Default security functions on an IPv6 CPE
Mark Smith
nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Sat May 28 02:54:33 CEST 2011
On Fri, 27 May 2011 08:57:29 -0600
"Scott Beuker" <Scott.Beuker at sjrb.ca> wrote:
> > > There are a number of ways to get a host address, here's just a
> > > couple:
> > >
> > > 1) Cracker breaks into a webserver, ...
> > >
> > > 2) Cracker ... extracts initiating host IP from mail header ...
> > >
> >
> > There's an implication here: knowledge of valid IPv6 addresses is
> > going to be valuable to the bad guys. Therefore logs/tables/mail
> > headers/whatever are going to be targets and there's going to be
> > pressure from the paranoid (which is everyone with an interest in
> > security, of course) to keep as much detail hidden as possible.
>
>
> Privacy addresses are the answer here; software initiating connectivity
> should be doing so from temporary addresses, and other software
> listening for incoming connectivity should only be doing so from the
> public address.
>
> RFC 4941, section 2.4.
>
"Transient Addressing for Related Processes: Improved Firewalling by
Using IPV6 and Multiple Addresses per Host" would be another
possibility -
http://academiccommons.columbia.edu/catalog/ac:126889
> Cheers,
> Scott
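An added example, not from the thread, of auditing the split Scott describes on a Linux host: parse `ip -6 addr` to separate RFC 4941 temporary addresses from the stable global address, then flag listeners from `ss -6 -ltn` that are bound to the wildcard `::` (which also accepts on the temporary addresses) or to a temporary address. The command output is constructed sample text using the 2001:db8::/32 documentation prefix, and the function names are assumptions of this example.

```python
import re

# Constructed `ip -6 addr show` output: one temporary, one stable global,
# one link-local address (addresses use the 2001:db8::/32 documentation prefix).
IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::a1b2:c3d4:e5f6:7890/64 scope global temporary dynamic
       valid_lft 86273sec preferred_lft 14273sec
    inet6 2001:db8:1::1/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86273sec preferred_lft 86273sec
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed `ss -6 -ltn` output: sshd on the wildcard, a web server on the
# stable address, and a service mistakenly bound to the temporary address.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [2001:db8:1::1]:443  [::]:*
LISTEN  0       128     [2001:db8:1::a1b2:c3d4:e5f6:7890]:8080  [::]:*
"""

def classify_addresses(ip_output):
    """Return ({temporary}, {stable}) global addresses parsed from `ip -6 addr`."""
    temporary, stable = set(), set()
    for line in ip_output.splitlines():
        m = re.match(r"\s*inet6 (\S+)/\d+ scope global(.*)", line)
        if not m:
            continue  # link-local and non-address lines are irrelevant here
        addr, flags = m.group(1), m.group(2).split()
        (temporary if "temporary" in flags else stable).add(addr)
    return temporary, stable

def audit_listeners(ss_output, temporary, stable):
    """Return (port, reason) for listeners not confined to a stable address."""
    findings = []
    for line in ss_output.splitlines():
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+\[([0-9a-f:]+)\]:(\d+)", line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr == "::":
            findings.append((port, "wildcard bind also accepts on temporary addresses"))
        elif addr in temporary:
            findings.append((port, "bound to a temporary (privacy) address"))
        elif addr not in stable:
            findings.append((port, "bound to an address not configured as stable global"))
    return findings

def run_audit():
    temporary, stable = classify_addresses(IP_ADDR_OUTPUT)
    return audit_listeners(SS_OUTPUT, temporary, stable)

if __name__ == "__main__":
    for port, reason in run_audit():
        print(f"port {port}: {reason}")
```

On a real host, feed the script the live output of the two commands instead of the embedded samples; a clean result means every listener is bound only to the stable address, as the quoted advice recommends.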