[134574] in North American Network Operators' Group


Re: NIST IPv6 document

daemon@ATHENA.MIT.EDU (Tim Chown)
Fri Jan 7 09:23:35 2011

From: Tim Chown <tjc@ecs.soton.ac.uk>
In-Reply-To: <3B61690A-3D51-4847-87B5-84D7D1949BF3@delong.com>
Date: Fri, 7 Jan 2011 14:23:22 +0000
To: "Nanog Operators' Group" <nanog@nanog.org>
X-ECS-MailScanner-From: tjc@ecs.soton.ac.uk
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 6 Jan 2011, at 18:20, Owen DeLong wrote:

>
> On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:
>
>>
>> On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
>>
>>> Packing everything densely is an obvious problem with IPv4; we learned early on that having a 48-bit (32 address, 16 port) space to scan made
>>> port-scanning easy, attractive, productive, and commonplace.
>>
>> I don't believe that host-/port-scanning is as serious a problem as you seem to think it is, nor do I think that trying to somehow prevent hosts from being host-/port-scanned has any material benefit in terms of security posture; that's our fundamental disagreement.
>>
> You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.

In our IPv6 enterprise we have not seen any 'traditional' port scans (across IP space); rather we see port sweeps on IPv6 addresses that we expose publicly (DNS servers, web servers, MX servers etc). This is discussed a bit in RFC5157.

We have yet to see any of the ND problems discussed in this thread, mainly I believe because our perimeter firewall blocks any such sweeps before they hit the edge router serving the 'attacked' subnet.

The main operational problem we see is denial of service caused by unintentional IPv6 RAs from hosts.

I think this is an interesting thread though and we'll run some tests internally to see how the issue might (or might not) affect our network.

Tim
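The rogue-RA problem Tim describes (hosts accidentally advertising themselves as routers and knocking a subnet off the network) is normally addressed at the switch with RA Guard (RFC 6105) or on hosts by ignoring RAs from unknown sources. The following is an added example, not code from the thread or from any NANOG participant: a dependency-free Python parser for raw IPv6/ICMPv6 frames that implements the core of such a check, flagging Router Advertisements whose source is not an approved router link-local address or whose hop limit is not 255 (RFC 4861 requires RAs to arrive with hop limit 255, so anything else did not originate on the link). The allowlist (`fe80::1`), the prefixes, and the sample frames are all constructed here; `build_ra` exists only so the example runs offline and leaves the ICMPv6 checksum at zero.

```python
"""Flag IPv6 Router Advertisements that do not come from an approved router.

Added example for the NANOG thread on IPv6 scanning and rogue RAs. Implements
the source/hop-limit check an RA monitor or RA Guard performs. The allowlist
and sample frames below are constructed for illustration.
"""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
ND_OPT_PREFIX_INFORMATION = 3

# Constructed allowlist: link-local addresses of the legitimate routers.
APPROVED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}


def parse_ra(frame: bytes):
    """Return a dict describing the RA in a raw IPv6 packet, or None if the
    packet is not an ICMPv6 Router Advertisement."""
    if len(frame) < 40:
        return None
    # IPv6 fixed header: ver/tc/flow (4), payload length (2), next hdr (1), hop limit (1)
    first, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", frame[:8])
    if (first >> 28) != 6 or next_hdr != ICMPV6_NEXT_HEADER:
        return None
    src = ipaddress.IPv6Address(frame[8:24])
    dst = ipaddress.IPv6Address(frame[24:40])
    icmp = frame[40:40 + payload_len]
    # RA fixed part is 16 bytes: type, code, checksum, cur hop limit, flags,
    # router lifetime, reachable time, retrans timer.
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    cur_hop_limit, flags, router_lifetime = struct.unpack("!BBH", icmp[4:8])
    prefixes = []
    pos = 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:
            break  # malformed: a zero-length option would loop forever
        opt = icmp[pos:pos + opt_len * 8]  # option length is in 8-byte units
        if opt_type == ND_OPT_PREFIX_INFORMATION and len(opt) == 32:
            prefix_len = opt[2]
            prefix = ipaddress.IPv6Address(opt[16:32])
            prefixes.append(f"{prefix}/{prefix_len}")
        pos += opt_len * 8
    return {
        "src": src,
        "dst": dst,
        "hop_limit": hop_limit,
        "cur_hop_limit": cur_hop_limit,
        "flags": flags,
        "router_lifetime": router_lifetime,
        "prefixes": prefixes,
    }


def classify_ra(frame: bytes, approved=APPROVED_ROUTERS):
    """Return the list of reasons the RA is suspicious (empty list = accepted)."""
    ra = parse_ra(frame)
    if ra is None:
        return ["not a router advertisement"]
    reasons = []
    if ra["src"] not in approved:
        reasons.append(f"RA from unapproved source {ra['src']}")
    if not ra["src"].is_link_local:
        reasons.append("RA source is not link-local")
    if ra["hop_limit"] != 255:
        reasons.append(f"hop limit {ra['hop_limit']} != 255 (RA may have been forwarded)")
    return reasons


def build_ra(src: str, prefix: str, plen: int = 64, hop_limit: int = 255,
             router_lifetime: int = 1800) -> bytes:
    """Construct a minimal RA frame for testing (ICMPv6 checksum left zero)."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       64, 0, router_lifetime, 0, 0)
    # Prefix Information option: type 3, length 4 (32 bytes), L+A flags set.
    icmp += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFORMATION, 4, plen, 0xC0,
                        2592000, 604800, 0)
    icmp += ipaddress.IPv6Address(prefix).packed
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6_NEXT_HEADER, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed
    hdr += ipaddress.IPv6Address("ff02::1").packed  # all-nodes multicast
    return hdr + icmp


if __name__ == "__main__":
    for name, frame in [
        ("legitimate", build_ra("fe80::1", "2001:db8:1::")),
        ("rogue host", build_ra("fe80::dead:beef", "2001:db8:bad::")),
    ]:
        print(name, parse_ra(frame)["prefixes"], classify_ra(frame) or "accepted")
```

In practice the frames would come from a raw socket or a pcap on the affected VLAN, and a hit from an unapproved source is exactly the host Tim's message describes: something that has turned on router advertisement by accident. Matching on source address alone is a monitoring heuristic; the enforcement belongs in switch-side RA Guard, since a rogue RA has already done its damage by the time a host logs it.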

