nanog mailing list archives

Re: Using IPv6 with prefixes shorter than a /64 on a LAN


From: Roland Dobbins <rdobbins () arbor net>
Date: Wed, 26 Jan 2011 11:30:56 +0700


On Jan 26, 2011, at 11:17 AM, Jimmy Hess wrote:

> There are other methods of discovery as well, but they are not close in scale or 'ease of use' to what brute-force address space scanning could easily accomplish with IPv4.

Most botted hosts today are compromised in the first place via layer-7 exploits, not via scanning and network-based exploits.

Pushing the miscreants in the direction of hinted scanning will further strain already overloaded whois and DNS servers.

And just because iterative scanning is a crapshoot in IPv6, it costs attackers nothing to do it anyway, and so they will.

So, the fact that IPv6 access networks can contain huge numbers of possible endpoint addresses as compared to IPv4 is largely irrelevant; and in fact will have negative consequences with regards to the second-order effects of hinted scanning.

------------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.

                          -- Alan Kay
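As an added illustration of the scale argument in the post above (example code written for this archive page, not part of the original message and not the author's): the first two functions quantify why iterative scanning of a /64 is a "crapshoot" compared with an IPv4 /24, and the third sketches the hinted approach the post warns about, deriving the in-use /64s from a handful of published AAAA records and enumerating only the interface identifiers an attacker would actually try (low-numbered IIDs and addresses adjacent to known hosts). The scanner rate, the hostnames and the addresses are constructed assumptions, not measurements.

```python
import ipaddress

# Constructed assumption: a single scanner sending one million probes per second.
PROBES_PER_SECOND = 1_000_000

# Constructed assumption: AAAA records an attacker could pull from public DNS.
CONSTRUCTED_AAAA = {
    "www.example.test": "2001:db8:1:10::1",
    "mail.example.test": "2001:db8:1:10::25",
    "ns1.example.test": "2001:db8:1:20::53",
}


def brute_force_seconds(prefix: str, pps: int = PROBES_PER_SECOND) -> float:
    """Seconds needed to probe every address in `prefix` once at `pps` probes/s."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.num_addresses / pps


def seconds_to_years(seconds: float) -> float:
    """Convert a scan duration to (Julian) years for readability."""
    return seconds / (365.25 * 86400)


def hit_probability(prefix: str, active_hosts: int) -> float:
    """Chance that one uniformly random probe into `prefix` lands on a live host."""
    net = ipaddress.ip_network(prefix, strict=False)
    return active_hosts / net.num_addresses


def hinted_candidates(aaaa_records, low_iids: int = 0xff, neighbour_span: int = 8):
    """Build a probe list from DNS hints instead of iterating the address space.

    For each /64 that contains a published address, enumerate the low
    interface identifiers (::1 .. ::ff by default) plus the addresses within
    `neighbour_span` of every published host. Returns a set of IPv6Address.
    """
    candidates = set()
    observed = {ipaddress.IPv6Address(a) for a in aaaa_records.values()}
    # Infer the /64s actually in use from the observed addresses.
    prefixes = {ipaddress.IPv6Interface(f"{a}/64").network for a in observed}

    for net in prefixes:
        base = net.network_address
        # Hint 1: administrators tend to hand-assign low IIDs on servers.
        for iid in range(1, low_iids + 1):
            candidates.add(base + iid)
        # Hint 2: hosts numbered near a known host are likely to exist too.
        for addr in observed:
            if addr not in net:
                continue
            for k in range(1, neighbour_span + 1):
                if addr + k <= net.broadcast_address:
                    candidates.add(addr + k)
                if addr - k >= net.network_address:
                    candidates.add(addr - k)
    return candidates


def search_space_reduction(aaaa_records) -> float:
    """How many times smaller the hinted probe list is than one brute-forced /64."""
    return 2 ** 64 / len(hinted_candidates(aaaa_records))


if __name__ == "__main__":
    v4 = brute_force_seconds("192.0.2.0/24")
    v6 = brute_force_seconds("2001:db8::/64")
    print(f"/24 full sweep: {v4:.6f} s")
    print(f"/64 full sweep: {v6:.3e} s (~{seconds_to_years(v6):.2e} years)")
    print(f"P(random probe hits 1 of 1000 live hosts in a /64): {hit_probability('2001:db8::/64', 1000):.3e}")
    cands = hinted_candidates(CONSTRUCTED_AAAA)
    print(f"hinted probe list from {len(CONSTRUCTED_AAAA)} AAAA records: {len(cands)} addresses")
    print(f"search space reduction vs one /64: {search_space_reduction(CONSTRUCTED_AAAA):.3e}x")
```

The point the numbers make is the one the post makes: the /24 is exhausted in well under a millisecond, the /64 would take on the order of 10^13 seconds, and a few DNS lookups collapse the useful probe list to a few hundred addresses. Every one of those lookups is a query against DNS and whois infrastructure, which is the second-order load the post is concerned about.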


