[134595] in North American Network Operators' Group


Re: NIST IPv6 document

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Jan 7 14:48:37 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <EMEW3|3ecec18e2683b9eab656f667c996253an06ENR03tjc|ecs.soton.ac.uk|32F280FE-AC3C-4D5C-B1F0-0738DC4D40DF@ecs.soton.ac.uk>
Date: Fri, 7 Jan 2011 11:44:16 -0800
To: Tim Chown <tjc@ecs.soton.ac.uk>
Cc: Nanog Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 7, 2011, at 6:23 AM, Tim Chown wrote:

> 
> On 6 Jan 2011, at 18:20, Owen DeLong wrote:
> 
>> 
>> On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:
>> 
>>> 
>>> On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
>>> 
>>>> Packing everything densely is an obvious problem with IPv4; we learned early on that having a 48-bit (32 address, 16 port) space to scan made
>>>> port-scanning easy, attractive, productive, and commonplace.
>>> 
>>> I don't believe that host-/port-scanning is as serious a problem as you seem to think it is, nor do I think that trying to somehow prevent hosts from being host-/port-scanned has any material benefit in terms of security posture; that's our fundamental disagreement.
>>> 
>> You are mistaken... Host scanning followed by port sweeps is a very common threat and still widely practiced in IPv4.
> 
> In our IPv6 enterprise we have not seen any 'traditional' port scans (across IP space); rather we see port sweeps on IPv6 addresses that we expose publicly (DNS servers, web servers, MX servers etc). This is discussed a bit in RFC5157.
> 
Good for you. We have seen actual host-scanning. It hasn't been particularly successful (firing blind into a very large ocean hoping to hit a whale rarely is), but, nonetheless, we've seen scans go at it for up to 8 hours before they were terminated by the originator. (Very little of a /64 gets scanned in 8 hours, however.)

> We have yet to see any of the ND problems discussed in this thread, mainly I believe because our perimeter firewall blocks any such sweeps before they hit the edge router serving the 'attacked' subnet.
> 
Likewise, we haven't seen them. Not even with the active scanning that has been touted as the likely cause thereof.

> The main operational problem we see is denial of service caused by unintentional IPv6 RAs from hosts.
> 
Yep... Push your switch vendors for RA-Guard. This is a very real problem. Right up there with unintentional 6to4 gateways that don't lead anywhere.

Owen
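The "unintentional IPv6 RAs from hosts" problem Tim and Owen discuss is the kind of thing RA-Guard stops at the switch; where RA-Guard is not available, a monitor can at least detect rogue advertisements. The following is an added example, not code from this thread: it parses raw IPv6 packets, extracts ICMPv6 Router Advertisements (type 134) and their Prefix Information options, and flags any RA whose source is not in an assumed allowlist of authorized router link-local addresses. The router address, prefixes and sample packets are constructed for illustration.

```python
# Added example: detect rogue IPv6 Router Advertisements (RAs) from hosts.
# The authorized-router set, prefixes and packets below are constructed.
import ipaddress
import struct

# Assumption: the operator knows the link-local addresses of legitimate routers.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}

ICMPV6_NEXT_HEADER = 58
ROUTER_ADVERTISEMENT = 134
PREFIX_INFO_OPTION = 3

def parse_ra(packet: bytes):
    """Return (source address, [advertised prefixes]) for an IPv6 RA, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None                      # not a complete IPv6 header
    if packet[6] != ICMPV6_NEXT_HEADER:
        return None                      # extension headers are out of scope here
    src = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:]
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT:
        return None
    prefixes = []
    pos = 16                             # fixed RA header is 16 bytes
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length is in 8-octet units
        if opt_len == 0 or pos + opt_len > len(icmp):
            break                        # malformed option list: stop parsing
        if opt_type == PREFIX_INFO_OPTION and opt_len == 32:
            plen = icmp[pos + 2]
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(f"{prefix}/{plen}")
        pos += opt_len
    return src, prefixes

def rogue_ras(packets):
    """Yield (src, prefixes) for every RA whose sender is not an authorized router."""
    for pkt in packets:
        parsed = parse_ra(pkt)
        if parsed and parsed[0] not in AUTHORIZED_ROUTERS:
            yield parsed

def build_ra(src: str, prefix: str, plen: int) -> bytes:
    """Constructed sample packet: IPv6 header + RA with one Prefix Information option."""
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    icmp += struct.pack("!BBBBIII", PREFIX_INFO_OPTION, 4, plen, 0xC0, 2592000, 604800, 0)
    icmp += ipaddress.IPv6Address(prefix).packed
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6_NEXT_HEADER, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp
```

Feeding captured RAs into `rogue_ras` gives the offending host's link-local address and the prefix it is handing out, which is what you need to locate the misconfigured machine on the switch.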


