nanog mailing list archives
Re: NIST IPv6 document
From: Owen DeLong <owen () delong com>
Date: Fri, 7 Jan 2011 11:44:16 -0800
On Jan 7, 2011, at 6:23 AM, Tim Chown wrote:
On 6 Jan 2011, at 18:20, Owen DeLong wrote:
On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:
On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
Packing everything densely is an obvious problem with IPv4; we learned early on that having a 48-bit (32 address, 16 port) space to scan made port-scanning easy, attractive, productive, and commonplace.
I don't believe that host-/port-scanning is as serious a problem as you seem to think it is, nor do I think that trying to somehow prevent hosts from being host-/port-scanned has any material benefit in terms of security posture; that's our fundamental disagreement.
You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.
In our IPv6 enterprise we have not seen any 'traditional' port scans (across IP space); rather we see port sweeps on IPv6 addresses that we expose publicly (DNS servers, web servers, MX servers etc). This is discussed a bit in RFC5157.
Good for you. We have seen actual host-scanning. It hasn't been particularly successful (firing blind into a very large ocean hoping to hit a whale rarely is), but, nonetheless, we've seen scans go at it for up to 8 hours before they were terminated by the originator. (Very little of a /64 gets scanned in 8 hours, however).
We have yet to see any of the ND problems discussed in this thread, mainly I believe because our perimeter firewall blocks any such sweeps before they hit the edge router serving the 'attacked' subnet.
Likewise, we haven't seen them. Not even with the active scanning that has been touted as the likely cause thereof.
The main operational problem we see is denial of service caused by unintentional IPv6 RAs from hosts.
Yep... Push your switch vendors for RA-Guard. This is a very real problem. Right up there with unintentional 6to4 gateways that don't lead anywhere.
Owen