
Re: draft-vandevelde-v6ops-nap-01.txt - "maybe add a bit more on proxy servers ..."



Multicast in various forms. The most useful ones would be the All-Nodes Multicast Address (link-local) and the All-Routers Multicast Address (site-local).

In IPv4, a simple letter-bomb is subnet broadcast. If you know or think that 123.45.67.0/24 is a subnet in a company, pinging 123.45.67.255 might very well get you an ICMP Echo Response from each host on that LAN. In IPv6, pinging any multicast address should get you an ICMPv6 Echo Response from each host in the multicast group. Pinging All-Routers should get you a list of the routers in a network, and therefore a list of the transit subnets in a network (but not necessarily the edge LANs that have only one router on them). The Subnet-Router anycast address will certainly find a router in your subnet, and (rather than arping for each of your neighbors as is currently done by viruses), pinging the All-Nodes Multicast Address should get you an echo response from every node on your local LAN. Solicited-Node Multicast also gives you some sweeping capability, albeit only on your local LAN.

So the counterpart of today's IPv4 virus that sweeps its local LAN is a virus that sends two pings, one to All-Nodes and one to All-Routers. The echo responses give the application information about the network.

On Mar 18, 2005, at 2:57 AM, Mark Smith wrote:

Hi Fred,

On Fri, 18 Mar 2005 02:38:25 -0500
Baker Fred <fred@cisco.com> wrote:

On Mar 18, 2005, at 2:25 AM, Mark Smith wrote:
Tony Hain pointed this out a while back on the IPv6 mailing list. For
example, (and I've explored this a bit more at
http://www.circleid.com/article.php?id=805_0_1_0_C/ ), assuming the
ability to sweep ping 100 IPv6 addresses per second on a /64, and
assuming a hit within the first 50%, it would take 2 924 712 086.77
years to find a single host. Of course, the odds go up with more
hosts, however, the time to sweep ping would still be impractical.

I don't know why people bring that fact up. It is true, but the fact that it is true means the problem will be solved another way. I'll bet it is done by letter-bombs.

Admittedly I don't exactly know what you're referring to with "letter-bombs"; however, I'll guess you're describing using other techniques to identify devices, such as emails with URLs, with the web server then recording source IPv6 addresses. Am I correct?

If I am correct, I completely agree. I consider hiding devices to be a
useful defence mechanism, however, it certainly shouldn't be the only
one. Unfortunately, a lot of pro-NAT people, including those who think
NAT should be implemented in IPv6 because of that property, seem to
consider it the best thing since sliced bread, and talk about it like it
is the "only" security mechanism that is needed. Social engineering via
emails with enclosed URLs, or malware attached to software, are far
bigger and more common threats today, and of course, IPv4 + NAT or IPv6 by
itself won't (and I'm pretty sure will never) be effective against
either of them, or any other attacks that socially engineer the user.


I only bring it up to show that using NAT-style or middleware topology
hiding techniques probably isn't necessary in IPv6, due to the huge
effort involved in sweep pinging a /64. Blocking incoming pings, or
outgoing ICMP unreachables/echo-replies etc. will be effective enough
for those who want further protection than what the huge address space
of IPv6 inherently provides.

Regards,
Mark.

--

    The Internet's nature is peer to peer.
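The two technical points in this exchange, Fred's multicast "letter-bomb" (one Echo Request to All-Nodes or All-Routers instead of a sweep) and Mark's estimate of how long sweep-pinging a /64 takes, as an added worked example. This is not code from the thread or from any of its participants. It uses only the Python standard library; the link-local addresses (fe80::1, fe80::aaa and so on), the identifier 0x1234 and the sample replies are constructed for the example, not captured from a real network. The `send_probe` function is the only part that touches the network, needs raw-socket privilege, and is deliberately not called, so the block runs offline.

```python
"""Multicast letter-bomb vs. /64 sweep: build/verify ICMPv6 Echo messages and
reproduce the sweep-time arithmetic from the thread. Sample data is constructed."""
import socket
import struct

ALL_NODES = "ff02::1"      # link-local all-nodes multicast
ALL_ROUTERS = "ff02::2"    # link-local all-routers multicast
ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 128, 129
SECONDS_PER_YEAR = 365 * 86400   # a 365-day year reproduces Mark's 2 924 712 086.77 figure


def sweep_years(address_bits: int, prefix_len: int, probes_per_second: float,
                hit_fraction: float = 0.5) -> float:
    """Expected years to sweep-ping one prefix at a fixed probe rate, assuming the first
    hit comes after `hit_fraction` of the space has been probed (Mark's "within the first 50%")."""
    addresses = 2 ** (address_bits - prefix_len)
    return addresses * hit_fraction / probes_per_second / SECONDS_PER_YEAR


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header (src, dst, upper-layer length,
    3 zero bytes, next header 58) followed by the ICMPv6 message."""
    data = (socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst)
            + struct.pack("!I3xB", len(message), socket.IPPROTO_ICMPV6)
            + message)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries (ones-complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(msg_type: int, src: str, dst: str, ident: int, seq: int, data: bytes = b"") -> bytes:
    """ICMPv6 Echo Request/Reply: type, code 0, checksum, identifier, sequence, data."""
    body = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq) + data
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def collect_responders(replies, our_addr: str, ident: int):
    """Reduce captured (source address, ICMPv6 message) pairs to the hosts that answered
    our probe: Echo Reply, code 0, valid checksum, our identifier. Replies to a multicast
    Echo Request come from each member's own unicast address, which is the whole point."""
    found = set()
    for src, msg in replies:
        if len(msg) < 8 or msg[0] != ICMPV6_ECHO_REPLY or msg[1] != 0:
            continue
        if icmpv6_checksum(src, our_addr, msg) != 0:   # a valid message verifies to 0
            continue
        if struct.unpack("!H", msg[4:6])[0] != ident:
            continue
        found.add(src)
    return sorted(found)


def send_probe(message: bytes, dst: str, ifname: str) -> None:
    """Send on a raw ICMPv6 socket (needs CAP_NET_RAW). The kernel adds the IPv6 header and,
    for IPPROTO_ICMPV6 raw sockets, fills in the checksum itself; a link-local multicast
    destination needs the outgoing interface index as scope id. Not called in this block."""
    with socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6) as sock:
        sock.sendto(message, (dst, 0, 0, socket.if_nametoindex(ifname)))


# --- constructed sample data (hypothetical addresses, not a real capture) ---
OUR_ADDR = "fe80::1"
PROBE = build_echo(ICMPV6_ECHO_REQUEST, OUR_ADDR, ALL_NODES, ident=0x1234, seq=1, data=b"v6ops")


def sample_replies():
    """Two genuine answers, one reply to someone else's probe, one damaged in transit."""
    good_a = build_echo(ICMPV6_ECHO_REPLY, "fe80::aaa", OUR_ADDR, 0x1234, 1, b"v6ops")
    good_b = build_echo(ICMPV6_ECHO_REPLY, "fe80::bbb", OUR_ADDR, 0x1234, 1, b"v6ops")
    wrong_id = build_echo(ICMPV6_ECHO_REPLY, "fe80::ccc", OUR_ADDR, 0x9999, 1, b"v6ops")
    damaged = bytearray(build_echo(ICMPV6_ECHO_REPLY, "fe80::ddd", OUR_ADDR, 0x1234, 1, b"v6ops"))
    damaged[-1] ^= 0xFF                                  # payload altered, checksum no longer matches
    return [("fe80::aaa", good_a), ("fe80::bbb", good_b),
            ("fe80::ccc", wrong_id), ("fe80::ddd", bytes(damaged))]


if __name__ == "__main__":
    print("IPv4 /24 at 100 probes/s: %.2f seconds" % (sweep_years(32, 24, 100) * SECONDS_PER_YEAR))
    print("IPv6 /64 at 100 probes/s: %.2f years" % sweep_years(128, 64, 100))
    print("probe to %s: %s" % (ALL_NODES, PROBE.hex()))
    print("responders:", collect_responders(sample_replies(), OUR_ADDR, 0x1234))
```

Running it shows the asymmetry the thread is about: the /24 sweep finishes in about a second, the /64 sweep takes Mark's 2.9 billion years, and the single probe to ff02::1 needs neither, because every host that answers hands over its own unicast address. The checksum verification in `collect_responders` matters for the same reason Mark gives: an attacker parsing replies is also an attacker who can be fed forged or truncated ones.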