On Wed, 2012-06-13 at 15:22 -0500, STARNES, CURTIS wrote:
> I have a slight problem with stating that "Vast IPv6 address space actually enables IPv6 attacks".
So do I. Compared to IPv4, scanning IPv6 is much, much harder, and that is (I think) the most important thing to know. The analysis was good in that it offered a bit of consideration to the scanning issue, but... "Some estimates peg the length of time for a host-scanning attack on a single IPv6 subnet at 500,000,000 years!" It's not an estimate. It's an approximation based on scanning a /64 subnet at a thousand probes per second. 18 billion billion (addresses in one /64) divided by one thousand, divided by 31536000 (the number of seconds in a year) - works out to about 500,000,000.
> - Embed the MAC address;
> - Employ low-byte addresses;
> - Embed the IPv4 address;
> - Use a "wordy" address;
> - Use a privacy or temporary address;
> - Rely on a transition or coexistence technology.
Why do you not mention DHCP in this list? You do mention it elsewhere. DHCPv6 will in general supply random addresses. You say that "some" DHCPv6 servers produce sequential addresses - could you please give an example? I use Nominum's DCS, which certainly does NOT do this very foolish thing.

Low-byte addresses are generally going to be on high-value devices, which will usually be servers (whose existence is thus public knowledge anyway) or network fabric devices (which will be very solidly protected by firewalls, generally requiring no access from outside at all, or even access from most of the inside network either).

Embedded IPv4 addresses are going to be a reducing problem, and in the scenario you mention, as well as in most other scenarios, again mostly on machines that have very strong protections from firewalls and their own packet filters.

Wordy addresses will be an issue for some vanishingly small percentage of systems, and generally systems that their owners want people to see (Facebook being a good example). These are generally going to be systems whose existence is public knowledge anyway.

All transition technologies are a reducing problem. The primary transition technology - dual stack - has no technology-specific problems in respect of scanning (except perhaps that the scanner, at least in theory, gets two bites at the cherry).

I think you are making a minor issue look far bigger than it is. I feel the privacy issues around SLAAC are far more significant in the real world than any threat from scanning.

Regards, K.

PS: I still like your RFC about stable privacy addresses.

PPS: There seems to be a diagram missing in the discussion of embedded MAC addresses, after the word "syntax".

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
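The /64-at-a-thousand-probes-per-second arithmetic in the reply, and the address patterns it argues over (embedded MAC, low-byte, embedded IPv4, "wordy", random), as an added example for auditing one's own address plan; this is not code from the thread or from the analysis under discussion. The pattern classifier is heuristic, the per-pattern candidate-space sizes are illustrative assumptions, and the sample hosts are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

SECONDS_PER_YEAR = 31_536_000  # 365 days, as used in the reply
FULL_IID_SPACE = 2 ** 64       # every interface identifier in one /64

# Assumed candidate space left once the IID pattern is known (illustrative
# assumptions, not measurements). The MAC and IPv4 rows assume the vendor
# OUI / site IPv4 block is already public knowledge.
ASSUMED_SPACE = {
    "random": FULL_IID_SPACE,
    "embedded-mac": 2 ** 24,
    "low-byte": 2 ** 16,
    "embedded-ipv4": 2 ** 16,
    "wordy": 2 ** 20,
}

def scan_years(candidates, probes_per_second=1000):
    """Years to probe every candidate once: the reply's own /64 arithmetic."""
    return candidates / probes_per_second / SECONDS_PER_YEAR

def classify_iid(address):
    """Heuristic label for the 64-bit interface identifier of an IPv6 address."""
    iid = int(ipaddress.IPv6Address(address)) & (FULL_IID_SPACE - 1)
    groups = [f"{(iid >> s) & 0xFFFF:x}" for s in (48, 32, 16, 0)]
    # Modified EUI-64: ff:fe in the middle of the IID and the u/l bit set.
    if (iid >> 24) & 0xFFFF == 0xFFFE and (iid >> 57) & 1:
        return "embedded-mac"
    if iid < 0x10000:
        return "low-byte"
    hexdigits = f"{iid:016x}"  # wordy: only hex letters plus 0/1 as o/l
    if set(hexdigits) <= set("01abcdef") and sum(c in "abcdef" for c in hexdigits) >= 6:
        return "wordy"
    # IPv4 in hex (::c000:201) or written as decimal-looking groups (::192:0:2:1).
    if iid >> 32 == 0 or (all(g.isdigit() and int(g) <= 255 for g in groups)
                          and int(groups[0]) > 0):
        return "embedded-ipv4"
    return "random"

def audit(addresses, probes_per_second=1000):
    """Map each address to (pattern, assumed years for a full brute-force sweep)."""
    return {a: (classify_iid(a), scan_years(ASSUMED_SPACE[classify_iid(a)],
                                             probes_per_second)) for a in addresses}

# Constructed sample inventory (documentation prefix, not real hosts).
SAMPLE_HOSTS = [
    "2001:db8:1::1",                      # low-byte, typical router or server
    "2001:db8:1:0:211:22ff:fe33:4455",    # SLAAC with embedded MAC
    "2001:db8:1::c000:201",               # embeds 192.0.2.1
    "2001:db8:1:0:dead:beef:cafe:babe",   # "wordy"
    "2001:db8:1:0:3f0e:9a1c:7d42:b8e5",   # RFC 4941-style random IID
]

if __name__ == "__main__":
    print(f"full /64 at 1000 pps: {scan_years(FULL_IID_SPACE):,.0f} years")
    for addr, (pattern, years) in audit(SAMPLE_HOSTS).items():
        print(f"{addr:36s} {pattern:14s} {years:12.3g} years")
```

The full-/64 figure comes out near 585 million years, which is the "about 500,000,000" the reply quotes; the point of the table is that the patterned rows collapse to hours or seconds, while random or privacy IIDs keep the whole space.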