
RE: draft-vandevelde-v6ops-nap-01.txt - "maybe add a bit more on proxy servers ..."



> >  ... In IPv6, pinging any multicast address should get you an ICMPv6
> > Echo Response from each host in the multicast group. Pinging
> > All-Routers should get you a list of the routers in a network, and
> > therefore a list of the transit subnets in a network (but not
> > necessarily the edge LANs that have only one router on them). The
> > Subnet-Router anycast address will certainly find a router in your
> > subnet, and (rather than ARPing for each of your neighbors as is
> > currently done by viruses), pinging the All-Nodes Multicast Address
> > should get you an echo response from every node on your local LAN.
> > Solicited-Node Multicast also gives you some sweeping capability,
> > albeit only on your local LAN.
> >
> 
> It's a bit of a surprise to me that the off-link sourced methods you've
> described would work in IPv6, because I've assumed that as directed
> broadcast style techniques had been deprecated in IPv4, they also
> wouldn't be available in IPv6.

This technique does not work remotely -- the all nodes and all routers
multicast addresses are defined in "link local" scope. The virus will
only learn about directly connected targets, i.e. 1 hop away.

Note that it is in any case very difficult to hide from nodes on the
same subnet. The hypothetical virus can collect a list of targets by
simply subscribing to local multicast groups, and passively waiting for
traffic to come in -- the source address of a multicast describes a
potential target. This works quite well for both IPv4 and IPv6.

The advantage of IPv6 is that it is very hard to perform a "remote scan" --
much harder than "for I=1 to 254 ping 123.45.67.$I".

-- Christian Huitema
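As an added illustration (not part of Christian Huitema's message or of the draft), the Python below decodes the RFC 4291 scope nibble of an IPv6 multicast address and derives the solicited-node and subnet-router anycast addresses the thread mentions; it shows why an All-Nodes (ff02::1) or All-Routers (ff02::2) probe stays on one link and is never forwarded by a router. The sample addresses are constructed.

```python
import ipaddress

# Multicast scope values from RFC 4291 section 2.7: the 4th hex nibble of an ff00::/8 address.
MULTICAST_SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x3: "realm-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

# Well-known link-local groups discussed in the thread.
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")

def _scope_nibble(addr: ipaddress.IPv6Address) -> int:
    # Top 16 bits hold "ff" + flags + scope; the low nibble of that group is the scope.
    return (int(addr) >> 112) & 0xF

def multicast_scope(addr: str) -> str:
    """Return the RFC 4291 scope name of an IPv6 multicast address."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    scope = _scope_nibble(a)
    return MULTICAST_SCOPES.get(scope, f"unassigned({scope:#x})")

def forwardable_by_router(addr: str) -> bool:
    """True if a router may forward traffic to this destination.

    Link-local (and interface-local) multicast is never forwarded, which is why
    ff02::1 / ff02::2 only reach nodes one hop away; unicast is routed normally.
    """
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        return True
    return _scope_nibble(a) > 0x2

def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """Solicited-node group: ff02::1:ff00:0/104 with the unicast address's low 24 bits."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def subnet_router_anycast(prefix: str) -> ipaddress.IPv6Address:
    """Subnet-Router anycast: the subnet prefix with an all-zero interface identifier."""
    return ipaddress.IPv6Network(prefix, strict=False).network_address
```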