On 20 Apr 2012, at 07:50, Fernando Gont wrote:

> Hi, Bob,
>
> On 04/18/2012 05:55 PM, Bob Hinden wrote:
>>
>> This is an area I would like to know more about, and it would be good
>> to quantify the problem.
>
> I've just posted this drafty I-D, which hopefully sheds some light on the
> subject (or triggers further discussion):
> <http://www.ietf.org/id/draft-gont-opsec-ipv6-host-scanning-00.txt>

Don't forget RFC5157, which talks about other ways addresses can be gleaned, and thus attackers could scan around those addresses. i.e. that brute force sweeps across an entire subnet aren't feasible, but an attacker will do whatever they can to narrow the search space.

That text reinforces the need for randomised host addresses, and, for example, DHCPv6 servers not to allocate addresses in a predictable way. The stable privacy address draft adds pretty much the same feature for SLAAC.

The ND cache exhaustion issue is also linked in to the scanning topic.

Tim

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
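
An added example, not part of the original thread: a small audit an operator could run over their own allocated addresses to see how many interface identifiers are predictable rather than randomised. The three heuristics (low-byte, EUI-64, counting allocator) and the function names are assumptions chosen for illustration; the addresses are constructed under the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import Counter

IID_MASK = (1 << 64) - 1  # low 64 bits = interface identifier (IID)

def classify_iid(addr: str) -> str:
    """Label the IID of one IPv6 address by how guessable its structure is."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    if iid >> 16 == 0:
        return "low-byte"   # only the last 16 bits are set, e.g. ::1 or ::53
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"      # ff:fe filler in the middle: IID derived from a MAC
    return "opaque"         # no structure visible in a single address

def sequential_pairs(addrs) -> int:
    """Count addresses whose +1 neighbour is also allocated.

    A pool handed out by a counting allocator looks 'opaque' one address
    at a time, but shows up here as runs of consecutive values.
    """
    vals = {int(ipaddress.IPv6Address(a)) for a in addrs}
    return sum(1 for v in vals if v + 1 in vals)

def audit(addrs):
    """Return (Counter of IID labels, number of consecutive-address pairs)."""
    return Counter(classify_iid(a) for a in addrs), sequential_pairs(addrs)

# Constructed sample: what an address-management export might contain.
SAMPLE = [
    "2001:db8:0:1::1",                    # manually numbered router
    "2001:db8:0:1::53",                   # manually numbered DNS server
    "2001:db8:0:1:21a:2bff:fe3c:4d5e",    # SLAAC with MAC-derived IID
    "2001:db8:0:1::1000:a1",              # pool allocated in order
    "2001:db8:0:1::1000:a2",
    "2001:db8:0:1::1000:a3",
    "2001:db8:0:1:9c4e:71d2:b8a:e613",    # randomised IID
    "2001:db8:0:1:3fa1:88c0:5d27:b94e",   # randomised IID
]

if __name__ == "__main__":
    labels, runs = audit(SAMPLE)
    for label, n in labels.most_common():
        print(f"{label:9s} {n}")
    print(f"consecutive pairs: {runs}")
```

The three pool addresses are labelled opaque individually and are only caught by the consecutive-pair count, which is why a per-address pattern check is not enough to confirm that an allocator is unpredictable.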
