nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: NIST IPv6 document

From: Tim Chown <tjc () ecs soton ac uk>
Date: Fri, 7 Jan 2011 14:23:22 +0000

On 6 Jan 2011, at 18:20, Owen DeLong wrote:



On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:



On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:


Packing everything densely is an obvious problem with IPv4; we learned early on that having a 48-bit (32 address, 
16 port) space to scan made
port-scanning easy, attractive, productive, and commonplace.


I don't believe that host-/port-scanning is as serious a problem as you seem to think it is, nor do I think that 
trying to somehow prevent host from being host-/port-scanned has any material benefit in terms of security posture, 
that's our fundamental disagreement.


You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.


In our IPv6 enterprise we have not seen any 'traditional' port scans (across IP space), rather we see port sweeps on 
IPv6 addresses that we expose publicly (DNS servers, web servers, MX servers etc).   This is discussed a bit in RFC5157.

We have yet to see any of the ND problems discussed in this thread, mainly I believe because our perimeter firewall 
blacks any such sweeps before they hit the edge router serving the 'attacked' subnet.

The main operational problem we see is denial of service caused by unintentional IPv6 RAs from hosts.

I think this is an interesting thread though and we'll run some tests internally to see how the issue might (or might 
not) affect our network.

Tim
Previous By Date Next
Previous By Thread Next

Current thread: