Re: Article: IPv6 host scanning attacks

[Fernando Gont <fernando () gont com ar>]

On 06/13/2012 05:22 PM, STARNES, CURTIS wrote:
> Going from an IPv4 32 bit address space to a IPv6 128 bit address
> space like you mentioned in the article would be a tedious effort to
> scan.

(tedious != infeasible) && (tedious < 500000000 years)

-- that's the point the article is trying to make.



> That sounds fine and dandy but in reality, Internet facing IPv6
> native or dual-stack systems that are installed with any security
> forethought at all would not embed any of these options with the
> exception of the last one (transitional or coexistence) only if
> forced to do so.

Well, as far as I've measured, they do.



> I agree that some IPv6 addresses are set up to have catchy names, but
> why set up hundreds or even thousands of IPv6 addresses with IPv6
> addresses that you try to remember like we did with IPv4?

Because that's what you're used to? -- and no, I'm not arguing in favor
of that, but rather accepting human's resistance to change.



> In general, I just don't agree with your conclusions, and with proper
> IPv6 firewall rules, the network should still be as secure as the
> IPv4 systems.  Not more insecure just because they run an IPv6
> stack.

Your making a much broader claim here.

When it comes to scanning attacks, they are likely to be harder than for
the IPv4 case.

However, when it comes to IPv6 security vs. IPv4 security, I'd expect v6
to be worse than v4, not (necessarily/only) for the protocol itself --
please see slide 8 of
<http://www.si6networks.com/presentations/deepsec2011/fgont-deepsec2011-ipv6-security.pdf>

Cheers,
-- 
Fernando Gont
e-mail: fernando () gont com ar || fgont () si6networks com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1