[134350] in North American Network Operators' Group
Re: NIST IPv6 document
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Wed Jan 5 04:41:20 2011
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: Nanog Operators' Group <nanog@nanog.org>
Date: Wed, 5 Jan 2011 09:39:32 +0000
In-Reply-To: <AANLkTi=ysjwpj9wTdQLoDo2qWLs_pCyg8ybS03+vqO5H@mail.gmail.com>
On Jan 5, 2011, at 1:15 PM, Jeff Wheeler wrote:
> I notice that this document, in its nearly 200 pages, makes only casual mention of ARP/NDP table overflow attacks, which may be among the first real DoS challenges production IPv6 networks, and equipment vendors, have to resolve.

They also only make small mention of DNS- and broadcast-hinted scanning, and none at all of routing-hinted scanning.

> It has been pointed out to me that I should have been more vocal when IPv6 was still called IPng, but in 16 years, there has been nothing done about this problem other than water-cooler talk.

Likewise. I never in my wildest dreams thought that such a bag of hurt, with all the problems of IPv4 *plus* its own inherent problems - in *hex*, no less - would end up being adopted. I was sure that the adults would step in, at some point, and get things back on a more sensible footing.

Obviously, I'm the biggest idiot on the Internet, and have only my own misplaced faith in the IAB/IETF process to blame, heh.

The authors of the document also make only small mention of the dangers of extension header-driven DoS for infrastructure, but at least they mention it, which puts them ahead of most folks in this regard.

They also fail to mention the dangers represented by the consonance of the English letters 'B', 'C', 'D', and 'E'. My guess is that billions of USD in outages, misconfigurations, and avoidable security incidents will result from verbal miscommunication of these letters, yet another reason why adopting a hexadecimal numbering scheme was foolish in the extreme. Ah, well, no use crying over spilt milk.

The document itself is a good tutorial on IPv6, and it's great that the authors did indeed touch upon these security concerns, but the security aspect as a whole is seemingly deliberately understated, which does a disservice to the lay reader. One can only imagine that there were non-technical considerations which came into play.
------------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.
-- Alan Kay
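The NDP table overflow attack that Jeff Wheeler raises above, modelled as an added example (this is not code from the thread, from NIST, or from any router vendor). It assumes a simplified router neighbor cache: a packet for an unknown on-link address creates an INCOMPLETE entry and triggers Neighbor Solicitation, and a remote scanner sweeping the documentation prefix 2001:db8::/64 never gets an answer for the addresses it probes. The slot count, host count, scan size and the INCOMPLETE cap (200) are constructed values chosen to make the effect visible; the "hardened" policy is the generic mitigation of capping unresolved entries so they can never evict resolved ones.

```python
"""Model of IPv6 neighbor-cache (NDP table) exhaustion by a remote /64 scan.

Constructed illustration, not a reproduction of any real implementation.
A naive cache evicts least-recently-used entries regardless of state, so a
scan of unused addresses pushes out the REACHABLE entries of real hosts.
A hardened cache caps INCOMPLETE (unresolved) entries and only ever evicts
other INCOMPLETE entries to make room for a new one.
"""
import ipaddress
from collections import OrderedDict

INCOMPLETE = "INCOMPLETE"   # Neighbor Solicitation sent, no Advertisement yet
REACHABLE = "REACHABLE"     # Neighbor Advertisement received, MAC known

PREFIX = ipaddress.IPv6Network("2001:db8::/64")  # constructed: documentation prefix
CACHE_SLOTS = 1000          # constructed: per-interface neighbor cache size
LEGIT_HOSTS = 50            # constructed: real hosts on the link
SCAN_ADDRESSES = 5000       # constructed: addresses the remote scanner sweeps
INCOMPLETE_CAP = 200        # constructed: hardened limit on unresolved entries


class NeighborCache:
    """Minimal model of one interface's neighbor cache on a router."""

    def __init__(self, capacity, max_incomplete=None):
        self.capacity = capacity
        self.max_incomplete = max_incomplete   # None: naive, uncapped behaviour
        self.entries = OrderedDict()           # address -> state, oldest first
        self.dropped = 0                       # packets refused a new entry

    def incomplete(self):
        return [a for a, s in self.entries.items() if s == INCOMPLETE]

    def forward(self, dst):
        """Router receives a packet for dst on the attached /64.

        Returns True if a cache entry exists or was created (i.e. the router
        would forward or solicit), False if the packet was dropped.
        """
        if dst in self.entries:
            self.entries.move_to_end(dst)      # refresh LRU position
            return True
        if self.max_incomplete is not None:
            pending = self.incomplete()
            if len(pending) >= self.max_incomplete:
                self.dropped += 1              # hardened: refuse more unresolved state
                return False
        if len(self.entries) >= self.capacity:
            if self.max_incomplete is not None:
                victim = self.incomplete()[0]  # hardened: only evict unresolved entries
            else:
                victim = next(iter(self.entries))  # naive LRU: may be a real host
            del self.entries[victim]
        self.entries[dst] = INCOMPLETE         # NS goes out for dst
        return True

    def resolve(self, dst):
        """A Neighbor Advertisement for dst arrived."""
        if dst in self.entries:
            self.entries[dst] = REACHABLE
            self.entries.move_to_end(dst)


def addr(offset):
    return ipaddress.IPv6Address(int(PREFIX.network_address) + offset)


def run_scan(hardened):
    """Populate the cache with real hosts, then sweep unused addresses."""
    cache = NeighborCache(CACHE_SLOTS, INCOMPLETE_CAP if hardened else None)
    legit = [addr(i) for i in range(1, LEGIT_HOSTS + 1)]
    for host in legit:
        cache.forward(host)
        cache.resolve(host)                    # real hosts answer the NS
    for i in range(SCAN_ADDRESSES):            # scanner hits addresses nobody owns
        cache.forward(addr(0x10000 + i))
    survivors = sum(1 for h in legit if cache.entries.get(h) == REACHABLE)
    return {
        "legit_reachable": survivors,
        "incomplete": len(cache.incomplete()),
        "entries": len(cache.entries),
        "dropped": cache.dropped,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "naive", run_scan(mode))
```

In the naive run every real host's entry is evicted and the table ends up holding nothing but unresolved scan addresses, which is the outage the thread describes; in the hardened run the scan is capped at the INCOMPLETE limit, the rest of its packets are dropped, and all real hosts stay REACHABLE. Real routers implement variants of this cap (per-interface or per-prefix limits on unresolved entries, rate-limiting of NS generation), with details and defaults that differ by vendor, so treat the model as the shape of the mitigation rather than any particular platform's behaviour.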