On 22 Mar 2024 20:01 -0400, from ler...@gmail.com (Lee):
> The IPv4 address space is only 32 bits long. Scanning 2^32 = about
> 4,000,000,000 addresses for an open port is easily doable.
> The IPv6 address space is a bit harder... Let's just say that 7/8th
> of the IPv6 address space is reserved[1] so that means 2^125 addresses
> would need to be scanned .. which just isn't going to happen.
> There are ways for attackers to get the IPv6 address scan space down
> to a reasonable number. I probably don't know most of them..
You are correct that the globally assigned unicast IPv6 address range is a /3 out of 128 bits so 2^125 addresses. (2000::/3 out of ::/0.) But only a tiny sliver of that address space is actually assigned to anyone on the global Internet.

One can start by looking at the core routing tables and routing announcements that form the Internet backbone. My guess, without having looked, would be that you'd be looking at maybe _at most_ say a /10 (although likely not contiguous) which actually routes anywhere at all in the default-free zone. It might well be significantly less than that.

If you're already willing to do something like this, I strongly suspect DNS in particular can help narrow the range down further. For example, you could iterate over /32s and see which of those have any reverse DNS set up by looking for corresponding delegations in ip6.arpa. That'll miss some, but should catch the majority of actively used assignments.

You can probably eliminate most /64s more or less immediately by trying to reach _any_ address within each, because most /64s likely won't be in use and therefore won't route.

Also, while addresses within each /64 look random, there's probably ample opportunity to optimize the search there through for example EUI assignment prefix tables and IPv6 address node portion generation rules.

And once someone connects to anywhere directly (that is, not through something like a VPN concentrator which will replace it with its own outgoing address), whatever system was connected to at a minimum has a known-good address to check.

And all this is just things I can think of right now. I wouldn't be the least surprised if there are many more optimizations that can be made by someone who actually spends some time looking into this.
So while scanning the IPv6 address space certainly is a larger undertaking than similarly for IPv4, **scanning the IPv6 address space is far less than 2^93 times harder** than scanning the IPv4 address space as one might think looking only at _possible_ address length. IPv6 addresses look random to the human eye, but especially in the network /64 half of the address, they are far from randomly assigned.

Also, IPv6 typically being used with globally routable addresses everywhere (as the Internet was meant to be) means that having good firewalling is a _must_ in the present-day environment. If you do, then having a globally routable IP address assigned to an end node is not much of an issue.

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
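The post's two concrete points, that ip6.arpa delegations map directly onto address prefixes and that the host half of an address is often derived from a MAC address rather than chosen at random, are easy to see in code. The following is an added example (not part of the thread, and not code from either poster) that builds the ip6.arpa name for a prefix, derives a SLAAC address from a MAC address using the modified EUI-64 rule of RFC 4291, and recognises such addresses by their fixed `ff:fe` marker. The prefix `2001:db8::/32` and the MAC address `00:1b:21:aa:bb:cc` are constructed sample values. From a defender's side it illustrates why privacy or stable-opaque interface identifiers (RFC 4941 / RFC 7217) and host-level firewalling matter: an EUI-64 address with a known vendor OUI leaves only 24 unknown bits in the host half, not 64.

```python
import ipaddress


def reverse_zone(prefix: str) -> str:
    """Return the ip6.arpa name covering an IPv6 prefix (RFC 3596).

    Each hex nibble of the network address becomes one label, in reverse
    order; only nibble-aligned prefix lengths map cleanly onto a zone.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for a clean ip6.arpa zone")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A).

    The universal/local bit (0x02 of the first byte) is inverted and the
    fixed bytes ff:fe are inserted between the OUI and the NIC-specific part.
    """
    parts = bytes(int(x, 16) for x in mac.split(":"))
    if len(parts) != 6:
        raise ValueError("expected a 48-bit MAC address like 00:11:22:33:44:55")
    first = parts[0] ^ 0x02
    iid = bytes([first]) + parts[1:3] + b"\xff\xfe" + parts[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure in a /64 from its MAC address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are defined for /64 prefixes")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_eui64_derived(addr: str) -> bool:
    """True when the host half carries the ff:fe marker of a MAC-derived IID."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def host_half_unknown_bits(addr: str, oui_known: bool = True) -> int:
    """Rough number of bits an observer would still have to guess in the host half.

    A random or opaque IID leaves all 64 bits unknown. A MAC-derived IID with
    a known vendor OUI leaves only the 24-bit NIC-specific part (assumption:
    the OUI is known from vendor prefix tables, as the post suggests).
    """
    if is_eui64_derived(addr):
        return 24 if oui_known else 48
    return 64


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    print(reverse_zone("2001:db8::/32"))
    a = slaac_address("2001:db8:1:2::/64", "00:1b:21:aa:bb:cc")
    print(a, is_eui64_derived(str(a)), host_half_unknown_bits(str(a)))
    print(host_half_unknown_bits("2001:db8:1:2::1"))
```

Note that `is_eui64_derived` only tests for the `ff:fe` marker; a randomly generated identifier can match it by chance with probability 2^-16, so treat the check as a hint about how an address was generated, not proof.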