> The one upside is that nmap'ing a /64 (if it even worked) is kind of a > self-inflicted DOS attack. It might not complete in your lifetime! ;-)
Yes, this is actually a very interesting, major shift in how low-level network attacks will be performed in IPv6. Attackers will be forced to guess common addresses or use the DNS to find hosts. I wrote a thesis paper on the topic. It'll be interesting to see how it plays out.

> Once your private IPv6 address is exposed though, you are fully
> reachable *AND* have pretty much given away your macaddress (since it
> is embedded in your auto-self-configured address). There are
> solutions to the macaddr problem, but takes a little more work.
>
> There *are* implications.

Yes, it is good to be aware of this. For many systems, it's not a big worry if MAC addresses are leaked, but in some cases it could tell an attacker a lot about what kind of special-purpose appliances might be in your private network.

I currently set static addresses on my network, just to keep the numbers similar to what my v4 addresses are, so this isn't a problem for me. However, manually set internal static addresses will likely become increasingly less popular and hard to manage in v6, so other solutions would be necessary.

Russell, are you familiar with the current easiest way to run 1:1 NAT with autoconfigured addresses? Is this even possible/easy with iptables? Several years ago I caught a netfilter developer on freenode and asked about NAT options and he wasn't very supportive of the idea at all. I think NAT will likely become popular for internal address portability, though NAPT should be shunned.

tim

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
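An added example, not part of the original message: a small audit that shows how the MAC address is recoverable from an autoconfigured (modified EUI-64) IPv6 address, so an administrator can check which of their own hosts expose it. The function names and the sample addresses are constructed for illustration; the addresses use the 2001:db8::/32 documentation prefix.

```python
import ipaddress


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    SLAAC without privacy extensions builds the low 64 bits from the MAC:
    ff:fe is inserted between the OUI and the NIC-specific half, and the
    universal/local bit (0x02 of the first byte) is inverted.
    """
    # Drop a zone id ("%eth0") or prefix length ("/64") if present.
    ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
    iid = ip.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":         # marker bytes inserted by EUI-64
        return None                     # static, random or privacy address
    mac = bytearray(iid[:3] + iid[5:])  # remove the ff:fe filler
    mac[0] ^= 0x02                      # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Map each address to the MAC it exposes (None if it exposes none).

    A random interface ID matches the ff:fe marker by chance about once
    in 65536 addresses, so treat a hit as a strong hint, not proof.
    """
    return {a: eui64_mac(a) for a in addresses}


# Constructed sample input: one SLAAC/EUI-64 address, one static address,
# one random-looking interface ID, and one link-local address with a zone id.
SAMPLE = [
    "2001:db8:1:2:021a:2bff:fe3c:4d5e",
    "2001:db8:1:2::10",
    "2001:db8:1:2:5c9f:71a3:08e2:b4d1",
    "fe80::21a:2bff:fe3c:4d5e%eth0",
]

if __name__ == "__main__":
    for address, mac in audit(SAMPLE).items():
        status = f"exposes MAC {mac}" if mac else "no embedded MAC"
        print(f"{address:40} {status}")
```

Hosts flagged here are candidates for a static interface ID or for the temporary/privacy addresses defined in RFC 4941.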
