Default security functions on an IPv6 CPE

Scott Beuker Scott.Beuker at sjrb.ca
Fri May 27 16:57:29 CEST 2011


> > There are a number of ways to get a host address, here's just a
> > couple:
> >
> > 1) Cracker breaks into a webserver, ...
> >
> > 2) Cracker ... extracts initiating host IP from mail header ...
> >
> 
> There's an implication here: knowledge of valid IPv6 addresses is
> going to be valuable to the bad guys.  Therefore logs/tables/mail
> headers/whatever are going to be targets and there's going to be
> pressure from the paranoid (which is everyone with an interest in
> security, of course) to keep as much detail hidden as possible.


Privacy addresses are the answer here; software initiating connectivity
should be doing so from temporary addresses, and other software
listening for incoming connectivity should only be doing so from the
public address.

RFC 4941, section 2.4.

Cheers,
Scott
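
An added example, not part of the original message: a Python audit of the convention described above, flagging listeners bound to temporary addresses and outbound connections sourced from the public address. The `ip -6 addr show` output, the socket records and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` output (2001:db8::/32 is the documentation prefix).
SAMPLE_IP_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:d4f1:22aa:9c0e:71b3/64 scope global temporary dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:1:2:5c3a:91ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fe80::5c3a:91ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed socket records: (role, local address). "::" is the wildcard bind.
SAMPLE_SOCKETS = [
    ("listen", "::"),
    ("listen", "2001:db8:1:2:d4f1:22aa:9c0e:71b3"),
    ("connect", "2001:db8:1:2:d4f1:22aa:9c0e:71b3"),
    ("connect", "2001:db8:1:2:5c3a:91ff:fe12:3456"),
]

INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\S+)(.*)$")

def classify_addresses(ip_output):
    """Map each global-scope address to 'temporary' or 'public'."""
    kinds = {}
    for line in ip_output.splitlines():
        m = INET6_LINE.match(line)
        if not m or m.group(2) != "global":
            continue  # link-local and other scopes are not classified
        addr = ipaddress.IPv6Address(m.group(1))
        flags = m.group(3).split()
        kinds[addr] = "temporary" if "temporary" in flags else "public"
    return kinds

def audit_sockets(kinds, sockets):
    """Return (role, address, reason) for sockets that break the convention."""
    findings = []
    for role, local in sockets:
        addr = ipaddress.IPv6Address(local)
        kind = kinds.get(addr)  # None for wildcard, link-local or unknown addresses
        if role == "listen" and kind == "temporary":
            findings.append((role, str(addr), "listener bound to temporary address"))
        elif role == "connect" and kind == "public":
            findings.append((role, str(addr), "outbound connection from public address"))
    return findings

print(audit_sockets(classify_addresses(SAMPLE_IP_OUTPUT), SAMPLE_SOCKETS))
```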


More information about the ipv6-ops mailing list