When I do IPv6 trainings, I always clearly state that it is, in principle, as secure as IPv4: IPsec is the same. However, you can *always* turn on IPsec with IPv6, which is not always true for IPv4 (NATs, no end-to-end, etc.).

Also, port scanning is not "so simple", and while in IPv6 a /24 can be scanned in 5 minutes, a /64 takes 5.3 billion years, and of course, usually you will have a /48. So for the time being, it can be considered a bit more difficult to do a brute-force DoS. Of course, attackers will try some other means; that's why I recommend not numbering the hosts manually in a consecutive way.

One possible choice is to use autoconfiguration the *first* time you power on a server, then manually configure the autoconfigured address and use that one for the AAAA. This way, the possibility of consecutive addresses is very low, but at the same time, if the interface gets broken, you don't need to update the AAAA.

Regards,
Jordi
From: David Conrad <drc@virtualized.org>
Reply-To: <owner-nanog@merit.edu>
Date: Tue, 29 May 2007 11:28:56 -0700
To: Donald Stahl <don@calis.blacksun.org>
CC: Nanog <nanog@nanog.org>
Subject: Re: IPv6 Advertisements
Should've clarified: this was in the context of IPv4...
To be honest, I'm not sure what the appropriate equivalent would be in IPv6 (/128 or /64? Arguments can be made for both I suppose).
Rgds, -drc
On May 29, 2007, at 9:34 AM, David Conrad wrote:
On May 29, 2007, at 8:23 AM, Donald Stahl wrote:
vixie had a fun discussion about anycast and dns... something about him being sad/sorry about making everyone have to carry a /24 for f-root everywhere. Whether it's a /24 for f-root or a /20 doesn't really make a difference- it's a routing table entry either way- and why waste addresses.
I once suggested that due to the odd nature of the root name server addresses in the DNS protocol (namely, that they must be hardwired into every caching resolver out there and thus, are somewhat difficult to change), the IETF/IAB should designate a bunch of /32s as "root server addresses" as DNS protocol parameters. ISPs could then explicitly permit those /32s.
However, the folks I mentioned this to (some root server operators) felt this would be inappropriate.
Rgds, -drc
**********************************************
The IPv6 Portal: http://www.ipv6tf.org
Bye 6Bone. Hi, IPv6 ! http://www.ipv6day.org
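To make the "autoconfigure first, then pin the address" recommendation concrete, here is an added worked example; it is not code from the thread or from any of the posters. It derives the address a host would form by stateless autoconfiguration (modified EUI-64, RFC 4291 Appendix A) from a /64 prefix and a MAC, and then audits a list of published addresses for the consecutive, low-integer interface identifiers the post warns against. The prefix, MAC address and address list are constructed sample data.

```python
"""
Added example (not from the NANOG thread): derive the address that
stateless autoconfiguration (modified EUI-64, RFC 4291 Appendix A) forms
for an interface, and audit a list of published addresses for guessable
interface identifiers.  The prefix, MAC and address list are constructed.
"""
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits = interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: split the MAC in half, insert
    0xFFFE between the halves and flip the universal/local bit (the
    second-least-significant bit of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    flipped = octets[0] ^ 0x02
    iid = bytes([flipped]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address an unmodified SLAAC host forms from a /64 prefix and its MAC.
    This is the value you would then configure statically and put in the AAAA."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def interface_id(addr) -> int:
    """Low 64 bits of an address (accepts text or IPv6Address)."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def classify_iid(addr) -> str:
    """Rough classification of how guessable an interface identifier is."""
    iid = interface_id(addr)
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui-64"          # derived from a MAC: sparse, but structured
    if iid < (1 << 32):
        return "small-integer"   # ::1, ::2, ::c000:205 ... trivially enumerable
    return "other"               # random/privacy or a hand-picked 64-bit value


def consecutive_runs(addrs):
    """Group addresses whose interface identifiers follow each other by
    exactly 1 inside the same /64.  Returns the runs (length >= 2), each as
    a list of addresses in compressed text form, sorted ascending."""
    ints = sorted({int(ipaddress.IPv6Address(a)) for a in addrs})
    runs, current = [], []
    for n in ints:
        same_prefix = current and (n >> 64) == (current[-1] >> 64)
        if same_prefix and n == current[-1] + 1:
            current.append(n)
        else:
            if len(current) >= 2:
                runs.append(current)
            current = [n]
    if len(current) >= 2:
        runs.append(current)
    return [[str(ipaddress.IPv6Address(n)) for n in run] for run in runs]


if __name__ == "__main__":
    PREFIX = "2001:db8:1::/64"       # constructed documentation prefix
    MAC = "00:1b:21:3c:4d:5e"        # constructed MAC
    pinned = slaac_address(PREFIX, MAC)
    print("SLAAC address to pin and publish:", pinned)

    # Constructed set of AAAA targets: three hosts numbered by hand, one
    # picked at ::10, and the autoconfigured one above.
    published = ["2001:db8:1::1", "2001:db8:1::2", "2001:db8:1::3",
                 "2001:db8:1::10", str(pinned)]
    for a in published:
        print(f"{a:40} {classify_iid(a)}")
    print("consecutive runs:", consecutive_runs(published))
```

The hand-numbered ::1/::2/::3 hosts show up as one consecutive run and as "small-integer" identifiers, which is exactly the low-effort enumeration the post is trying to avoid; the EUI-64 address is sparse within the /64 but is still tied to the MAC's OUI, so it is "harder to guess", not random.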