On Tue, 29 May 2007, JORDI PALET MARTINEZ wrote:
> However, you can *always* turn on IPsec with IPv6, which is not always true for IPv4 (NATs, no end-to-end, etc.).
Security is not JUST IPsec, and IPsec is not actually included in all current IPv6 stacks :( (Merike has some nice slides on this actually). Security often is related to the applications using the stack, or the stack itself. While I agree that in principle IPv6 with IPsec is nice, I've yet to see it work reliably in the field, and... it's never going to secure your communications with yahoo.com (maybe not 'never', but not for a very long time). So, having a sane discussion about 'security' and IPv6 ends up being: "Hey, you have the same facilities and issues in IPv4, only the stack is newer and slightly less baked, but if you have protections at multiple layers you are on the right track."
> Also, port scanning is not "so simple", and while in IPv6 a /24 can be scanned in 5 minutes, a /64 takes 5.3 billion years, and of course, usually you will have a /48.
This assumes a single machine scanning, not a botnet of 1000 or even the 1.5m the Dutch gov't collected 2 years ago. Again, a sane discussion is in order. Scanning isn't AS EASY, but it certainly is still feasible, especially if you can enumerate the targets with other methods first to cut down on the random other scanning efforts.
> So at the time being, it can be considered a bit more difficult to do a brute force DoS. Of course, attackers will try some other means, that's why
What?? I can make packets in v6 just as fast as v4... how is it harder exactly? Given a host connected to gigabit ethernet on a direct native v6 pipe... packets get made at line rate... such hosts do exist.