Default security functions on an IPv6 CPE

Sam Wilson Sam.Wilson at ed.ac.uk
Wed May 18 12:57:35 CEST 2011


On 13 May 2011, at 14:46, Ted Mittelstaedt wrote:


> On 5/12/2011 11:11 PM, Mark Smith wrote:
>
>
>> RFC5157 - IPv6 Implications for Network Scanning
>>
>> ?
>>
>> "  A typical IPv6 subnet will have 64 bits reserved for host addressing.
>>     In such a case, a remote attacker in principle needs to probe 2^64
>>     addresses to determine if a particular open service is running on a
>>     host in that subnet.  At a very conservative one probe per second,
>>     such a scan may take some 5 billion years to complete.  A more rapid
>>     probe will still be limited to (effectively) infinite time for the
>>     whole address space."
>>
>> Still think address scanning is going to be a useful technique under IPv6?
>>
>>
>
> There are a number of ways to get a host address, here's just a couple:
>
> 1) Cracker breaks into a webserver, ...
>
> 2) Cracker ... extracts initiating host IP from mail header ...
>

There's an implication here: knowledge of valid IPv6 addresses is  
going to be valuable to the bad guys.  Therefore logs/tables/mail  
headers/whatever are going to be targets and there's going to be  
pressure from the paranoid (which is everyone with an interest in
security, of course) to keep as much detail hidden as possible.  The  
implication is that systems are going to be much less traceable and  
identifiable than with IPv4, which affects the good guys and bad guys  
both.

Sam


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.



