RE: Katrina Network Damage Report
On Mon, 12 Sep 2005, Howard, W. Lee wrote:
Maybe I missed an intermediate post or two, but is the assertion here that IPv6 is more secure because it's impractical to scan such a large number of possible host IP addresses? Sort of like zebra camouflage--it's easy to see the herd, but hard to see a single zebra.
I didn't assert that it was more secure, rather that scanning as it works now, to collect the IPs of exploitable embedded or other devices, is infeasible. Miscreants will of course look for other ways if they can't feasibly scan. The IETF is full of resource discovery mechanism work and there's no reason to expect that those selfsame mechanisms wouldn't be subverted to other ends. There's no point in connecting a device to the internet if you can't find it or manage it. As my firewall logs would testify though, host discovery through probing is one of the low-hanging fruit.
There may be other ways to find a host address than random botting. Phishing, perhaps.
I suppose the relative security question becomes, "Which is more secure: address translation or sparseness?" I've heard people say that NAT provides no security, but dynamic assignment (from the Internet's point of view) of an address for only the duration of a session means you can't target a specific host, and have to have some access already to hijack a session.
I'm not saying NAT is sufficient security, but it can be part of a good plan. Obscurity isn't sufficient security, but I'm not publishing my network map.
Lee
--
--------------------------------------------------------------------------
Joel Jaeggli                Unix Consulting
joelja@darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
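The point about host discovery through probing showing up in firewall logs can be turned into a simple detector. The following is an added example, not code from the original thread: it assumes a constructed drop-log format ("<time> DROP <src> -> <dst>") and flags any source that touches many distinct addresses inside a monitored /64, which in a sparsely populated IPv6 subnet almost always means a sequential walk rather than legitimate traffic.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (not from the original post). One source walks
# the monitored /64 address by address; another repeatedly hits a single host.
SAMPLE_LOG = """\
12:00:01 DROP 2001:db8:1::5 -> 2001:db8:ffff:1::1
12:00:01 DROP 2001:db8:1::5 -> 2001:db8:ffff:1::2
12:00:02 DROP 2001:db8:1::5 -> 2001:db8:ffff:1::3
12:00:02 DROP 2001:db8:1::5 -> 2001:db8:ffff:1::4
12:00:03 DROP 2001:db8:1::5 -> 2001:db8:ffff:1::5
12:00:03 DROP 2001:db8:1::5 -> 2001:db8:ffff:1::6
12:00:04 DROP 2001:db8:2::9 -> 2001:db8:ffff:1::10
12:00:05 DROP 2001:db8:2::9 -> 2001:db8:ffff:1::10
"""

# Assumed log line shape: "<time> DROP <src> -> <dst>"
LINE_RE = re.compile(r"^\S+ DROP (\S+) -> (\S+)$")


def distinct_targets(log: str, monitored: str = "2001:db8:ffff:1::/64") -> dict:
    """Count, per source, how many distinct dropped destinations fall inside `monitored`."""
    net = ip_network(monitored)
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dst = m.groups()
        if ip_address(dst) in net:
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def flag_probers(log: str, threshold: int = 5) -> list:
    """Sources that hit at least `threshold` distinct (dropped) addresses in the
    monitored prefix are reported as probing for hosts. In a sparse /64 nearly
    every address is unused, so a walk produces a long run of drops from one source."""
    counts = distinct_targets(log)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for src in flag_probers(SAMPLE_LOG):
        print(f"probing source: {src}")
```

The threshold is a tunable assumption; a real deployment would also window by time so that a slow walk over hours is not missed.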