On 1/5/2011 10:18 PM, Dobbins, Roland wrote:
> This whole focus on sparse addressing is just another way to tout security-by-obscurity. We already know that security-by-obscurity is a fundamentally-flawed concept, so it doesn't make sense to try and keep rationalizing it in various domain-specific instantiations.
I agree. It's not the hosts I'm worried about protecting, it's the potential noise directed at the IPv6 space, intentional/irrational scan or otherwise generated traffic.

Still, the idea that "nobody will scan a /64" reminds me of the days when 640K ought to be enough for anybody, 56-bit DES ought to be good enough to never be cracked, 10 megabits was astoundingly fast, a T1 was more than enough commodity, and a 300-baud acoustic coupler was a modern marvel. I hesitate to write anything off to impossibility, having witnessed the 8 to 16 to 32 to 64-bit processor progression :) But perhaps it's time for Moore to rest and we can make assumptions about that impossibility.

Scanned or not, IPv6 still presents a "very large" route target. Given the transient / spoofed / backscatter / garbage / scan / script kiddie noise that accidentally lands in my IPv4 space, I shudder to think of the noise level of the many-orders-of-magnitude-greater IPv6 space. And the "depth" of infrastructure at which you can decide the traffic is bogus is much greater with IPv6. Most will end up on the target network anyway, no?

Jeff