[134530] in North American Network Operators' Group


Re: NIST IPv6 document

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Thu Jan 6 18:25:16 2011

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: Nanog Operators' Group <nanog@nanog.org>
Date: Thu, 6 Jan 2011 23:23:53 +0000
In-Reply-To: <201101061429.p06ETB7g096271@aurora.sol.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 6, 2011, at 9:29 PM, Joe Greco wrote:

> Sorry, but I see this as not grasping a fundamental security concept.

I see it as avoiding a common security misconception.

> Making a host harder to find (or more specifically to address from remote) is a worthwhile goal.

As I've stated repeatedly, I don't think that sparse addressing makes hosts harder to find, because hinted scanning will reveal them.

> Things like 4941 take that a lot further, and provide enough bits to make both range scanning and scanning via learned addresses less useful techniques.

I believe RFC4941 to be positively evil, that the harm it will do in terms of complicating traceback and attribution far outweighs any supposed benefits (which are questionable, anyways, IMHO).

> This is basic security, whether or not you approve of it.  You're trying to make it harder for bad guys.

My view is that it's basic security theater, which a) makes nothing harder for the bad guys, and b) has unpleasant side-effects which have the net effect of degrading one's overall security posture.


------------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.

			  -- Alan Kay
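
The exchange above turns on two techniques that neither message spells out: the "hinted scanning" Dobbins refers to (trying only addresses that have a predictable structure, such as the low-byte addresses prefix::1, ::2, ... and modified EUI-64 identifiers built from a known vendor OUI) and the RFC 4941 temporary interface identifiers Greco refers to. The Python below is an added example, not code from either poster: it generates the hinted candidate list for a /64, classifies an address by the hint that would find it, and runs one round of the RFC 4941 section 3.2.1 MD5 chain to produce a temporary identifier. The prefix (RFC 3849 documentation space), the MAC and the history value are constructed; the two hint categories are the cheapest of those later catalogued in RFC 7707. RFC 4941 has since been obsoleted by RFC 8981, which dropped the MD5 construction, so the chain here is the 2011-era algorithm the thread is arguing about.

```python
"""Hinted IPv6 scanning candidates versus RFC 4941 temporary IIDs.

Added example; not code from the NANOG thread. All inputs are constructed.
"""
import hashlib
import ipaddress
from typing import Iterator, Optional, Tuple

# Constructed documentation prefix (RFC 3849); not a real network.
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between OUI and NIC part and flip the universal/local bit.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def address(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Join a /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte IID")
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def hinted_candidates(prefix: ipaddress.IPv6Network, max_low: int = 256,
                      ouis: Tuple[str, ...] = ("00:0c:29",),
                      nic_sample: int = 4096) -> Iterator[Tuple[str, ipaddress.IPv6Address]]:
    """Yield (hint, address) pairs in the order a hinted scanner would try them.

    Low-byte addresses come first (a few hundred probes), then EUI-64 addresses
    for each known OUI. A full OUI is 2**24 NIC values, so only the first
    nic_sample of them are generated here.
    """
    for n in range(1, max_low + 1):
        yield "low-byte", address(prefix, n.to_bytes(8, "big"))
    for oui in ouis:
        for nic in range(nic_sample):
            nic_part = ":".join(f"{b:02x}" for b in nic.to_bytes(3, "big"))
            yield f"eui64/{oui}", address(prefix, eui64_iid(f"{oui}:{nic_part}"))


def classify(addr: ipaddress.IPv6Address,
             ouis: Tuple[str, ...] = ("00:0c:29",)) -> Optional[str]:
    """Name the hint that would find this address, or None if the IID looks unstructured."""
    iid = addr.packed[8:]
    if iid[:6] == b"\x00" * 6:
        return "low-byte"
    if iid[3:5] == b"\xff\xfe" and iid[0] & 0x02:
        oui = ":".join(f"{b:02x}" for b in bytes([iid[0] ^ 0x02]) + iid[1:3])
        if oui in ouis:
            return f"eui64/{oui}"
    return None


def rfc4941_temporary_iid(history: bytes, eui64: bytes) -> Tuple[bytes, bytes]:
    """One round of RFC 4941 section 3.2.1.

    MD5 over (history || EUI-64 IID); the leftmost 64 bits, with the u/l bit
    cleared, are the temporary IID and the rightmost 64 bits are the next
    history value. Returns (temporary_iid, new_history).
    """
    if len(history) != 8 or len(eui64) != 8:
        raise ValueError("history and EUI-64 IID must each be 8 bytes")
    digest = hashlib.md5(history + eui64).digest()
    temp_iid = bytes([digest[0] & 0xFD]) + digest[1:8]  # clear bit 0x02 (u/l)
    return temp_iid, digest[8:]


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"            # constructed MAC under the sample OUI
    stable = address(PREFIX, eui64_iid(mac))
    print("EUI-64 address:", stable, "found by hint:", classify(stable))
    # Two rounds of the RFC 4941 chain from a constructed all-zero history value.
    history = b"\x00" * 8
    for _ in range(2):
        iid, history = rfc4941_temporary_iid(history, eui64_iid(mac))
        temp = address(PREFIX, iid)
        print("temporary address:", temp, "found by hint:", classify(temp))
```

The numbers behind the disagreement fall out of the generator: the low-byte hint costs a few hundred probes and one known OUI costs at most 2**24, both feasible against a single /64, which is Dobbins' point about sparse addressing. An RFC 4941 identifier has 63 free bits (one is pinned by the u/l rule), so the same scanner has no better than chance of landing on it, which is Greco's point about "enough bits". What the example does not settle is the traceback cost of a host changing its identifier over time, which is the harm Dobbins weighs against that benefit.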


