[134546] in North American Network Operators' Group


Re: NIST IPv6 document

daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Jan 6 21:13:09 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <FEB94A20-4A27-4FF4-8003-96C77AE94D8A@arbor.net>
Date: Thu, 6 Jan 2011 18:10:33 -0800
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: Nanog Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 6, 2011, at 3:32 PM, Dobbins, Roland wrote:

>
> On Jan 7, 2011, at 1:20 AM, Owen DeLong wrote:
>
>> You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.
>
> I know it's common and widely-practiced.  My point is that if the host is secured properly, this doesn't matter; and that if it isn't secured properly, it's going to be found via hinted scanning and exploited, anyways.
>
True, but that doesn't really matter. Sparse addressing still provides other useful benefits.

>> And there are ways to mitigate ND attacks as well.
>
> As has been pointed out elsewhere in this thread, not to the degree of control and certainty needed in production environments.
>
We can agree to disagree here until I see a production environment get taken down by a scan.

So far, we've not had a problem with any of the IPv6 scans through our network. All have given up in <8 hours without having caused any sort of ND table overflow issues.

>> Sparse addressing is a win for much more than just rendering scanning useless, but making scanning useless is still a win.
>
>
> Since it doesn't make scanning useless (again, hinted scanning), that 'win' is gone.  How else is it supposedly a win?
>
Not having to worry about room to grow without renumbering is a good thing.
I've posted other advantages in an earlier message.

It does make sequential scanning useless and it does make even hinted scanning a bit more difficult or less effective.

Think of the difference between playing battleship as it is traditionally played on a simple X, Y grid vs. playing it on a playing field where the ships have 180 different possible orientations (1 per degree instead of 0° and 90° only).

Once you get a hit, you need a maximum of 4 additional attempts to identify the orientation of the ship, and 50%+ of the time you can get it in ≤2 additional attempts. With a 360° board, this becomes quite a bit more difficult.

Sparse addressing does this even against hinted scanning.

Owen
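Added example, not part of the thread and not code from either poster: a small Python model of the two scanning strategies argued over above, "sequential" sweeping of a /64 versus "hinted" scanning of the interface IDs an attacker expects to be in use. Everything in it is constructed for illustration: the target is the RFC 3849 documentation prefix, the four hosts are invented, the vendor OUI 00:11:22 and the 256-entry NIC window are placeholders, and the hint categories (low IIDs, embedded IPv4, hex words, modified EUI-64) are the usual ones rather than any particular tool's list.

```python
"""Added example (not from the NANOG thread or either poster): a small model
of the two scanning strategies under discussion, run against a constructed
/64 and a handful of constructed hosts."""
import ipaddress

# RFC 3849 documentation prefix, used here as the constructed target /64.
TARGET = ipaddress.IPv6Network("2001:db8:1234:5678::/64")

# Constructed sample hosts inside TARGET (none of these are real machines).
SAMPLE_HOSTS = {ipaddress.IPv6Address(a) for a in (
    "2001:db8:1234:5678::1",                  # router/gateway on ::1
    "2001:db8:1234:5678::c000:20a",           # IPv4 192.0.2.10 embedded in the IID
    "2001:db8:1234:5678:211:22ff:fe00:2a",    # SLAAC host, modified EUI-64 from OUI 00:11:22 (hypothetical)
    "2001:db8:1234:5678:7a3f:b2c4:91e0:d15",  # statically assigned, sparse/random IID
)}


def sequential_scan_years(prefix_len=64, probes_per_second=1_000_000):
    """Years needed to probe every interface ID under a prefix of the given
    length at the given probe rate.  A /64 at one million probes per second
    takes roughly 585,000 years, which is the sense in which sequential
    scanning of a sparse /64 is useless."""
    interface_ids = 2 ** (128 - prefix_len)
    return interface_ids / probes_per_second / (365 * 24 * 3600)


def hinted_candidates(net=TARGET, low_max=256, v4_net="192.0.2.0/24",
                      oui=(0x00, 0x11, 0x22), nic_max=256):
    """Yield, in order, the addresses a hinted scanner tries first inside
    `net`: low interface IDs (::1, ::2, ...), IIDs that embed an IPv4
    address from `v4_net`, a few memorable hex words, and modified-EUI-64
    IIDs built from one vendor OUI (the OUI and NIC range here are
    placeholders; a real scanner sweeps the OUIs it expects on the target).
    """
    iids = list(range(low_max))
    iids.extend(int(v4) for v4 in ipaddress.IPv4Network(v4_net))
    iids.extend((0xdead_beef, 0xface_b00c, 0xcafe, 0xbeef, 0xbabe, 0xdead))
    # Modified EUI-64: flip the U/L bit of the first OUI octet, insert ff:fe,
    # then append the 24-bit NIC identifier.
    first = oui[0] ^ 0x02
    vendor_part = ((first << 56) | (oui[1] << 48) | (oui[2] << 40)
                   | (0xff << 32) | (0xfe << 24))
    iids.extend(vendor_part | nic for nic in range(nic_max))

    base = int(net.network_address)
    seen = set()
    for iid in iids:
        addr = ipaddress.IPv6Address(base | iid)
        if addr not in seen:
            seen.add(addr)
            yield addr


def run_hinted_scan(hosts=SAMPLE_HOSTS, net=TARGET):
    """Probe every hinted candidate; return (found, missed, probes_sent)."""
    found = set()
    probes = 0
    for addr in hinted_candidates(net):
        probes += 1
        if addr in hosts:
            found.add(addr)
    return found, hosts - found, probes


if __name__ == "__main__":
    print(f"sequential sweep of a /64 at 1M pps: {sequential_scan_years():,.0f} years")
    found, missed, probes = run_hinted_scan()
    print(f"hinted scan sent {probes} probes, found {len(found)}, missed {len(missed)}")
    for addr in sorted(missed):
        print("  not found:", addr)
```

Run stand-alone, it shows both halves of the argument: the exhaustive sweep is off the table (hundreds of thousands of years for one /64 at a million probes per second), while the hinted scan finds the three hosts whose IIDs follow a pattern (::1, an embedded IPv4 address, an EUI-64 from a guessed OUI) with fewer than 800 probes and never touches the host with a sparse, unpatterned IID. Whether that last host stays hidden in practice depends on it not leaking its address elsewhere (DNS, logs, traceroutes), which is the "hinted" part of the disagreement; the address space alone only defeats the sequential sweep.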
