
Re: Address Scanning Document comments



If I may give you a healthy caution...

In industry, we have a saying that one should not "believe one's own hype", or "breathe one's exhaust". John Chambers, Cisco's CEO, once asked Carly Fiorina, then CEO HP, to give a keynote at a Cisco corporate conference for the senior management and technical staff. At the end, he did a little interview with her, and asked her what she saw as the greatest danger there was to his company. The look on her face suggested that she was thinking on her feet - she hadn't been prepped for the question. She nonetheless replied, politely but without hesitation: "don't believe your own hype".

It is management's job to tell the troops and marketing's to tell the world "we're the greatest, and our products are the greatest". Every company, regardless of where it stands in reality, finds something to say about itself to allow it to say "we're the greatest, and the world is emulating us." And when you're in Cisco's position, it's pretty easy to believe it is true.

Juniper exists because at a certain point Cisco believed its own hype. The industry is better for it - the competition keeps us both at the top of our game, and our customers benefit. But there have been some hard lessons.

IPv6 is a great thing in a number of ways. The marketing story greatly exceeds its wonder, though. Make no mistake, IPv6 has as many vulnerabilities as IPv4. One just attacks them in a different way. If you want to leave IPv6 exposed and vulnerable, tell the world how invulnerable it is, how great a security solution and QoS solution and whatever else it is. It gives us a lot more addresses, and we need them, and having the addresses there are some very interesting things we can do, like the mobility stuff. That doesn't mean that it solves world hunger.

Don't tell me how hard it will be to attack IPv6 using IPv4 techniques, or how IPv6 is more vulnerable if IPv4 is running in the same machine. Tell me how attackers will attack an IPv6 network, and how to defend against them. Make no mistake: they will.

Don't believe your own hype.

On Mar 22, 2006, at 7:10 PM, Tim Chown wrote:

On Wed, Mar 22, 2006 at 04:28:23PM -0800, Roland Dobbins wrote:

On Mar 22, 2006, at 4:04 PM, Fred Baker wrote:

  It is also worth noting that worms that spread by scanning target
  networks for hosts to re-attack have become more common in recent
  times.  Thus a much more sparsely address-populated IPv6 network will
  have a more innate defense to such forms of worm infection, although
  there may still be significant scanning traffic generated.

I hear this comment, taken from the draft, a lot, and I'm not as
sure that it is true. Finding the hosts on a remote LAN will
require the use of different techniques, but I'm not at all sure
they will be hard to find.

There's already a paper out which demonstrates this supposition to be
incorrect:

http://www.cs.columbia.edu/~smb/papers/v6worms.pdf

Yes, nice paper (which I think was posted here recently, well after the
latest version of the scanning draft).

Within an IPv4 site, a worm can propagate across all subnets, because
the site's address space is probably dense due to the address conservation requirements; in contrast in IPv6 I suspect the resilience is inter-subnet, rather than intra-subnet. Once an attacker is on-link, you're in trouble.

Of course while dual-stack is used, you're subject to the limitations of
the 'weaker' of the protocols.

--
Tim/::1
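The density argument in the thread above, worked through as an added example (not code from the draft, the cited paper or any poster): the expected number of blind random probes a scanning worm needs before it first hits a live host is the block size divided by the host count, and under dual-stack the defender gets only the weaker of the two figures. The host counts and probe rate below are constructed illustrative values.

```python
# Added example: expected cost of blind uniform random scanning of one
# address block holding a given number of live hosts. Constructed values;
# not a model of any specific worm.
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600


def expected_probes_with_replacement(block_bits: int, live_hosts: int) -> Fraction:
    """Probes drawn uniformly with replacement: the first hit is geometric
    with p = N / M, so the mean number of probes is M / N."""
    if live_hosts <= 0:
        raise ValueError("need at least one live host")
    addresses = 1 << block_bits
    return Fraction(addresses, live_hosts)


def expected_probes_without_replacement(block_bits: int, live_hosts: int) -> Fraction:
    """Probes that never repeat an address: mean position of the first of
    N marked items among M is (M + 1) / (N + 1)."""
    if live_hosts <= 0:
        raise ValueError("need at least one live host")
    addresses = 1 << block_bits
    return Fraction(addresses + 1, live_hosts + 1)


def years_at_rate(probes: Fraction, probes_per_second: int) -> float:
    """Wall-clock time for a scanner running at a fixed probe rate."""
    return float(probes) / probes_per_second / SECONDS_PER_YEAR


def dual_stack_probes(v4_block_bits: int, v6_block_bits: int, live_hosts: int) -> Fraction:
    """Dual-stack hosts are reachable over either protocol, so the cost to
    find one is bounded by the cheaper (weaker) of the two address spaces."""
    return min(expected_probes_with_replacement(v4_block_bits, live_hosts),
               expected_probes_with_replacement(v6_block_bits, live_hosts))


def compare_subnets(live_hosts: int = 200, probes_per_second: int = 1_000_000) -> dict:
    """Dense IPv4 /24 (8 host bits) versus a sparse IPv6 /64 (64 bits),
    both holding the same constructed number of live hosts."""
    v4 = expected_probes_with_replacement(8, live_hosts)
    v6 = expected_probes_with_replacement(64, live_hosts)
    return {
        "ipv4_24_probes": v4,
        "ipv6_64_probes": v6,
        "ipv6_64_years": years_at_rate(v6, probes_per_second),
        "dual_stack_probes": dual_stack_probes(8, 64, live_hosts),
    }
```

The /64 figure is why intra-subnet random scanning is impractical while the /24 figure is why it is nearly free on IPv4; the dual-stack value shows that adding a sparse IPv6 prefix to a densely populated IPv4 subnet buys nothing until IPv4 is gone.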