On Jan 7, 2011, at 6:23 AM, Tim Chown wrote:

> On 6 Jan 2011, at 18:20, Owen DeLong wrote:
>
>> On Jan 5, 2011, at 7:18 PM, Dobbins, Roland wrote:
>>
>>> On Jan 6, 2011, at 10:08 AM, Joe Greco wrote:
>>>
>>>> Packing everything densely is an obvious problem with IPv4; we learned
>>>> early on that having a 48-bit (32 address, 16 port) space to scan made
>>>> port-scanning easy, attractive, productive, and commonplace.
>>>
>>> I don't believe that host-/port-scanning is as serious a problem as you
>>> seem to think it is, nor do I think that trying to somehow prevent hosts
>>> from being host-/port-scanned has any material benefit in terms of security
>>> posture; that's our fundamental disagreement.
>>>
>> You are mistaken... Host scanning followed by port sweeps is a very common
>> threat and still widely practiced in IPv4.
>
> In our IPv6 enterprise we have not seen any 'traditional' port scans (across
> IP space); rather we see port sweeps on IPv6 addresses that we expose
> publicly (DNS servers, web servers, MX servers etc). This is discussed a
> bit in RFC5157.
>

Good for you. We have seen actual host-scanning. It hasn't been particularly successful (firing blind into a very large ocean hoping to hit a whale rarely is), but, nonetheless, we've seen scans go at it for up to 8 hours before they were terminated by the originator. (Very little of a /64 gets scanned in 8 hours, however.)

> We have yet to see any of the ND problems discussed in this thread, mainly I
> believe because our perimeter firewall blocks any such sweeps before they hit
> the edge router serving the 'attacked' subnet.
>

Likewise, we haven't seen them. Not even with the active scanning that has been touted as the likely cause thereof.

> The main operational problem we see is denial of service caused by
> unintentional IPv6 RAs from hosts.
>

Yep... Push your switch vendors for RA-Guard. This is a very real problem. Right up there with unintentional 6to4 gateways that don't lead anywhere.

Owen
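The rogue-RA problem the thread ends on (hosts accidentally advertising, including stray 6to4 prefixes) is what RA-Guard filters on the switch; as an added example that is not part of the thread, the following triage script does the same classification offline over a constructed log of observed RAs. The log format, port names, router allowlist and prefixes are all assumptions.

```python
"""Rogue Router Advertisement triage over a log of observed RAs.

Added example, not from the original thread. The record layout (ingress
switch port, sender link-local address, advertised prefix), the port names
and the policy sets below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample of what a capture or switch RA log might yield.
OBSERVED_RAS = [
    ("Gi1/0/48", "fe80::1", "2001:db8:1::/64"),                      # real router uplink
    ("Gi1/0/12", "fe80::20c:29ff:fe3a:1b2c", "2001:db8:1::/64"),     # host re-advertising
    ("Gi1/0/7",  "fe80::a00:27ff:fe11:2233", "2002:c000:204::/64"),  # accidental 6to4 gateway
    ("Gi1/0/48", "fe80::1", "2001:db8:1::/64"),                      # duplicate, legitimate
]

# Assumed policy: ports that legitimately face routers, and prefixes that are ours.
ROUTER_PORTS = {"Gi1/0/48"}
EXPECTED_PREFIXES = {ipaddress.ip_network("2001:db8:1::/64")}
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")


@dataclass(frozen=True)
class Finding:
    port: str
    sender: str
    prefix: str
    reason: str


def triage(observed):
    """Return deduplicated findings for RAs that RA-Guard would have dropped."""
    findings, seen = [], set()
    for port, sender, prefix in observed:
        net = ipaddress.ip_network(prefix)
        if port in ROUTER_PORTS and net in EXPECTED_PREFIXES:
            continue  # legitimate router on a router-facing port
        if port not in ROUTER_PORTS:
            reason = "RA from non-router port"
            if net.subnet_of(SIX_TO_FOUR):
                reason += " advertising a 6to4 prefix"
        else:
            reason = "router port advertising unexpected prefix"
        finding = Finding(port, sender, prefix, reason)
        if finding not in seen:
            seen.add(finding)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(OBSERVED_RAS):
        print(f"{f.port} {f.sender} {f.prefix}: {f.reason}")
```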