[134514] in North American Network Operators' Group
Re: NIST IPv6 document
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Jan 6 13:23:14 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <8469431D-AD95-4B75-9CDC-9C0176ED8CF9@arbor.net>
Date: Thu, 6 Jan 2011 10:20:06 -0800
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: Nanog Operators' Group <nanog@nanog.org>
On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:
>
> On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
>
>> Packing everything densely is an obvious problem with IPv4; we learned early on that having a 48-bit (32 address, 16 port) space to scan made port-scanning easy, attractive, productive, and commonplace.
>
> I don't believe that host-/port-scanning is as serious a problem as you seem to think it is, nor do I think that trying to somehow prevent hosts from being host-/port-scanned has any material benefit in terms of security posture; that's our fundamental disagreement.
>
You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.
> If I've done what's necessary to secure my hosts/applications, host-/port-scanning isn't going to find anything to exploit (overly-aggressive scanning can be a DoS vector, but there are ways to ameliorate that, too).
>
And there are ways to mitigate ND attacks as well.
> If I haven't done what's necessary to secure my hosts/applications, one way or another, they *will* end up being exploited - and the faux security-by-obscurity offered by sparse addressing won't matter a bit.
>
Sparse addressing is a win for much more than just rendering scanning useless, but making scanning useless is still a win.
Owen