On Jan 4, 2008 6:02 PM, Rick Astley <jnanog@gmail.com> wrote:
> I know large mostly unused pools of client IPs make it more difficult to use traditional worm propagation methods in IPv6[1], but if customers move from IPv4 "firewalls" to IPv6 "routers", we still lose an important layer of security.
Seems like an understatement. IPv6 addressing doesn't merely make them more difficult; it makes traditional propagation methods and attack techniques that rely on 'scanning' a network from outside impossible to execute. If every subnet (end site) has a /64, and you can guess 16 of those bits (say most networks set the top 16 bits to zero and generate the rest using a true random number generator, for security's sake), there are so many IPs that random scanning has a probability of finding hosts so small that it is negligible. It would take 9 years to probe 10% of the addresses of a single end site, assuming you can scan 100,000 IPs per second.

If the host ID is sufficiently random or opaque to the outside world, then this is every bit as good as a well-chosen password; it is essentially private, except to nodes on the local subnet (who can monitor and ping multicast addresses). I don't believe a worm can effectively propagate and spend 10 years trying to find the IP address of the one or two computers at site X before moving to site Z that has 4 computers in a /64 somewhere...

A worm that has to connect to a remote machine would definitely have to discern the IP through some method other than brute-force scanning, such as a clean system contacting an infected system to make a request (i.e. download a webpage), at which time the infected system stores the requestor's IP in a database to probe later.

On the other hand, an IPv6 host could in theory bind a new IP address for each group of web requests, not attach any listeners to that IP, and make that IP cease to exist after the web requests complete. Since the /64 is so large, this essentially accomplishes what NAT does for IPv4 users: the IP address is private, by virtue of the fact that the host's primary interface address cannot be guessed. Even if it is guessed, firewall rules may block traffic from the probing address long before they get close to randomly hitting a live IP :)

--
-J
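As an added illustration, not part of the original thread, here is a Python script that reproduces the arithmetic behind the reply above (2^48 unpredictable addresses per /64 once 16 IID bits are guessable, about 9 years to probe 10% of them at 100,000 probes per second) and the "fresh random address per group of requests" idea. The scanning model (uniform random probes with replacement over the unpredictable part of the /64), the prefix `2001:db8:1234:5678::/64`, and the function names are assumptions of this example, not anything stated in the post.

```python
"""Scanning cost and address privacy inside one IPv6 /64.

Assumptions (this example's, not the post's): the attacker probes addresses
uniformly at random, with replacement, over the part of the /64 it cannot
predict; the host's interface identifier (IID) is drawn from a CSPRNG.
"""
import ipaddress
import math
import secrets

IID_BITS = 64                      # host part of a /64
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def scan_space(guessable_bits: int = 16) -> int:
    """Candidate addresses left in a /64 once `guessable_bits` of the IID are predictable."""
    if not 0 <= guessable_bits <= IID_BITS:
        raise ValueError("guessable_bits must be between 0 and 64")
    return 1 << (IID_BITS - guessable_bits)


def years_to_probe(fraction: float, probes_per_second: float, guessable_bits: int = 16) -> float:
    """Years needed to probe `fraction` of the unpredictable space at `probes_per_second`."""
    return scan_space(guessable_bits) * fraction / probes_per_second / SECONDS_PER_YEAR


def hit_probability(live_hosts: int, probes: int, guessable_bits: int = 16) -> float:
    """P(at least one of `probes` uniformly random probes lands on a live host).

    Uses log1p/expm1 so the tiny per-probe hit probability is not rounded away
    when computing (1 - p)^probes in double precision.
    """
    space = scan_space(guessable_bits)
    if live_hosts <= 0 or probes <= 0:
        return 0.0
    if live_hosts >= space:
        return 1.0
    log_all_miss = probes * math.log1p(-live_hosts / space)   # log P(every probe misses)
    return -math.expm1(log_all_miss)                          # 1 - P(all miss)


def random_address(prefix: str, guessable_bits: int = 16) -> ipaddress.IPv6Address:
    """A fresh address in `prefix` (a /64): top `guessable_bits` of the IID zero, the rest random.

    Models the post's "top 16 bits zero, rest from a TRNG" scheme with the OS CSPRNG.
    A host could bind one of these per group of outbound requests, attach no
    listeners to it, and drop it when the requests complete.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 128 - IID_BITS:
        raise ValueError("expected a /64 prefix")
    iid = secrets.randbits(IID_BITS - guessable_bits)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    rate = 100_000  # probes per second, the figure used in the post
    print(f"unpredictable addresses per /64: 2^{IID_BITS - 16} = {scan_space():,}")
    print(f"years to probe 10% at {rate:,}/s: {years_to_probe(0.10, rate):.1f}")
    one_day = rate * 24 * 3600
    for hosts in (1, 2, 4):
        print(f"P(hit one of {hosts} live hosts after a day of scanning): "
              f"{hit_probability(hosts, one_day):.2e}")
    # constructed documentation prefix, not a real site
    print("example ephemeral address:", random_address("2001:db8:1234:5678::/64"))
```

Note that `hit_probability` is the number to look at when judging the "negligible" claim: with two live hosts in the /64, a full day at 100,000 probes per second gives roughly a 6e-5 chance of a single hit, and that is before any rate limiting or firewall blocking of the probing source.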