nanog mailing list archives

Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)


From: Fernando Gont <fgont () si6networks com>
Date: Tue, 7 Feb 2023 00:39:56 -0300

Hi, Bill,

Thanks for your feedback! In-line....

On 7/2/23 00:05, William Herrin wrote:
On Mon, Feb 6, 2023 at 6:43 PM Fernando Gont <fgont () si6networks com> wrote:
On 6/2/23 20:39, Owen DeLong wrote:
After all, they’re only collecting addresses to ban at the rate they’re actually being used to send packets.

Yeah, but the whole point of banning is that the banned address is
actually used by an attacker subsequently,

You both have valuable points here. Listen to each other.

On the one hand, sophisticated attackers already scatter attacks
between source addresses to evade protection software. Attackers who
don't have control over their computer's IP address do not. This is
not new and IPv6 does not really change that picture.

... although the ability to change IP addresses in IPv4 is rather limited -- e.g., if I want to do it at home, I could do a DHCP release and try to get a different lease... but not very practical -- and certainly not possible in, e.g., a cafe scenario.

Whereas in the IPv6 case, you normally have at least a /64 without restriction. You might have a /56 or /48 thanks to your ISP, or simply a /48 thanks to some free tunnelbroker provider...


On the other hand, there are so many addresses in a /64 that an
attacker can literally use a fresh one for each and every probe he
sends. Without a process for advancing the /128 ban to a /64 ban (and
releasing it once activity stops), reactive firewalls are likely to
become less and less effective.

Not just /128 to /64, but also e.g. /64 to /56 or possibly /48...

Thanks!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont () si6networks com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
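The escalation the thread sketches (advance a /128 ban to a /64, and on to a /56 or /48, then release it once activity stops) is easy to state but has a few details worth seeing in code: when to widen, how to count evidence per prefix, and how a quiet prefix gets released. The following is an added example written for this archive page; it is not code from the thread, from the draft, or from any firewall product. The threshold of three distinct banned children and the 600-second idle release are constructed values, and the sample addresses are from the 2001:db8::/32 documentation range.

```python
import ipaddress
from collections import defaultdict

# Escalation ladder from the thread: /128 host ban -> /64 -> /56 -> /48.
LADDER = (128, 64, 56, 48)


class ReactiveBanList:
    """Reactive ban list that widens an IPv6 ban once `threshold` distinct
    child prefixes inside the next-wider prefix have been banned, and
    releases any ban that has seen no offense for `idle_seconds`.
    Threshold and idle period are constructed defaults, not from the thread.
    """

    def __init__(self, threshold=3, idle_seconds=600):
        self.threshold = threshold
        self.idle_seconds = idle_seconds
        # banned prefix -> timestamp of the last offense seen inside it
        self.bans = {}
        # wider prefix -> set of banned prefixes one ladder step narrower
        self.children = defaultdict(set)

    @staticmethod
    def _prefix(ip, plen):
        return ipaddress.IPv6Network((ip, plen), strict=False)

    def record_offense(self, ip_str, now):
        """Register an offending source address; returns the widest prefix
        that is banned as a result (the /128 itself if nothing escalated)."""
        ip = ipaddress.IPv6Address(ip_str)
        # Any existing ban covering this address is kept alive by the offense.
        for net in self.bans:
            if ip in net:
                self.bans[net] = now
        banned = self._prefix(ip, 128)
        self.bans[banned] = now
        # Walk up the ladder while enough distinct children are already banned.
        for plen in LADDER[1:]:
            parent = self._prefix(ip, plen)
            self.children[parent].add(banned)
            if len(self.children[parent]) < self.threshold:
                break
            self.bans[parent] = now
            banned = parent
        return banned

    def expire(self, now):
        """Release bans whose prefix has been quiet for longer than idle_seconds."""
        stale = [n for n, ts in self.bans.items() if now - ts > self.idle_seconds]
        for net in stale:
            del self.bans[net]
            # Forget it as evidence too, so a later escalation needs fresh offenses.
            for kids in self.children.values():
                kids.discard(net)
        return stale

    def widest_ban(self, ip_str, now):
        """Widest active ban covering ip_str, or None if the address is allowed."""
        self.expire(now)
        ip = ipaddress.IPv6Address(ip_str)
        covering = [n for n in self.bans if ip in n]
        return min(covering, key=lambda n: n.prefixlen) if covering else None

    def is_banned(self, ip_str, now):
        return self.widest_ban(ip_str, now) is not None


def demo():
    """Constructed scenario: three probes, each from a fresh /128 in one /64."""
    bans = ReactiveBanList(threshold=3, idle_seconds=600)
    results = [bans.record_offense(f"2001:db8:1:1::{i}", now=i) for i in (1, 2, 3)]
    return bans, results


if __name__ == "__main__":
    bans, results = demo()
    for r in results:
        print("banned:", r)
    print("fresh /128 in same /64 blocked:", bans.is_banned("2001:db8:1:1::dead", now=4))
    print("after idle period:", bans.is_banned("2001:db8:1:1::dead", now=700))
```

The third offense from a distinct host inside the same /64 promotes the ban to the /64, so a fourth, never-seen /128 in that prefix is refused without having sent a single probe; the same rule carries a /64 ban up to the /56 and /48 when enough sibling /64s misbehave. The idle release is what keeps a widened ban from outliving the burst that caused it, which matters more the wider the prefix gets.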

