nanog mailing list archives
Re: NIST IPv6 document
From: Tim Chown <tjc () ecs soton ac uk>
Date: Fri, 7 Jan 2011 14:23:22 +0000
On 6 Jan 2011, at 18:20, Owen DeLong wrote:
On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:Packing everything densely is an obvious problem with IPv4; we learned early on that having a 48-bit (32 address, 16 port) space to scan made port-scanning easy, attractive, productive, and commonplace.I don't believe that host-/port-scanning is as serious a problem as you seem to think it is, nor do I think that trying to somehow prevent host from being host-/port-scanned has any material benefit in terms of security posture, that's our fundamental disagreement.You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.
In our IPv6 enterprise we have not seen any 'traditional' port scans (across IP space), rather we see port sweeps on IPv6 addresses that we expose publicly (DNS servers, web servers, MX servers etc). This is discussed a bit in RFC5157. We have yet to see any of the ND problems discussed in this thread, mainly I believe because our perimeter firewall blacks any such sweeps before they hit the edge router serving the 'attacked' subnet. The main operational problem we see is denial of service caused by unintentional IPv6 RAs from hosts. I think this is an interesting thread though and we'll run some tests internally to see how the issue might (or might not) affect our network. Tim
Current thread:
- Re: NIST IPv6 document, (continued)
- Re: NIST IPv6 document Jack Bates (Jan 06)
- Re: NIST IPv6 document Lamar Owen (Jan 06)
- Re: NIST IPv6 document Jima (Jan 06)
- Re: NIST IPv6 document Jeff Kell (Jan 05)
- Re: NIST IPv6 document Dobbins, Roland (Jan 05)
- Re: NIST IPv6 document John Levine (Jan 05)
- Re: NIST IPv6 document Julien Goodwin (Jan 06)
- Re: NIST IPv6 document Owen DeLong (Jan 06)
- Re: NIST IPv6 document Dobbins, Roland (Jan 06)
- Re: NIST IPv6 document Owen DeLong (Jan 06)
- Message not available
- Re: NIST IPv6 document Tim Chown (Jan 07)
- Re: NIST IPv6 document Dobbins, Roland (Jan 07)
- Re: NIST IPv6 document TJ (Jan 07)
- Re: NIST IPv6 document Owen DeLong (Jan 07)
- Re: NIST IPv6 document Jeff Wheeler (Jan 05)
- Re: NIST IPv6 document Joe Greco (Jan 05)
- Re: NIST IPv6 document Kevin Oberman (Jan 05)
- Re: NIST IPv6 document Robert E. Seastrom (Jan 07)
- Re: NIST IPv6 document Mark Smith (Jan 08)
- Re: NIST IPv6 document Owen DeLong (Jan 08)
- Re: NIST IPv6 document Owen DeLong (Jan 06)