[134419] in North American Network Operators' Group


Re: NIST IPv6 document

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Wed Jan 5 22:53:39 2011

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: Nanog Operators' Group <nanog@nanog.org>
Date: Thu, 6 Jan 2011 03:52:09 +0000
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE0BC1321C@RWC-EX1.corp.seven.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 6, 2011, at 10:42 AM, George Bonser wrote:

> It will be a problem if people learn they can DoS routers by doing it
> by maxing out the neighbor table.

I understand this - that's a completely separate issue from the supposed
benefits of sparse addressing for endpoint host security.

> I don't think you are understanding the problem.

I've understood the problem for years, thanks, and have commented on it in
other portions of this thread, as well as in many earlier threads around
this general set of issues - and it's completely orthogonal to this
particular discussion.

Or are you saying that you think that the miscreants will simply and
contritely abandon host-/port-scanning as a) a host-discovery mechanism
and b) as a DoS mechanism if everyone magically adopts sparse addressing?

Somehow, I don't think that's very likely.

;>

Also, see my previous comments in re the negative implications of hinted
scanning.

> It has nothing to do with "security by obscurity".


You may wish to re-read what Joe was saying - he was positing sparse
addressing as a positive good because it will supposedly make it more
difficult for attackers to locate endpoints in the first place, i.e.,
security through obscurity.  I think that's an invalid argument.


------------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.

			  -- Alan Kay


