nanog mailing list archives

Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)


From: Owen DeLong via NANOG <nanog () nanog org>
Date: Thu, 9 Feb 2023 11:37:43 -0800



On Feb 6, 2023, at 18:43, Fernando Gont <fgont () si6networks com> wrote:

> Hi, Owen,
>
> On 6/2/23 20:39, Owen DeLong wrote:
>> As long as they have a reasonable expiry process, it could work.
>
> What, specifically? Banning /128s?

Yes.

>> After all, they’re only collecting addresses to ban at the rate they’re actually being used to send packets.
>
> Yeah, but the whole point of banning is that the banned address is actually used by an attacker subsequently.
>
> In other words, if:
>
> 1. The attacker employs one address for malicious purposes
> 2. You ban that address
> 3. The attacker changes his/her address and goes back to #1
>
> ... you’d be doing yourself a disservice by adding addresses to the ban-list. You just pay penalties for no actual gain.

Sure, but there are lots of human endeavors where this is par for the course… Consider voting for legislators in the US, for example.

No matter what we do, this is always going to boil down to a contest of intellect between the attackers and the targets. There’s a limit to the extent to which we can effectively solve stupid on the side of the targets.

>> While that’s not a completely effective throttle, as long as your expiry process can keep up and your TTL doesn’t exceed your ring buffer size, it should be theoretically OK.
>
> Memory is a limited resource. As soon as you consistently use memory (iptables rule slots) to store more and more rules/addresses you’ll get no benefit from, the attacker is winning....

No argument here… See above.

I wasn’t advocating the mechanism, just kind of making fun of the theory behind it. Sorry if the sarcasm wasn’t clear.

Owen
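The exchange above argues about three knobs of an address ban list: the granularity of what gets banned (/128 versus a wider prefix), the expiry TTL, and the bounded table that holds the entries. The following toy model is an added example, not code from the thread or from either participant, and it makes its own assumptions: addresses are constructed from the 2001:db8::/32 documentation prefix, the TTL and capacity values are arbitrary, and "malicious" is simply a flag on each constructed event standing in for whatever detector would normally trigger a ban. It runs the same constructed event stream (one sender rotating its interface identifier inside a single /64, plus two legitimate hosts) against a /128 table and a /64 table, and reports how many events the table blocked, how many entries it holds, how many it had to evict, and how much collateral damage (legitimate traffic blocked) a wider ban caused.

```python
"""Toy model of an IPv6 ban list with TTL expiry and a bounded, FIFO-evicting table.

Added example for illustration; not code from the NANOG thread or any project.
All addresses, times and thresholds below are constructed.
"""
from collections import OrderedDict
import ipaddress


class BanList:
    """Ban table keyed by the /prefixlen containing a banned address.

    Entries expire after `ttl` seconds; when the table is full the oldest
    entry is evicted (a ring buffer of `capacity` slots, as discussed above).
    """

    def __init__(self, prefixlen, ttl, capacity):
        self.prefixlen = prefixlen
        self.ttl = ttl
        self.capacity = capacity
        self._entries = OrderedDict()  # network -> expiry time, insertion order
        self.evictions = 0             # entries dropped because the table was full

    def _key(self, addr):
        # /128 keeps the host address; /64 collapses the whole subnet to one entry.
        return ipaddress.ip_network(f"{addr}/{self.prefixlen}", strict=False)

    def _expire(self, now):
        # Drop every entry whose TTL has run out before consulting the table.
        for net, expiry in list(self._entries.items()):
            if expiry <= now:
                del self._entries[net]

    def is_banned(self, addr, now):
        self._expire(now)
        return self._key(addr) in self._entries

    def ban(self, addr, now):
        self._expire(now)
        net = self._key(addr)
        if net in self._entries:
            self._entries.move_to_end(net)      # refresh: treat as most recent
        elif len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)   # table full: evict the oldest
            self.evictions += 1
        self._entries[net] = now + self.ttl

    def size(self):
        return len(self._entries)


def constructed_events():
    """Constructed traffic: (time, source address, malicious?) tuples."""
    events = []
    for i in range(10):
        # One sender using a fresh interface identifier for every packet,
        # all inside 2001:db8:1::/64 (the rotation scenario from the thread).
        events.append((i, f"2001:db8:1::{i + 1:x}", True))
    events.append((5, "2001:db8:1::53", False))  # legitimate host, same /64
    events.append((7, "2001:db8:2::1", False))   # legitimate host, other /64
    events.sort(key=lambda e: e[0])              # stable sort keeps order per time
    return events


def simulate(prefixlen, events, ttl=60, capacity=8):
    """Replay events through a ban list and summarise what it achieved."""
    table = BanList(prefixlen, ttl, capacity)
    blocked = reached = collateral = 0
    for now, addr, malicious in events:
        if table.is_banned(addr, now):
            blocked += 1
            if not malicious:
                collateral += 1   # a wider prefix also catches innocent neighbours
            continue
        reached += 1
        if malicious:
            table.ban(addr, now)  # the detector only fires on traffic that got through
    return {
        "blocked": blocked,
        "reached": reached,
        "collateral": collateral,
        "entries": table.size(),
        "evictions": table.evictions,
    }


if __name__ == "__main__":
    for plen in (128, 64):
        print(f"/{plen}: {simulate(plen, constructed_events())}")
```

Per-/128 banning never blocks a single packet of the rotating sender, yet still fills the table and starts evicting entries, which is the "memory spent for no gain" point made above. Banning the /64 stops the rotation after the first event with one table entry, but the blocked legitimate host in the same /64 shows the trade-off that a wider prefix brings, and the `_expire` step is what keeps either table from growing without bound once the TTL passes.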

