On Tue, Jan 25, 2011 at 8:29 PM, Roland Dobbins <rdobbins@arbor.net> wrote:
> On Jan 26, 2011, at 8:12 AM, Fernando Gont wrote:
>> Also, the claim that "IPv6 address scanning is impossible" is generally based on the (incorrect) assumption that host addresses are spread (randomly) over the 64-bit IID. -- But they usually aren't.
> It also doesn't take into account hinted scanning via routing table lookups, whois lookups, and walking reverse DNS, not to mention making use of ND mechanisms once a single box on a given subnet has been successfully botted.
It's not that discovering IPv6 hosts is impossible -- it is just that there's a very large mathematical obstacle between any brute force attempt and the hosts attempting to be discovered, that didn't exist with IPv4. It is fair to say in the aggregate that 'scanning is impossible' with IPv6, but host discovery is not impossible. Exhaustive scanning is what is basically impossible.

Hinted partial scanning might yield a useful number of guessable host addresses to be attempted; that is, if most networks wind up using some guessable IP addresses for possibly vulnerable hosts, then someone, somewhere, will find it worthwhile to attempt partial scanning of random announced prefixes: attempting to guess network IDs, then attempting to guess LAN host IDs. The bots attempting partial scanning will have to have a lot of ideas about what addresses are most likely to be assigned, and some mechanism of making a "tradeoff" to decide when to give up on a certain network and move on to attempt 'partial scanning' against the next prefix.

DNS walking and ND mechanism use are something different from scanning. They are also less effective -- the would-be intruder has to compromise a host on the LAN before ND can be of any use, and it doesn't help so much in discovering LAN hosts on other subnets (if, say, the compromised host is in a very small IPv6 DMZ isolated from potentially vulnerable hosts in separated secure networks); DNS walking is no good against hosts not listed in DNS.

There are other methods of discovery as well, but they are not close in scale or 'ease of use' to what brute-force address space scanning could easily accomplish with IPv4.

--
-JH
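The "hinted partial scanning" with a per-prefix "tradeoff" that the message above describes, as an added example (not code posted by anyone in the thread): it builds a prioritized candidate list for each /64 instead of sweeping 2**64 IIDs, and stops after a fixed probe budget per prefix. The IID patterns it ranks (low sequential IIDs, service-port numbers, IPv4-derived IIDs, "wordy" hex like dead:beef) are assumptions about common manual-assignment habits, not facts from the thread; the prefixes and IPv4 hints are constructed from documentation ranges. It only produces the list, it sends no packets.

```python
"""Hinted IPv6 host-discovery candidate generator.

Added example for this thread, not code posted by any participant.
A /64 has 2**64 IIDs, but manually configured hosts tend to sit on a
few guessable IID patterns, so a prioritized candidate list with a
per-prefix budget stands in for exhaustive scanning. The patterns and
the sample prefixes/IPv4 hints below are assumptions and constructed
documentation addresses (2001:db8::/32, 192.0.2.0/24). No packets sent.
"""
import ipaddress
from itertools import chain

# Assumed "wordy" IIDs people pick by hand (assumption, not from the thread).
WORDY_IIDS = (0xDEAD_BEEF, 0xCAFE, 0xBEEF, 0xFACE, 0xC0FFEE, 0xBAD_CAFE)
# Assumed service-port-as-IID habit, e.g. ::53 for a resolver, ::80 for a web box.
PORT_IIDS = (21, 22, 25, 53, 80, 110, 143, 389, 443, 636, 3306, 5432, 8080)


def _net64(prefix):
    """Return the integer network address of a /64; refuse other lengths."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"{prefix}: expected a /64 subnet prefix")
    return int(net.network_address)


def sequential_candidates(prefix, limit=256):
    """prefix::1, prefix::2, ...: routers and first servers are often here."""
    base = _net64(prefix)
    return [ipaddress.IPv6Address(base + i) for i in range(1, limit + 1)]


def port_candidates(prefix):
    base = _net64(prefix)
    return [ipaddress.IPv6Address(base + p) for p in PORT_IIDS]


def wordy_candidates(prefix):
    base = _net64(prefix)
    return [ipaddress.IPv6Address(base + w) for w in WORDY_IIDS]


def ipv4_derived_candidates(prefix, v4_hosts):
    """Two dual-stack habits: the IPv4 address packed into the low 32 bits
    (prefix::c000:201 for 192.0.2.1) and the four octets written as
    decimal-looking hextets (prefix:192:0:2:1)."""
    base = _net64(prefix)
    out = []
    for host in v4_hosts:
        v4 = ipaddress.IPv4Address(host)
        out.append(ipaddress.IPv6Address(base + int(v4)))
        hextets = [int(str(octet), 16) for octet in v4.packed]
        iid = (hextets[0] << 48) | (hextets[1] << 32) | (hextets[2] << 16) | hextets[3]
        out.append(ipaddress.IPv6Address(base + iid))
    return out


def plan_scan(prefixes, v4_hosts=(), budget=64):
    """Per-prefix candidate list, most-likely patterns first, capped at budget.
    The cap is the "tradeoff" from the thread: spend a bounded number of
    probes per announced prefix, then move on to the next one."""
    plan = {}
    for prefix in prefixes:
        ordered = chain(
            sequential_candidates(prefix, limit=32),
            port_candidates(prefix),
            ipv4_derived_candidates(prefix, v4_hosts),
            wordy_candidates(prefix),
            sequential_candidates(prefix, limit=budget)[32:],
        )
        seen, out = set(), []
        for addr in ordered:
            if addr in seen:  # ports 21/22/25 also appear in the sequential run
                continue
            seen.add(addr)
            out.append(str(addr))
            if len(out) >= budget:
                break
        plan[prefix] = out
    return plan


def coverage_ratio(n_candidates):
    """Fraction of one /64's IID space a probe budget actually touches."""
    return n_candidates / 2 ** 64


if __name__ == "__main__":
    demo = plan_scan(["2001:db8:1:1::/64", "2001:db8:1:2::/64"],
                     v4_hosts=["192.0.2.1", "192.0.2.10"])
    for pfx, addrs in demo.items():
        print(pfx, len(addrs), "candidates, first:", addrs[:4])
    print(f"64 probes cover {coverage_ratio(64):.3e} of a /64's IID space")
```

The ordering is the whole point: whichever prefix the list is pointed at, the first dozens of probes land on the addresses an operator is most likely to have typed by hand, which is why randomized or SLAAC-privacy IIDs (the thing the quoted claim wrongly assumes everyone has) matter more than the raw size of the /64.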