Educause Security Discussion mailing list archives

Re: IPv6 and DHCP and ICMP


From: "Manjak, Martin" <mmanjak () ALBANY EDU>
Date: Wed, 23 May 2012 20:49:17 +0000

I want to focus on one point that Randy made at the end of his post (below), i.e., scanning.  In the v4 world, best 
practices emerged that limited or completely eliminated ICMP from the public network.

Since Randy is encouraging re-calibration, we're wondering if these types of filters on the public side of the router 
are still recommended, worthwhile, or even feasible given the role ICMP plays in v6 assignments.

Marty Manjak
ISO
University at Albany

The University at Albany will never ask you to reveal your password. Please ignore all such requests.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy marchany
Sent: Wednesday, May 23, 2012 2:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPv6 and DHCP

I would encourage everyone to listen to Phil's talk. My point is that the v6 address space will force a change in the 
way we approach security. No more sequential scanning of a subnet (takes too long) but definitely more cluster-based 
scanning (found a v6 address, scan +-1 address on either side to find clusters of similar services perhaps?). Our 
Moving Target Defense work (google MT6D) and prototypes show dynamic address switching in v6 works. We're trying to 
figure out the implications of this with respect to IDS/IPS and firewalls.

In other words, we (the US) will have to move to v6 eventually since the rest of the world is (particularly the Asian 
countries), so start investigating how to implement it.

-Randy
