nanog mailing list archives
Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
From: William Herrin <bill () herrin us>
Date: Mon, 6 Feb 2023 20:26:48 -0800
On Mon, Feb 6, 2023 at 7:40 PM Fernando Gont <fgont () si6networks com> wrote:
> On 7/2/23 00:05, William Herrin wrote:
>> On the one hand, sophisticated attackers already scatter attacks between source addresses to evade protection software.
>
> Whereas in the IPv6 case, you normally have at least a /64 without restriction. You might have a /56 or /48 thanks to your ISP, or simply a /48 thanks to some free tunnelbroker provider...

That's not what's actually happening. What's happening is a mix of your computer gets one address unless you bother to enable DHCP/PD, or your CPE gets an IPv6 block and your computer does SLAAC and/or DHCP to assign itself a single IPv6 address. A lot of the probing is coming from hijacked computers, so they have the address they have. Sophisticated attackers can do more with the address blocks they get from their own service providers. But sophisticated attackers could spin up VMs with stolen credit cards, hijack BGP and do all manner of things with IPv4 and IPv6 too.

>> On the other hand, there are so many addresses in a /64 that an attacker can literally use a fresh one for each and every probe he sends. Without a process for advancing the /128 ban to a /64 ban (and releasing it once activity stops), reactive firewalls are likely to become less and less effective.
>
> Not just /128 to /64, but also e.g. /64 to /56 or possibly /48...

Maybe. But I suggest that in the absence of data about how such attacks will evolve, it might be best to start with a version of a defense that's easy to conceptualize and implement. Risk is vulnerability times threat. You already understand the vulnerability. Before expending much in the way of resources, you also have to understand the threat.

Regards,
Bill Herrin

--
For hire. https://bill.herrin.us/resume/
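
The ban-widening and release process discussed in this message, sketched as an added example that is not part of the original post or of any participant's code. The prefix ladder, the threshold of three, the ten-minute idle timeout and the 2001:db8::/32 documentation addresses are all assumptions chosen for illustration.

```python
import ipaddress

# Assumed policy values, not from the thread: prefix ladder, threshold, idle timeout.
LADDER = (128, 64, 56, 48)
THRESHOLD = 3        # bans at one level inside a parent before widening to it
IDLE_SECONDS = 600   # a ban is released after this long without a new hit


class PrefixBanList:
    def __init__(self):
        self.bans = {}  # IPv6Network -> timestamp of the last offending packet

    def expire(self, now):
        """Release bans whose sources have been quiet for IDLE_SECONDS."""
        self.bans = {n: t for n, t in self.bans.items() if now - t <= IDLE_SECONDS}

    def covering(self, source, now):
        """Return the active ban containing source, or None."""
        self.expire(now)
        addr = ipaddress.IPv6Address(source)
        return next((n for n in self.bans if addr in n), None)

    def report(self, source, now):
        """Record one offending probe; return the network banned as a result."""
        net = self.covering(source, now)
        if net is None:
            net = ipaddress.IPv6Network((source, LADDER[0]))
        self.bans[net] = now  # new ban, or refresh of the existing one
        for prev, plen in zip(LADDER, LADDER[1:]):
            if net.prefixlen != prev:
                continue
            parent = net.supernet(new_prefix=plen)
            peers = [n for n in self.bans if n.prefixlen == prev and n.subnet_of(parent)]
            if len(peers) < THRESHOLD:
                break
            # Replace everything inside the parent with one wider ban.
            self.bans = {n: t for n, t in self.bans.items() if not n.subnet_of(parent)}
            self.bans[parent] = now
            net = parent
        return net


if __name__ == "__main__":
    bl = PrefixBanList()
    # Constructed probes: three fresh addresses from one /64, one second apart.
    for t, host in enumerate(("a", "b", "c")):
        print(t, bl.report(f"2001:db8:0:1::{host}", now=t))
```

Because the ladder only climbs one rung at a time, a single noisy host never costs its neighbours more than the /128 ban; widening requires repeated evidence at each level.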