[136971] in North American Network Operators' Group


Re: Failure modes: NAT vs SPI

daemon@ATHENA.MIT.EDU (Jack Bates)
Mon Feb 7 11:53:42 2011

Date: Mon, 07 Feb 2011 10:52:57 -0600
From: Jack Bates <jbates@brightok.net>
To: Valdis.Kletnieks@vt.edu
In-Reply-To: <28579.1297097024@localhost>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



On 2/7/2011 10:43 AM, Valdis.Kletnieks@vt.edu wrote:
> For what it's worth, I've never seen an IPv6 scan cause a problem for our
> network. Not saying that such a scan *wouldn't* cause a problem, but the fact
> we've been doing it for over a decade and not seen a big problem seems to go
> counter to "everyone who turns on IPv6 gets hit by it".

I think it becomes a problem only in certain architectures, i.e., 
providing /64 subnets without SPI can lead to a scan actually being able to 
create an effect on ND.

This implies that many networks aren't necessarily affected by it, as 
they implement a certain level of security.

I'd also surmise that IPv6 scanning isn't as prevalent today as it will 
be at some point. Nachi was an interesting (even if illegal) concept 
except for being overly aggressive.


Jack
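As an added illustration of the symptom described in this reply (not code from the thread or from anyone on it): a small script that parses `ip -6 neigh show` output and flags interfaces whose neighbor cache is filling up with solicitations that never get answered, which is what a sweep of a /64 behind a router without stateful filtering looks like from the router's side. The sample output and the thresholds are constructed for the example.

```python
"""Count IPv6 neighbor-cache entries by NUD state, per interface, from the
output of `ip -6 neigh show`. A scan across a /64 makes the router solicit
many addresses that nothing answers, so INCOMPLETE/FAILED entries pile up
on the scanned interface and crowd out real neighbors."""
import re
from collections import Counter, defaultdict

# Constructed sample of `ip -6 neigh show` output (not captured from a real router).
SAMPLE_NEIGH = """\
2001:db8:1::1 dev eth1 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::20 dev eth1 lladdr 00:11:22:33:44:66 STALE
2001:db8:1::a1 dev eth1 INCOMPLETE
2001:db8:1::a2 dev eth1 INCOMPLETE
2001:db8:1::a3 dev eth1 FAILED
2001:db8:1::a4 dev eth1 INCOMPLETE
2001:db8:2::1 dev eth2 lladdr 00:11:22:33:44:77 REACHABLE
"""

# The last whitespace-separated token is the NUD state; `dev <iface>` names the interface.
LINE_RE = re.compile(r"^(?P<addr>\S+)\s+dev\s+(?P<dev>\S+).*?\s(?P<state>[A-Z]+)$")

# States meaning "address was solicited but never answered", typical of scan traffic.
UNRESOLVED = {"INCOMPLETE", "FAILED"}


def parse_neigh(text):
    """Return {iface: Counter(state -> count)} over every parseable line."""
    per_dev = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_dev[m.group("dev")][m.group("state")] += 1
    return per_dev


def suspicious_interfaces(text, min_unresolved=3, min_ratio=0.5):
    """Interfaces where unresolved entries are both numerous and dominate the cache.
    The thresholds are illustrative; tune them against the router's neighbor
    table limits (gc_thresh* on Linux) rather than using them as given."""
    flagged = []
    for dev, states in parse_neigh(text).items():
        total = sum(states.values())
        unresolved = sum(states[s] for s in UNRESOLVED)
        if unresolved >= min_unresolved and unresolved / total >= min_ratio:
            flagged.append((dev, unresolved, total))
    return sorted(flagged)


if __name__ == "__main__":
    for dev, bad, total in suspicious_interfaces(SAMPLE_NEIGH):
        print(f"{dev}: {bad}/{total} neighbor entries unresolved")
```

Running it against live output (`ip -6 neigh show | python3 script.py` after swapping the sample for `sys.stdin.read()`) gives a quick per-interface check that complements rate limits on neighbor solicitation.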

