Hi Fernando,
Together with researchers from Akamai, we also stumbled upon this issue
last year. See here for the paper on IPv6 scanning published at ACM IMC
2022 (especially relevant is the second paragraph in the Discussion
section):
https://olivergasser.net/papers/richter2022illuminating.pdf
As you write in the I-D, the attribution of IPv6 activity (which includes
scanning) is a major unresolved problem. It is completely unclear to
what level operators should aggregate IPv6 addresses. Aggregating too
little will result in (unwanted) activity remaining undetected;
aggregating too much will result in collateral damage by putting
together different users (be it ISP users, cloud infrastructure users,
VM users, etc.). This could be a real problem when we think about
automated blocking or rate-limiting of IPv6 addresses/prefixes.
Cheers,
Oliver
On 2/5/23 11:44, Fernando Gont wrote:
Hi, All,
Recently, I happened to participate in an IPv6 deployment meeting with
some large content provider, and said meeting included a discussion
about how to mitigate some attacks using block-lists. These folks argued
that they ban offending IPv6 addresses as /128s, following IPv4 practices.
So it seemed to me that some of the implications arising from the
increased IPv6 address space were non-obvious to them -- that has been
the motivation for the publication of this document.
* TXT:
https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
* HTML:
https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html
Comments welcome!
P.S.: The document is targeted at the IETF opsec wg
(https://www.ietf.org/mailman/listinfo/opsec), but I'll be happy to
discuss it on this mailing-list, off-list, or at the opsec wg
mailing-list...
Thanks!
Regards,
Fernando
-------- Forwarded Message --------
Subject: New Version Notification for
draft-gont-opsec-ipv6-addressing-00.txt
Date: Thu, 02 Feb 2023 19:48:40 -0800
From: [email protected]
To: Fernando Gont <[email protected]>, Guillermo Gont
<[email protected]>
A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt
has been successfully submitted by Fernando Gont and posted to the
IETF repository.
Name: draft-gont-opsec-ipv6-addressing
Revision: 00
Title: Implications of IPv6 Addressing on Security Operations
Document date: 2023-02-02
Group: Individual Submission
Pages: 8
URL:
https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/
Htmlized:
https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing
Abstract:
The increased address availability provided by IPv6 has concrete
implications on security operations. This document discusses such
implications, and sheds some light on how existing security
operations techniques and procedures might need to be modified
to accommodate the increased IPv6 address availability.
The IETF Secretariat
--
Dr. Oliver Gasser
Max Planck Institute for Informatics
Web: https://olivergasser.net
PGP FP: 79A3 FB45 1F03 930C 9B5F 2192 2967 A665 11A8 FADB
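
The aggregation trade-off discussed in this message, as an added example that is not part of the original e-mail or the I-D: a block-list is built from observed offending addresses at several prefix lengths and then checked against later traffic. All addresses are constructed samples from the 2001:db8::/32 documentation prefix, and the layout (one source rotating addresses inside a single /64, unrelated users in sibling /64s) is an assumption; which prefix length fits a real network depends on how its provider assigns prefixes.

```python
import ipaddress

# Constructed sample data (documentation prefix, not real traffic).
# Assumption: one offending source rotates interface IDs inside one /64.
SEEN_OFFENDERS = [
    "2001:db8:aa:1101::1",
    "2001:db8:aa:1101::2",
    "2001:db8:aa:1101:dead::3",
]
# Same source seen later under addresses not observed before.
LATER_OFFENDERS = ["2001:db8:aa:1101::beef", "2001:db8:aa:1101:1:2:3:4"]
# Unrelated users: same /56, same /48 only, and a different /48.
LATER_BENIGN = [
    "2001:db8:aa:1102::10",
    "2001:db8:aa:2200::10",
    "2001:db8:bb:1::10",
]


def aggregate(addresses, prefix_len):
    """Collapse addresses into the set of enclosing prefixes of prefix_len."""
    return {
        ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False)
        for addr in addresses
    }


def evaluate(prefix_len):
    """Build a block-list at prefix_len and score it against later traffic."""
    blocklist = aggregate(SEEN_OFFENDERS, prefix_len)

    def blocked(addr):
        ip = ipaddress.IPv6Address(addr)
        return any(ip in net for net in blocklist)

    return {
        "entries": len(blocklist),
        # Offending traffic that slips past the block-list.
        "missed": sum(not blocked(a) for a in LATER_OFFENDERS),
        # Unrelated users caught by the block-list.
        "collateral": sum(blocked(a) for a in LATER_BENIGN),
    }


if __name__ == "__main__":
    for plen in (128, 64, 56, 48):
        print(f"/{plen:<3} {evaluate(plen)}")
```
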