Re: draft-vandevelde-v6ops-nap-01.txt - "maybe add a bit more on proxy servers ..."



Hi Fred,

On Fri, 18 Mar 2005 02:38:25 -0500
Baker Fred <fred@cisco.com> wrote:

> On Mar 18, 2005, at 2:25 AM, Mark Smith wrote:
> > Tony Hain pointed this out a while back on the IPv6 mailing list. For 
> > example, (and I've explored this a bit more at 
> > http://www.circleid.com/article.php?id=805_0_1_0_C/ ), assuming the 
> > ability to sweep ping 100 IPv6 addresses per second on a /64, and 
> > assuming a hit within the first 50%, it would take 2 924 712 086.77 
> > years to find a single host. Of course, the odds go up with more 
> > hosts, however, the time to sweep ping would still be impractical.
> 
> I don't know why people bring that fact up. It is true, but the fact 
> that it is true means the problem will be solved another way. I'll bet 
> it is done by letter-bombs.

Admittedly I don't exactly know what you're referring to with
"letter-bombs", however, I'll guess you're describing using other
techniques to identify devices, such as emails with URLs, with the web
server then recording source IPv6 addresses. Am I correct?

If I am correct, I completely agree. I consider hiding devices to be a
useful defence mechanism, however, it certainly shouldn't be the only
one. Unfortunately, a lot of pro-NAT people, including those who think
NAT should be implemented in IPv6 because of that property, seem to
consider it the best thing since sliced bread, and talk about it like it
is the "only" security mechanism that is needed. Social engineering via
emails with enclosed URLs, or malware attached to software, are far
bigger and more common threats today, and of course, IPv4 + NAT or IPv6 by
itself won't (and I'm pretty sure will never) be effective against
either of them, or any other attacks that socially engineer the user.

I only bring it up to show that using NAT-style or middleware topology
hiding techniques probably isn't necessary in IPv6, due to the huge
effort involved in sweep pinging a /64. Blocking incoming pings, or
outgoing ICMP unreachables/echo-replies etc. will be effective enough
for those who want further protection than what the huge address space
of IPv6 inherently provides.

Regards,
Mark.

-- 

    The Internet's nature is peer to peer.
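An added example, not part of the mail thread, that reproduces the sweep-ping arithmetic quoted above (100 probes per second on a /64, a hit within the first 50%, a 365-day year) and goes one step beyond it: a function that estimates the expected time to the first hit when several hosts share the subnet. That generalisation assumes hosts are placed uniformly and independently, which is the example's assumption rather than anything the thread states.

```python
"""Quantify the "sweeping a /64 is impractical" argument from the thread.

Added illustration; the constants (100 probes/s, 50% of a /64, a 365-day
year) are the thread's own, the multi-host model is an assumption.
"""

from fractions import Fraction

# 365-day year: this is what reproduces the 2 924 712 086.77 figure quoted
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def subnet_size(prefix_len: int) -> int:
    """Number of IPv6 addresses in a subnet with the given prefix length."""
    return 1 << (128 - prefix_len)


def sweep_years(prefix_len: int = 64, probes_per_sec: int = 100,
                hit_fraction: Fraction = Fraction(1, 2)) -> float:
    """Years needed to probe `hit_fraction` of a subnet at `probes_per_sec`.

    With the defaults this is exactly the thread's calculation: half of a
    /64 at 100 addresses per second.  Exact rational arithmetic is used so
    the 2^63 intermediate value is not rounded before the final division.
    """
    probes = Fraction(subnet_size(prefix_len)) * hit_fraction
    return float(probes / probes_per_sec / SECONDS_PER_YEAR)


def expected_years_to_first_hit(hosts: int, prefix_len: int = 64,
                                probes_per_sec: int = 100) -> float:
    """Expected years until the first of `hosts` addresses is probed.

    Assumption (not from the thread): the hosts sit at uniformly random,
    independent addresses and the sweep never repeats an address, so the
    expected number of probes before the first hit is (N + 1) / (hosts + 1).
    For a single host that is ~N/2, i.e. the "hit within the first 50%"
    figure used in the thread; more hosts shorten it only linearly.
    """
    n = subnet_size(prefix_len)
    probes = Fraction(n + 1, hosts + 1)
    return float(probes / probes_per_sec / SECONDS_PER_YEAR)


if __name__ == "__main__":
    print(f"thread's figure, 1 host, 100 probes/s: {sweep_years():,.2f} years")
    print(f"same sweep at 1e9 probes/s:            "
          f"{sweep_years(probes_per_sec=10**9):,.2f} years")
    print(f"999 hosts in the /64, 100 probes/s:    "
          f"{expected_years_to_first_hit(999):,.2f} years")
```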