[96978] in North American Network Operators' Group


Re: IPv6 Advertisements

daemon@ATHENA.MIT.EDU (Dale W. Carder)
Tue May 29 21:39:20 2007

Date: Tue, 29 May 2007 20:37:51 -0500
From: "Dale W. Carder" <dwcarder@doit.wisc.edu>
In-reply-to: <20070529212544.X15486@calis.blacksun.org>
To: Donald Stahl <don@calis.blacksun.org>
Cc: "Chris L. Morrow" <christopher.morrow@verizonbusiness.com>,
	JORDI PALET MARTINEZ <jordi.palet@consulintel.es>,
	Nanog <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu



On May 29, 2007, at 8:28 PM, Donald Stahl wrote:
>>  Scanning isn't AS EASY, but it certainly is still feasible,
> With 1.5 million hosts it will only take 3500 years... for a  
> _single_ /64!
> I'm not sure that's what I would call feasible.

There are "smarter" ways to scan v6 address space than this approach.
My favorite is "First, the attacker may rely on the administrator
conveniently numbering their hosts from [prefix]::1 upward.  This
makes scanning trivial."

Take a look at:
http://www.ietf.org/internet-drafts/draft-ietf-v6ops-scanning-implications-03.txt

and

http://www.cs.columbia.edu/~smb/papers/v6worms.pdf

Dale
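
An added example, not part of the original message: a defender-side audit that checks an address inventory for the predictable host numbering quoted above. The pattern names, the 16/24/64-bit search-space model, the function names and the sample addresses (in the 2001:db8::/32 documentation prefix) are assumptions constructed for illustration; the EUI-64 check goes beyond the sequential case the message mentions.

```python
import ipaddress
from collections import Counter

# Assumed model of how many interface-identifier bits remain unknown to an
# outsider: low-numbered hosts fit in 16 bits, an EUI-64 identifier with a
# known vendor OUI leaves 24 bits, anything else is treated as the full 64.
SEARCH_BITS = {"low-numbered": 16, "eui64": 24, "other": 64}

def classify_iid(addr):
    """Classify the low 64 bits (interface identifier) of an IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    if iid <= 0xFFFF:
        return "low-numbered"            # [prefix]::1, ::2, ... ::ffff
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"                   # MAC-derived: ff:fe in the middle
    return "other"

def audit(addresses):
    """Group addresses by /64 and count each numbering pattern."""
    report = {}
    for addr in addresses:
        net = ipaddress.IPv6Network(f"{addr}/64", strict=False)
        report.setdefault(str(net), Counter())[classify_iid(addr)] += 1
    return report

def sweep_seconds(pattern, probes_per_second):
    """Time to cover the assumed search space at a given probe rate."""
    return 2 ** SEARCH_BITS[pattern] / probes_per_second

# Constructed sample inventory (documentation prefix, not real hosts).
INVENTORY = [
    "2001:db8:0:1::1",
    "2001:db8:0:1::2",
    "2001:db8:0:1::53",
    "2001:db8:0:1:211:22ff:fe33:4455",
    "2001:db8:0:2:8d3a:6c1e:f04b:92a7",
]

if __name__ == "__main__":
    for prefix, counts in audit(INVENTORY).items():
        for pattern, n in counts.items():
            years = sweep_seconds(pattern, 1000) / (365 * 86400)
            print(f"{prefix} {pattern:12} hosts={n} "
                  f"sweep at 1000 probes/s: {years:.3g} years")
```

Subnets that report only "other" keep the full 64-bit search space under this model; subnets dominated by "low-numbered" do not.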


