nanog mailing list archives

Re: IPv6 Advertisements


From: JORDI PALET MARTINEZ <jordi.palet () consulintel es>
Date: Tue, 29 May 2007 23:09:40 +0200


When I do IPv6 trainings, I always clearly state that it is, in principle,
as secure as IPv4: IPsec is the same.

However, you can *always* turn on IPsec with IPv6, which is not always true
for IPv4 (NATs, no end-to-end, etc.).

Also, port scanning is not "so simple", and while in IPv6 a /24 can be
scanned in 5 minutes, a /64 takes 5.3 billion years, and of course, usually
you will have a /48.

So at the time being, it can be considered a bit more difficult to do a
brute force DoS. Of course, attackers will try some other means, that's why
I recommend not numbering the hosts manually in a consecutive way. One
possible choice is to use autoconfiguration the *first* time you power-on a
server, then manually configuring the autoconfigured address and using that
one for the AAAA. This way, the possibility of consecutive addresses is very
low, but at the same time if the interface gets broken, you don't need to
update the AAAA.

Regards,
Jordi




From: David Conrad <drc () virtualized org>
Reply-To: <owner-nanog () merit edu>
Date: Tue, 29 May 2007 11:28:56 -0700
To: Donald Stahl <don () calis blacksun org>
CC: Nanog <nanog () nanog org>
Subject: Re: IPv6 Advertisements


Should've clarified: this was in the context of IPv4...

To be honest, I'm not sure what the appropriate equivalent would be
in IPv6 (/128 or /64?  Arguments can be made for both I suppose).

Rgds,
-drc

On May 29, 2007, at 9:34 AM, David Conrad wrote:
On May 29, 2007, at 8:23 AM, Donald Stahl wrote:
vixie had a fun discussion about anycast and dns... something about him
being sad/sorry about making everyone have to carry a /24 for f-root
everywhere.
Whether it's a /24 for f-root or a /20 doesn't really make a
difference- it's a routing table entry either way- and why waste
addresses.

I once suggested that due to the odd nature of the root name server
addresses in the DNS protocol (namely, that they must be hardwired
into every caching resolver out there and thus, are somewhat
difficult to change), the IETF/IAB should designate a bunch of /32s
as "root server addresses" as DNS protocol parameters.  ISPs could
then explicitly permit those /32s.

However, the folks I mentioned this to (some root server operators)
felt this would be inappropriate.

Rgds,
-drc





