On 6 Jan 2011, at 18:20, Owen DeLong wrote:

> 
> On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:
> 
>> 
>> On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
>> 
>>> Packing everything densely is an obvious problem with IPv4; we learned 
>>> early on that having a 48-bit (32 address, 16 port) space to scan made
>>> port-scanning easy, attractive, productive, and commonplace.
>> 
>> I don't believe that host-/port-scanning is as serious a problem as you seem 
>> to think it is, nor do I think that trying to somehow prevent host from 
>> being host-/port-scanned has any material benefit in terms of security 
>> posture, that's our fundamental disagreement.
>> 
> You are mistaken... Host scanning followed by port sweeps is a very common 
> threat and still widely practiced in IPv4.

In our IPv6 enterprise we have not seen any 'traditional' port scans (across IP 
space), rather we see port sweeps on IPv6 addresses that we expose publicly 
(DNS servers, web servers, MX servers etc). This is discussed a bit in 
RFC5157.

We have yet to see any of the ND problems discussed in this thread, mainly I 
believe because our perimeter firewall blocks any such sweeps before they hit 
the edge router serving the 'attacked' subnet.

The main operational problem we see is denial of service caused by 
unintentional IPv6 RAs from hosts.

I think this is an interesting thread though and we'll run some tests 
internally to see how the issue might (or might not) affect our network.

Tim
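The port sweeps against published addresses that Tim describes above are easy to pick out of perimeter deny logs, because a sweep is one source touching many ports on one published host rather than many hosts. The following is an added example, not code from any poster on this thread: it parses constructed firewall deny lines in an assumed `timestamp action proto [src]:sport -> [dst]:dport` layout (the format, addresses and threshold are all assumptions) and reports source/destination pairs that hit at least `min_ports` distinct destination ports.

```python
import re
from collections import defaultdict

# Assumed log layout; real firewalls differ, so adjust the regex to your own.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"\[(?P<src>[0-9A-Fa-f:]+)\]:(?P<sport>\d+) -> "
    r"\[(?P<dst>[0-9A-Fa-f:]+)\]:(?P<dport>\d+)$"
)

# Constructed sample: one source sweeps ports 20-31 on a published DNS server
# address, plus ordinary traffic from an unrelated source (documentation prefix).
SWEEP_SRC = "2001:db8:ffff::1"
DNS_HOST = "2001:db8:1::53"
SAMPLE_LOG = [
    f"2011-01-06T10:00:{i:02d}Z deny tcp [{SWEEP_SRC}]:{40000 + i} -> [{DNS_HOST}]:{20 + i}"
    for i in range(12)
] + [
    f"2011-01-06T10:01:00Z allow udp [2001:db8:cafe::7]:53123 -> [{DNS_HOST}]:53",
    f"2011-01-06T10:01:01Z deny tcp [2001:db8:cafe::7]:53124 -> [{DNS_HOST}]:25",
    "this line is garbage and must be skipped",
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_port_sweeps(lines, min_ports=10):
    """Group denied connections by (src, dst) and flag pairs whose distinct
    destination-port count reaches min_ports. Returns {pair: sorted ports}."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "deny":
            continue
        ports[(rec["src"], rec["dst"])].add(rec["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for (src, dst), hit_ports in find_port_sweeps(SAMPLE_LOG).items():
        print(f"port sweep: {src} -> {dst}, {len(hit_ports)} ports: {hit_ports}")
```

Only denied connections are counted, so a busy legitimate client talking to several published services does not trip the threshold; tune `min_ports` and add a time window before using this on real volume.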
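Tim's main operational problem, unintentional Router Advertisements from hosts, can be caught on the wire by parsing each ICMPv6 RA (RFC 4861 type 134) and comparing its source link-layer address and advertised prefixes against the routers that are supposed to exist on the segment. What follows is an added example, not code from the thread: it builds constructed RA messages (the MACs, the 2001:db8::/32 documentation prefixes and the allow-list are all assumptions), parses the RA header and its Source Link-Layer Address and Prefix Information options, and reports anything not on the allow-list. It assumes the ICMPv6 payload has already been extracted from a capture; checksums are left at zero because no real packets are sent.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1   # RFC 4861 section 4.6.1
OPT_PREFIX_INFO = 3     # RFC 4861 section 4.6.2

# Assumed allow-list: the only router MAC -> prefix set expected on this segment.
AUTHORIZED_ROUTERS = {"00:11:22:33:44:55": {"2001:db8:1::/64"}}


def build_ra(src_mac, prefix, router_lifetime=1800):
    """Construct a minimal RA with one source link-layer option and one
    prefix-information option (test fixture, checksum zeroed)."""
    net = ipaddress.IPv6Network(prefix)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    lladdr = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex(src_mac.replace(":", ""))
    # prefix len, L+A flags, valid lifetime, preferred lifetime, reserved, prefix
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    return hdr + lladdr + pio


def parse_ra(data):
    """Parse an ICMPv6 RA; raise ValueError on truncation or malformed options."""
    if len(data) < 16:
        raise ValueError("truncated RA header")
    msg_type, _code, _csum, _hlim, _flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", data[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"not a Router Advertisement (type {msg_type})")
    ra = {"router_lifetime": lifetime, "src_mac": None, "prefixes": []}
    off = 16
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861: must be discarded
        end = off + opt_len * 8
        if end > len(data):
            raise ValueError("option overruns message")
        body = data[off + 2:end]
        if opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, _pflags, valid, preferred, _res = struct.unpack("!BBIII", body[:14])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append((f"{prefix}/{plen}", valid, preferred))
        off = end
    return ra


def classify_ra(ra, authorized=AUTHORIZED_ROUTERS):
    """Return a list of findings; an empty list means the RA is expected."""
    mac = ra["src_mac"]
    if mac not in authorized:
        return [f"RA from unauthorized source {mac} (lifetime {ra['router_lifetime']})"]
    return [f"authorized router {mac} advertised unexpected prefix {p}"
            for p, _valid, _pref in ra["prefixes"] if p not in authorized[mac]]


if __name__ == "__main__":
    # Constructed: the real router, then a host that starts advertising by mistake.
    samples = [build_ra("00:11:22:33:44:55", "2001:db8:1::/64"),
               build_ra("de:ad:be:ef:00:01", "2001:db8:bad::/64")]
    for raw in samples:
        for finding in classify_ra(parse_ra(raw)):
            print("ALERT:", finding)
```

The parser rejects zero-length and overrunning options rather than guessing, and the classifier treats an unknown source MAC as the primary signal, since a misconfigured host will usually advertise a plausible-looking prefix; checking the prefix as well catches a legitimate router that has been reconfigured wrongly.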
