[153823] in North American Network Operators' Group
RE: Article: IPv6 host scanning attacks
daemon@ATHENA.MIT.EDU (STARNES, CURTIS)
Wed Jun 13 16:23:06 2012
From: "STARNES, CURTIS" <Curtis.Starnes@granburyisd.org>
To: "davehart_gmail_exchange_tee@davehart.net"
<davehart_gmail_exchange_tee@davehart.net>, Fernando Gont
<fernando@gont.com.ar>
Date: Wed, 13 Jun 2012 15:22:10 -0500
In-Reply-To: <CAMbSiYD35zwe0AEvijkWApTB9pw5=0z_C6bKibc6nb2VQJYHGA@mail.gmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
It seems I saw that title came through an article somewhere but I have a sl=
ight problem with stating that "Vast IPv6 address space actually enables IP=
v6 attacks".
Going from an IPv4 32 bit address space to a IPv6 128 bit address space lik=
e you mentioned in the article would be a tedious effort to scan.
But you also make the following assumptions:
<Quote>
A number of options are available for selecting the Interface ID (the low-=
order 64 bits of an IPv6 address), including:
.Embed the MAC address;
.Employ low-byte addresses;
.Embed the IPv4 address;
.Use a "wordy" address;
.Use a privacy or temporary address;
.Rely on a transition or coexistence technology.
=20
Unfortunately, each of these options reduces the potential search space, m=
aking IPv6 host-scanning attacks easier and potentially more successful.
<End Quote>
That sounds fine and dandy but in reality, Internet facing IPv6 native or d=
ual-stack systems that are installed with any security forethought at all w=
ould not embed any of these options with the exception of the last one (tra=
nsitional or coexistence) only if forced to do so.
I agree that some IPv6 addresses are set up to have catchy names, but why s=
et up hundreds or even thousands of IPv6 addresses with IPv6 addresses that=
you try to remember like we did with IPv4?
I will also concede that Microsoft has not helped with issuing multiple IPv=
6 addresses using "privacy" settings even if a static IPv6 address is set.
In general, I just don't agree with your conclusions, and with proper IPv6 =
firewall rules, the network should still be as secure as the IPv4 systems. =
Not more insecure just because they run an IPv6 stack.
Curtis
-----Original Message-----
From: Dave Hart [mailto:davehart@gmail.com]=20
Sent: Wednesday, June 13, 2012 12:29 PM
To: Fernando Gont
Cc: NANOG
Subject: Re: Article: IPv6 host scanning attacks
On Wed, Jun 13, 2012 at 6:52 AM, Fernando Gont <fernando@gont.com.ar> wrote=
:
> Folks,
>
> TechTarget has published an article I've authored for them, entitled
> "Analysis: Vast IPv6 address space actually enables IPv6 attacks".
>
> The aforementioned article is available at:
> <http://searchsecurity.techtarget.com/tip/Analysis-Vast-IPv6-address-s
> pace-actually-enables-IPv6-attacks>
"published" and "available" are misleading at best. The article is teased =
with a sentence and a half, truncated by a demand for an email address with=
tiny legalese mentioning a privacy policy and terms of use that undoubtedl=
y would take far longer to read than Gont's valuable content.
> (FWIW, it's a human-readable version =A0of the IETF Internet-Draft I=20
> published a month ago or so about IPv6 host scanning (see:
> <http://tools.ietf.org/html/draft-gont-opsec-ipv6-host-scanning>))
I guess I'll take a look at this to see what you're smoking.
> You can get "news" about this sort of stuff by following @SI6Networks=20
> on Twitter.
"news" in quotes is appropriate given it's really eyeball harvesting for ma=
rketing purposes.
Cheers,
Dave Hart
