nanog mailing list archives

Re: NIST IPv6 document


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Wed, 5 Jan 2011 09:39:32 +0000


On Jan 5, 2011, at 1:15 PM, Jeff Wheeler wrote:

> I notice that this document, in its nearly 200 pages, makes only casual mention of ARP/NDP table overflow attacks, which may be among the first real DoS challenges production IPv6 networks, and equipment vendors, have to resolve.

They also only make small mention of DNS- and broadcast-hinted scanning, and none at all of routing-hinted scanning.

> It has been pointed out to me that I should have been more vocal when IPv6 was still called IPng, but in 16 years, there has been nothing done about this problem other than water-cooler talk.

Likewise.  I never in my wildest dreams thought that such a bag of hurt, with all the problems of IPv4 *plus* its own 
inherent problems - in *hex*, no less -  would end up being adopted.  I was sure that the adults would step in, at some 
point, and get things back on a more sensible footing. 

Obviously, I'm the biggest idiot on the Internet, and have only my own misplaced faith in the IAB/IETF process to 
blame, heh.

The authors of the document also make only small mention of the dangers of extension header-driven DoS for 
infrastructure, but at least they mention it, which puts them ahead of most folks in this regard.

They also fail to mention the dangers represented by the consonance of the English letters 'B', 'C', 'D', and 'E'.  My 
guess is that billions of USD in outages, misconfigurations, and avoidable security incidents will result from verbal
miscommunication of these letters, yet another reason why adopting a hexadecimal numbering scheme was foolish in the 
extreme.  Ah, well, no use crying over spilt milk.

The document itself is a good tutorial on IPv6, and it's great that the authors did indeed touch upon these security 
concerns, but the security aspect as a whole is seemingly deliberately understated, which does a disservice to the lay 
reader.  One can only imagine that there were non-technical considerations which came into play.

------------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.

                          -- Alan Kay
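One defensive check a practitioner would want against the NDP table exhaustion raised in this thread, as an added example that is not part of the original posts: it parses Linux `ip -6 neigh show` output (the sample lines below are constructed) and flags interfaces whose neighbor cache is dominated by unresolved INCOMPLETE/FAILED entries, the footprint a cache-filling flood leaves on a router or host.

```python
"""Detect possible IPv6 neighbor-cache exhaustion from `ip -6 neigh show` output.

Added example for this thread, not code from the original posts. Assumes the
Linux iproute2 line format `<addr> dev <if> [lladdr <mac>] [flags] <STATE>`.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: eth0 is being filled with unresolved entries, eth1 is healthy.
SAMPLE_NEIGH = """\
2001:db8:1::1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::a1 dev eth0  FAILED
2001:db8:1::a2 dev eth0  INCOMPLETE
2001:db8:1::a3 dev eth0  FAILED
2001:db8:1::a4 dev eth0  INCOMPLETE
2001:db8:2::1 dev eth1 lladdr 00:11:22:33:44:66 STALE
"""

# Address, interface, optional lladdr, optional flags (router/proxy), then the NUD state.
NEIGH_RE = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)(?: lladdr \S+)?.* (?P<state>[A-Z]+)$"
)

# States meaning "address resolution never completed": what an ND flood produces.
UNRESOLVED = {"INCOMPLETE", "FAILED"}


def parse_neigh(text):
    """Return {ifname: Counter(state -> count)} parsed from `ip -6 neigh show` text."""
    per_dev = defaultdict(Counter)
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            per_dev[m.group("dev")][m.group("state")] += 1
    return per_dev


def flag_exhaustion(per_dev, min_unresolved=3, max_ratio=0.5):
    """Return {ifname: (unresolved, total)} for interfaces where unresolved
    entries are both numerous and a large share of the cache. Thresholds are
    assumptions; tune them to the platform's neighbor-table limits."""
    alerts = {}
    for dev, states in per_dev.items():
        total = sum(states.values())
        unresolved = sum(states[s] for s in UNRESOLVED)
        if unresolved >= min_unresolved and unresolved / total >= max_ratio:
            alerts[dev] = (unresolved, total)
    return alerts


if __name__ == "__main__":
    print(flag_exhaustion(parse_neigh(SAMPLE_NEIGH)))  # {'eth0': (4, 5)}
```

In practice, feed it the live output of `ip -6 neigh show` on a schedule and alert on any newly flagged interface; a rising unresolved count on a /64 with few real hosts is the symptom to watch for.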


