[134573] in North American Network Operators' Group
Re: NIST IPv6 document
daemon@ATHENA.MIT.EDU (Tim Chown)
Fri Jan 7 09:17:51 2011
From: Tim Chown <tjc@ecs.soton.ac.uk>
In-Reply-To: <4D25F92A.3070402@brightok.net>
Date: Fri, 7 Jan 2011 14:17:41 +0000
To: "Nanog Operators' Group" <nanog@nanog.org>
X-ECS-MailScanner-From: tjc@ecs.soton.ac.uk
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 6 Jan 2011, at 17:17, Jack Bates wrote:
>
> A randomly set up ssh server without DNS will find itself brute force
> attacked. Darknets are set up specifically for detection of scans. One
> side effect of v6, is determining how best to deploy darknets, as we
> can't just take one or two blocks to do it anymore. We'll need to
> interweave the darknets with the production blocks. I wish it was
> possible via DHCPv6-PD to assign a block minus a sub-block (hey, don't
> use this /64 in the /48 I gave you). It could be that darknets will have
> to go and flow analysis is all we'll be left with.

As RFC6018 suggests, this could be done dynamically on any given active subnet.

Tim
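
Added example, not part of the original message or of RFC 6018: a simplified sketch of the dynamic idea discussed above, where any address in an active /64 that has not recently been seen in use is treated as dark, and sources touching several such addresses are flagged. The prefix, event format, `ACTIVE_TTL` and the threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

SUBNET = ipaddress.ip_network("2001:db8:0:1::/64")  # constructed (documentation prefix)
ACTIVE_TTL = 300  # assumed: seconds an address counts as in use after last sighting

# Constructed, time-ordered sample events:
#   ("seen", ts, addr)      a host on the subnet was observed (e.g. via ND)
#   ("flow", ts, src, dst)  an inbound flow record
EVENTS = [
    ("seen", 0, "2001:db8:0:1::10"),
    ("seen", 0, "2001:db8:0:1::20"),
    ("flow", 10, "2001:db8:ffff::a", "2001:db8:0:1::10"),    # live host
    ("flow", 11, "2001:db8:ffff::bad", "2001:db8:0:1::1"),   # unused address
    ("flow", 12, "2001:db8:ffff::bad", "2001:db8:0:1::2"),   # unused address
    ("flow", 13, "2001:db8:ffff::bad", "2001:db8:0:1::3"),   # unused address
    ("flow", 14, "2001:db8:ffff::bad", "2001:db8:0:1::10"),  # live host
    ("flow", 400, "2001:db8:ffff::a", "2001:db8:0:1::20"),   # ::20 has aged out
]

def greynet_hits(events, subnet=SUBNET, ttl=ACTIVE_TTL):
    """Map each outside source to the set of dark addresses it tried to reach."""
    last_seen = {}            # address -> timestamp of last sighting
    hits = defaultdict(set)   # source -> dark destinations contacted
    for ev in events:
        kind, ts = ev[0], ev[1]
        if kind == "seen":
            last_seen[ipaddress.ip_address(ev[2])] = ts
        elif kind == "flow":
            src = ipaddress.ip_address(ev[2])
            dst = ipaddress.ip_address(ev[3])
            if dst not in subnet or src in subnet:
                continue      # only inbound traffic to this subnet is of interest
            seen = last_seen.get(dst)
            if seen is None or ts - seen > ttl:
                hits[str(src)].add(str(dst))
    return hits

def scanners(hits, threshold=3):
    """Sources that touched at least `threshold` distinct dark addresses."""
    return sorted(s for s, dark in hits.items() if len(dark) >= threshold)

if __name__ == "__main__":
    h = greynet_hits(EVENTS)
    for src in scanners(h):
        print(src, sorted(h[src]))
```

A single hit, such as the one to the aged-out `::20`, stays below the threshold; that case is why the sketch counts distinct dark destinations per source rather than alerting on every packet.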