nanog mailing list archives
Re: IPv6 Advertisements
From: JORDI PALET MARTINEZ <jordi.palet () consulintel es>
Date: Tue, 29 May 2007 23:09:40 +0200
When I do IPv6 trainings, I always clearly state that it is, in principle, as secure as IPv4: IPsec is the same. However, you can *always* turn on IPsec with IPv6, which is not always true for IPv4 (NATs, no end-to-end, etc.).

Also, port scanning is not "so simple", and while in IPv6 a /24 can be scanned in 5 minutes, a /64 takes 5.3 billion years, and of course, usually you will have a /48. So at the time being, it can be considered a bit more difficult to do a brute force DoS.

Of course, attackers will try some other means, that's why I recommend not numbering the hosts manually in a consecutive way. One possible choice is to use autoconfiguration the *first* time you power on a server, then manually configuring the autoconfigured address and using that one for the AAAA. This way, the possibility of consecutive addresses is very low, but at the same time if the interface gets broken, you don't need to update the AAAA.

Regards,
Jordi
From: David Conrad <drc () virtualized org>
Reply-To: <owner-nanog () merit edu>
Date: Tue, 29 May 2007 11:28:56 -0700
To: Donald Stahl <don () calis blacksun org>
CC: Nanog <nanog () nanog org>
Subject: Re: IPv6 Advertisements

Should've clarified: this was in the context of IPv4... To be honest, I'm not sure what the appropriate equivalent would be in IPv6 (/128 or /64? Arguments can be made for both I suppose).

Rgds,
-drc

On May 29, 2007, at 9:34 AM, David Conrad wrote:

On May 29, 2007, at 8:23 AM, Donald Stahl wrote:

vixie had a fun discussion about anycast and dns... something about him being sad/sorry about making everyone have to carry a /24 for f-root everywhere.

Whether it's a /24 for f-root or a /20 doesn't really make a difference- it's a routing table entry either way- and why waste addresses.

I once suggested that due to the odd nature of the root name server addresses in the DNS protocol (namely, that they must be hardwired into every caching resolver out there and thus, are somewhat difficult to change), the IETF/IAB should designate a bunch of /32s as "root server addresses" as DNS protocol parameters. ISPs could then explicitly permit those /32s. However, the folks I mentioned this to (some root server operators) felt this would be inappropriate.

Rgds,
-drc
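An added example, not part of the original message or of any poster's code: a small audit of the addresses an operator publishes in AAAA records, flagging interface identifiers that are low-valued or consecutive within a /64, the numbering pattern the message above recommends avoiding. The sample addresses are constructed from the documentation prefix 2001:db8::/32, and the `LOW_IID_LIMIT` threshold and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: an interface identifier (IID) below 2**16 was typed in by hand.
LOW_IID_LIMIT = 0xFFFF

# Constructed sample of published AAAA targets (documentation prefix 2001:db8::/32).
SAMPLE = [
    "2001:db8:0:1::1",
    "2001:db8:0:1::2",
    "2001:db8:0:1::3",
    "2001:db8:0:1:211:22ff:fe33:4455",  # autoconfigured (EUI-64 style) IID
    "2001:db8:0:2::53",
]

def split(addr):
    """Return (/64 prefix, 64-bit interface identifier) as integers."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> 64, n & ((1 << 64) - 1)

def audit(addresses):
    """Map each address to its findings; an empty list means nothing was flagged."""
    addresses = list(dict.fromkeys(addresses))  # drop duplicates, keep order
    by_prefix = defaultdict(list)
    for addr in addresses:
        prefix, iid = split(addr)
        by_prefix[prefix].append((iid, addr))
    findings = {addr: [] for addr in addresses}
    for hosts in by_prefix.values():
        hosts.sort()
        for i, (iid, addr) in enumerate(hosts):
            if iid <= LOW_IID_LIMIT:
                findings[addr].append("low-iid")
            # After sorting, only the immediate neighbours can differ by one.
            neighbours = hosts[max(i - 1, 0):i] + hosts[i + 1:i + 2]
            if any(abs(iid - other) == 1 for other, _ in neighbours):
                findings[addr].append("consecutive")
    return findings

if __name__ == "__main__":
    for addr, flags in audit(SAMPLE).items():
        print(f"{addr:36} {', '.join(flags) or 'ok'}")
```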