Hi, Roland, Thanks so much for your e-mail! Please find my comments inline...
On 08/09/2011 03:32 PM, Dobbins, Roland wrote: > 1. By prepending lots of extension headers to packets, it may be > possible to exhaust router ASIC/TCAM capacity, causing the traffic in > question to be punted to the RP and thus leading to a DoS condition. Agreed. -- Which makes one wonder a bit about the "stremlined header blah blah" that one usually hears :-) (ok, it's "streamlined" in a world in which attackers do not exist :-) ) > 2. The consonance of the English letters 'B', 'C', 'D', & 'E' is > likely to result in untold billions of dollars of opex related to > misconfigurations, outages, improper access policies contributing to > security breaches, etc. Whenever possible, IPv6 > address-/netblock-related information should be transmitted in > written form, not verbally. Hadn't though aboiut this one. Good grief :-) > 3. BGP and IGP mining can also be useful for hinted scanning. Yes, this would be another one to add to the list of "IPv6 addresses leaked by application protocols". > 4. The numerous instantiations of additional state being added to > networks in the form of 6-to-4 gateways, CGNs, et. al. as a result of > IPv4 address exhaustion and IPv6 transition greatly increases the DoS > risk, as well. Agreed. At least in the short and near term, NAT usage will only increase despite of the claims of "return to the e2e internet" (I have commented a bit about this one in (http://searchenterprisewan.techtarget.com/tip/Why-IPv6-wont-rid-the-Internet-of-Network-Address-Translation). -- And it's not just the additional state... it's the increased complexity of the resulting "system" (the Internet). Even for troubleshooting it will become more and more painful. > There's already far too much of this in the > mobile/wireless world, resulting in numerous DoS conditions on those > networks caused by portscans/hostscans/outbound & crossbound DDoS > attacks initiated by botted hosts; now it's going to become even more > common in the wireline world, as well. It has been relieving to read your post, I must admit :-) -- particularly when at least half of the stuff that usually gets published about IPv6 security has to do with how the mandatory-ness of IPsec is going to save us all. :-) Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: [email protected] web: http://www.si6networks.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
