It seems I saw that title come through in an article somewhere, but I have a slight
problem with stating that "Vast IPv6 address space actually enables IPv6
attacks".
Going from an IPv4 32-bit address space to an IPv6 128-bit address space like
you mentioned in the article would be a tedious effort to scan.
But you also make the following assumptions:
<Quote>
A number of options are available for selecting the Interface ID (the
low-order 64 bits of an IPv6 address), including:
- Embed the MAC address;
- Employ low-byte addresses;
- Embed the IPv4 address;
- Use a "wordy" address;
- Use a privacy or temporary address;
- Rely on a transition or coexistence technology.
Unfortunately, each of these options reduces the potential search
space, making IPv6 host-scanning attacks easier and potentially more successful.
<End Quote>
That sounds fine and dandy, but in reality, Internet-facing IPv6 native or
dual-stack systems that are installed with any security forethought at all
would not embed any of these options, with the exception of the last one
(transitional or coexistence), and only if forced to do so.
I agree that some IPv6 addresses are set up to have catchy names, but why set
up hundreds or even thousands of IPv6 addresses with IPv6 addresses that you
try to remember like we did with IPv4?
I will also concede that Microsoft has not helped with issuing multiple IPv6
addresses using "privacy" settings even if a static IPv6 address is set.
In general, I just don't agree with your conclusions, and with proper IPv6
firewall rules, the network should still be as secure as the IPv4 systems, not
more insecure just because they run an IPv6 stack.
Curtis
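To check the claim above against an actual address plan, here is an added example (not part of this thread or of the article) that classifies the Interface ID of each address according to the option list quoted from the article, so an operator can see which of their own addresses fall into a reduced search space. The HEX_WORDS dictionary and the sample addresses in the 2001:db8::/32 documentation prefix are constructed for the example.

```python
import ipaddress

# Hex-spellable words often picked for memorable ("wordy") addresses (constructed, non-exhaustive).
HEX_WORDS = {"dead", "beef", "cafe", "face", "babe", "feed", "f00d", "c0de", "fade", "abcd", "1234"}

# Constructed sample addresses covering each pattern from the quoted list.
SAMPLE = ["2001:db8::a2b3:c4ff:fed5:e6f7", "2001:db8::1", "2001:db8::c000:201",
          "2001:db8::192:0:2:1", "2001:db8::dead:beef", "2001:db8::5efe:c000:201",
          "2001:db8::3a7e:91b0:4c2d:f58a"]


def classify_iid(addr: str) -> tuple[str, str]:
    """Classify the Interface ID (low 64 bits) of an IPv6 address by how predictable it is.
    Returns (category, detail); categories: eui64, transition, wordy, low-byte,
    ipv4-embedded, random (the last covers privacy/temporary and randomised IIDs)."""
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & 0xFFFF_FFFF_FFFF_FFFF
    raw = iid.to_bytes(8, "big")
    groups = ip.exploded.split(":")[4:]  # the four 16-bit groups of the IID

    # Modified EUI-64: MAC split around ff:fe, universal/local bit of the first byte flipped.
    if raw[3:5] == b"\xff\xfe":
        mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
        return "eui64", "MAC " + ":".join(f"{b:02x}" for b in mac)
    # ISATAP (transition technology): IID starts with 0000:5efe or 0200:5efe, then the IPv4 address.
    if iid >> 32 in (0x00005EFE, 0x02005EFE):
        return "transition", f"ISATAP over {ipaddress.IPv4Address(iid & 0xFFFFFFFF)}"
    # Wordy: every non-zero group is a hex word.
    nonzero = [g for g in groups if g != "0000"]
    if nonzero and all(g in HEX_WORDS for g in nonzero):
        return "wordy", ":".join(nonzero)
    # Low-byte: everything above the low 16 bits is zero (::1, ::2, ::a1 ...).
    if iid >> 16 == 0:
        return "low-byte", f"::{iid:x}"
    # IPv4 embedded as hex in the low 32 bits (::c000:201) or as decimal groups (::192:0:2:1).
    if iid >> 32 == 0:
        return "ipv4-embedded", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    if all(g.isdigit() and int(g, 10) <= 255 for g in groups):
        return "ipv4-embedded", ".".join(str(int(g, 10)) for g in groups)
    return "random", "no recognised pattern (privacy/temporary or randomised)"


def audit(addrs):
    """Return only the addresses whose IIDs follow a predictable pattern."""
    return {a: classify_iid(a) for a in addrs if classify_iid(a)[0] != "random"}


if __name__ == "__main__":
    for a, (cat, detail) in audit(SAMPLE).items():
        print(f"{a:34} {cat:14} {detail}")
```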
-----Original Message-----
From: Dave Hart [mailto:[email protected]]
Sent: Wednesday, June 13, 2012 12:29 PM
To: Fernando Gont
Cc: NANOG
Subject: Re: Article: IPv6 host scanning attacks
On Wed, Jun 13, 2012 at 6:52 AM, Fernando Gont <[email protected]> wrote:
> Folks,
>
> TechTarget has published an article I've authored for them, entitled
> "Analysis: Vast IPv6 address space actually enables IPv6 attacks".
>
> The aforementioned article is available at:
> <http://searchsecurity.techtarget.com/tip/Analysis-Vast-IPv6-address-space-actually-enables-IPv6-attacks>
"published" and "available" are misleading at best. The article is teased with
a sentence and a half, truncated by a demand for an email address with tiny
legalese mentioning a privacy policy and terms of use that undoubtedly would
take far longer to read than Gont's valuable content.
> (FWIW, it's a human-readable version of the IETF Internet-Draft I
> published a month ago or so about IPv6 host scanning (see:
> <http://tools.ietf.org/html/draft-gont-opsec-ipv6-host-scanning>))
I guess I'll take a look at this to see what you're smoking.
> You can get "news" about this sort of stuff by following @SI6Networks
> on Twitter.
"news" in quotes is appropriate given it's really eyeball harvesting for
marketing purposes.
Cheers,
Dave Hart