/port-scanned has any material benefit in terms of security posture, that's our fundamental disagreement. If I've done what's necessary to secure my hosts/applications, host-/port-scanning isn't going to find anything to exploit (overly-aggressive scanning can be a DoS vector, but there are ways to ameliorate that, too)."

I thought the entire notion of actually getting to a host was orthogonal to the discussion as that wasn't the point. It wasn't about exploitation of anything on the host, the discussion was about the act of scanning a network itself being the problem. If network devices can be degraded simply by scanning the network, it is going to become *very* commonplace.

But the sets of problems are different for an end user network vs. a service provider network. For a transit link you might disable ND and configure static neighbors which would inoculate that link from such a neighbor table exhaustion attack. For an end network, the problems are different.
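The neighbor table pressure discussed in the message above can be watched for from the defender's side. The following is an added example, not part of the original post: it parses `ip -6 neigh show` output from a Linux router and flags interfaces whose cache is dominated by unresolved entries. The sample output, function names and thresholds are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of `ip -6 neigh show` output (not from the original post).
SAMPLE = """\
2001:db8:0:1::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:0:1::10 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8:0:1::a1 dev eth0  INCOMPLETE
2001:db8:0:1::a2 dev eth0  INCOMPLETE
2001:db8:0:1::a3 dev eth0  FAILED
2001:db8:0:1::a4 dev eth0  INCOMPLETE
2001:db8:0:2::1 dev eth1 lladdr 00:11:22:33:44:77 PERMANENT
fe80::1 dev eth1 lladdr 00:11:22:33:44:77 router REACHABLE
"""

# States an entry sits in while ND for a (possibly nonexistent) host is unresolved.
UNRESOLVED = {"INCOMPLETE", "FAILED"}


def neighbor_states(text):
    """Return {interface: Counter(state -> count)} from `ip -6 neigh show` text."""
    per_dev = defaultdict(Counter)
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue
        idx = fields.index("dev")
        if idx + 1 >= len(fields) - 1:  # need a device name and a trailing state
            continue
        per_dev[fields[idx + 1]][fields[-1]] += 1
    return per_dev


def flag_exhaustion(text, min_unresolved=3, ratio=0.5):
    """List (interface, unresolved, total) where unresolved entries dominate.

    min_unresolved and ratio are illustrative thresholds (assumptions); tune
    them against the platform's real neighbor table size and normal churn.
    """
    flagged = []
    for dev, states in sorted(neighbor_states(text).items()):
        total = sum(states.values())
        unresolved = sum(states[s] for s in UNRESOLVED)
        if unresolved >= min_unresolved and unresolved / total >= ratio:
            flagged.append((dev, unresolved, total))
    return flagged


if __name__ == "__main__":
    for dev, unresolved, total in flag_exhaustion(SAMPLE):
        print(f"{dev}: {unresolved}/{total} neighbor entries unresolved")
```

Entries in the `PERMANENT` state are statically configured neighbors, so a link set up as the message suggests for transit links would show only those.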