Default security functions on an IPv6 CPE

Mark Smith msmith at
Fri May 13 08:11:39 CEST 2011

> Either way you setup the CPE the ISP will get called.
> But, the users who got an open IPv6 firewall and as a result got
> their machine rooted, when their calls come in they will take a lot
> more time and be much more costly.

Have you or Doug read

RFC5157 - IPv6 Implications for Network Scanning


"  A typical IPv6 subnet will have 64 bits reserved for host addressing.
   In such a case, a remote attacker in principle needs to probe 2^64
   addresses to determine if a particular open service is running on a
   host in that subnet.  At a very conservative one probe per second,
   such a scan may take some 5 billion years to complete.  A more rapid
   probe will still be limited to (effectively) infinite time for the
   whole address space."

Still think address scanning is going to be a useful technique under IPv6?

> Ted
>> RD

More information about the ipv6-ops mailing list