![nanog logo](/images/nanog-logo.png)
nanog mailing list archives
Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
From: Fernando Gont <fgont () si6networks com>
Date: Tue, 7 Feb 2023 00:39:56 -0300
Hi, Bill, Thanks for your feedback! In-line.... On 7/2/23 00:05, William Herrin wrote:
On Mon, Feb 6, 2023 at 6:43 PM Fernando Gont <fgont () si6networks com> wrote:On 6/2/23 20:39, Owen DeLong wrote:After all, they’re only collecting addresses to ban at the rate they’re actually being used to send packets.Yeah, but the whole point of banning is that the banned address is actually used by an attacker subsequently,You both have valuable points here. Listen to each other. On the one hand, sophisticated attackers already scatter attacks between source addresses to evade protection software. Attackers who don't have control over their computer's IP address do not. This is not new and IPv6 does not really change that picture.
... although the ability to change IP addresses in IPv4 is rather limited. -- e.g., if I want do do it at home, I could do a DHCP release and try to get a different lease.. but not very practical -- and certainly not possible in a e.g. cafe scenario.
Whereas in the IPv6 case , you normally have at least a /64 without restriction. You might have a /56 or /48 thanks to your ISP, or simply a /48 thanks to some free tunnelbroker provider...
On the other hand, there are so many addresses in a /64 that an attacker can literally use a fresh one for each and every probe he sends. Without a process for advancing the /128 ban to a /64 ban (and releasing it once activity stops), reactive firewalls are likely to become less and less effective.
Not just /128 to /64, but also e.g. /64 to /56 or possibly /48... Thanks! Cheers, -- Fernando Gont SI6 Networks e-mail: fgont () si6networks com PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
Current thread:
- (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Fernando Gont (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Owen DeLong via NANOG (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Fernando Gont (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) William Herrin (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Fernando Gont (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) William Herrin (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Fernando Gont (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Fernando Gont (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Daniel Marks via NANOG (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Fernando Gont (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Sabri Berisha (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Fernando Gont (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Sabri Berisha (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Owen DeLong via NANOG (Feb 08)
- Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt) Owen DeLong via NANOG (Feb 09)