John Spence wrote:
Hi Bob - thanks for the quick reply. Three things:
1) If I have autoconfiguration enabled, and I autoconfigure a global-scope address from an RA where the valid lifetime is greater than zero (the usual case certainly), I would normally respond to connections from other nodes at that address. I guess I could use a platform firewall to suppress that.
Depending on your trust in the network you either firewall on the borders (easiest) or you deploy some per-host firewall that can be reconfigured from a central point (eg Active Directory style or custom scripted)
2) As for the value, I like it when implementers have choices. I hear people talk about the difficulty of scanning a 128-bit addressing space, but it is not hard, if autoconfiguration is in use and the attacker knows a little about an organization, to get that down to more like a 10 OUIs x 2^24 problem. You are right - still significant - but not insurmountable.
RFC3041 and also read the NAP draft for a lot of other solutions to these silly questions.
3) I got an off-list suggestion that maybe CGA is a potential solution for this, which is a good thought too.
Which is patent bait waiting to happen according to many discussions. RFC3041 is all you need and is already implemented. You might want to add the per-host firewall if you really require that though.
Greets, Jeroen
IETF IPv6 working group mailing list [email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
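As an added illustration of the point the thread is arguing over (not code from the thread or from any of its participants; the addresses below are constructed), here is a small audit helper a network operator can run over a neighbor table or address inventory to find hosts whose interface identifier is a modified EUI-64, i.e. hosts that still expose a MAC-derived, OUI-guessable identifier instead of an RFC 3041 temporary address. The MAC recovery follows RFC 4291 Appendix A; the function names are my own.

```python
import ipaddress
from typing import Dict, Optional

def eui64_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in an IPv6 address if its interface identifier
    (low 64 bits) is a modified EUI-64, else None.

    A modified EUI-64 IID is <MAC[0] ^ 0x02><MAC[1..2]>ff:fe<MAC[3..5]>, so the
    marker bytes 0xff 0xfe sit at IID offsets 3 and 4. A random RFC 3041 IID
    matches that marker with probability 2^-16, so treat a hit as a strong hint
    to be confirmed against the host, not as proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02            # undo the universal/local bit inversion
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def classify(addr: str) -> str:
    """Label an address for an audit report: 'eui64 (OUI xx:xx:xx)' when the
    IID leaks a MAC, otherwise 'privacy-or-manual'."""
    mac = eui64_mac(addr)
    if mac is None:
        return "privacy-or-manual"
    return f"eui64 (OUI {mac[:8]})"

def audit(addrs) -> Dict[str, str]:
    """Map each address to its classification; link-local entries are skipped
    because every stack keeps an EUI-64 or similar link-local address anyway."""
    report = {}
    for a in addrs:
        ip = ipaddress.IPv6Address(a)
        if ip.is_link_local:
            continue
        report[str(ip)] = classify(a)
    return report

if __name__ == "__main__":
    # Constructed sample inventory: one EUI-64 host, one privacy address,
    # one link-local entry that the audit ignores.
    sample = ["2001:db8::211:22ff:fe33:4455",
              "2001:db8::a1b2:c3d4:e5f6:789",
              "fe80::211:22ff:fe33:4455"]
    for addr, label in audit(sample).items():
        print(f"{addr:40} {label}")
```

Hosts flagged as eui64 are the ones RFC 3041 (use_tempaddr on Linux, "privacy extensions" elsewhere) is meant to fix; the per-host firewall Jeroen mentions is the complementary control.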
