[136969] in North American Network Operators' Group
Re: Failure modes: NAT vs SPI
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Feb 7 11:44:19 2011
To: Jay Ashworth <jra@baylink.com>
In-Reply-To: Your message of "Mon, 07 Feb 2011 11:15:51 EST."
<25213878.5499.1297095351131.JavaMail.root@benjamin.baylink.com>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 07 Feb 2011 11:43:44 -0500
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, 07 Feb 2011 11:15:51 EST, Jay Ashworth said:
> > From: "Iljitsch van Beijnum" <iljitsch@muada.com>
> > This is of course a very big problem, and one of the reasons why
> > everyone who's tried IPv6 immediately turns it off again: script
> > kiddies are continuously scanning the entire IPv6 address space so
> > this happens to regular IPv6 users all the time.
>
> I'm sure it's clear to you that "no one's doing it now" is not a valid
> response to prophylactic secure network planning...
Iljitsch's claim is that enough script kiddies *are* doing it now that people's
routers crash and they turn off IPv6, not that "people are so scared of it they
panic and turn it off before they see if it's a problem".
For what it's worth, I've never seen an IPv6 scan cause a problem for our
network. Not saying that such a scan *wouldn't* cause a problem, but the fact
we've been doing it for over a decade and not seen a big problem seems to go
counter to "everyone who turns on IPv6 gets hit by it".