nanog mailing list archives
Re: NIST IPv6 document
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 6 Jan 2011 23:23:53 +0000
On Jan 6, 2011, at 9:29 PM, Joe Greco wrote:
> Sorry, but I see this as not grasping a fundamental security concept.
I see it as avoiding a common security misconception.
> Making a host harder to find (or more specifically to address from remote) is a worthwhile goal.
As I've stated repeatedly, I don't think that sparse addressing makes hosts harder to find, because hinted scanning will reveal them.
> Things like 4941 take that a lot further, and provide enough bits to make both range scanning and scanning via learned addresses less useful techniques.
I believe RFC4941 to be positively evil, that the harm it will do in terms of complicating traceback and attribution far outweighs any supposed benefits (which are questionable, anyways, IMHO).
> This is basic security, whether or not you approve of it. You're trying to make it harder for bad guys.
My view is that it's basic security theater, which a) makes nothing harder for the bad guys, and b) has unpleasant side-effects which have the net effect of degrading one's overall security posture.
------------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
Most software today is very much like an Egyptian pyramid, with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.
-- Alan Kay