Thus spake "Donald Stahl" <[EMAIL PROTECTED]>
I'm not sure I understand what you are saying- if you number
based on hardware addresses then I have no idea what you
mean by "address ranges." The hosts you are trying to
compromise could be anywhere in the subnet- that's the 3500
years I was referr
I would call that not understanding today's security world. "Scanning"
is not the primary mode of looking for vulnerabilities today. There are
several more effective "come here and get infected" and "click on this
attachment and get infected" techniques.
I'm well aware of the modern security pr
> > This assumes a single machine scanning, not a botnet of
> 1000 or even
> > the 1.5m the Dutch gov't collected 2 yrs ago.
> > Again, a sane discussion is in order. Scanning isn't AS
> EASY, but it
> > certainly is still feasible,
> With 1.5 million hosts it will only take 3500 years... f
There are "smarter" ways to scan v6 address space than this approach.
My favorite is "First, the attacker may rely on the administrator
conveniently numbering their hosts from [prefix]::1 upward. This
makes scanning trivial."
Most definitely- but not doing that should be considered best practi
On May 29, 2007, at 8:28 PM, Donald Stahl wrote:
Scanning isn't AS EASY, but it certainly is still feasible,
With 1.5 million hosts it will only take 3500 years... for a
_single_ /64!
I'm not sure that's what I would call feasible.
There are "smarter" ways to scan v6 address space than th
This assumes a single machine scanning, not a botnet of 1000 or even the
1.5m the Dutch gov't collected 2 yrs ago.
Again, a sane discussion is in order. Scanning isn't AS EASY, but it
certainly is still feasible,
With 1.5 million hosts it will only take 3500 years... for a _single_ /64!
I'm n
[EMAIL PROTECTED] wrote:
> On Tue, May 29, 2007 at 06:14:51PM +0100, Brandon Butterworth wrote:
>> You get one shot at fixed prefix size filters, miss and you'll pay
>> forever. Which is more scarce, /32's or routing table entries.
>
> your first lemma is false.
> and RTE are more scar
On Tue, 29 May 2007, JORDI PALET MARTINEZ wrote:
> However, you can *always* turn on IPsec with IPv6, which is not always true
> for IPv4 (NATs, no end-to-end, etc.).
>
security is not JUST ipsec, and ipsec is not actually included in all
current ipv6 stacks :( (merike has some nice slides on
On Tue, May 29, 2007 at 06:14:51PM +0100, Brandon Butterworth wrote:
>
> You get one shot at fixed prefix size filters, miss and you'll pay
> forever. Which is more scarce, /32's or routing table entries.
your first lemma is false.
and RTE are more scarce.
>
> brandon
l
On Tue, 29 May 2007, Randy Bush wrote:
>
> > Does anyone have any horror stories about deploying v6?
>
> not horror, just had to back off.
>
> small site. so public servers provide multiple and diverse services.
> if a hostname has a v6 address, then all services must be v6 capable
> because c
e interface get broken, you don't need to
update the .
Regards,
Jordi
> From: David Conrad <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Tue, 29 May 2007 11:28:56 -0700
> To: Donald Stahl <[EMAIL PROTECTED]>
> CC: Nanog
> Subject: R
On Tue, 29 May 2007, David Conrad wrote:
Should've clarified: this was in the context of IPv4...
To be honest, I'm not sure what the appropriate equivalent would be in IPv6
(/128 or /64? Arguments can be made for both I suppose).
There have been discussions of this sort made over the years
RIPE may only give out /32's but ARIN gives out /48's so there wouldn't be
any deaggregation in that case.
The RIPE NCC assign /48s from 2001:0678::/29 according to ripe-404:
http://www.ripe.net/ripe/docs/ripe-404.html
Yeah I missed that. This matches ARIN's policy for critical
infrastructur
> > That's not what I said. If /48 are accepted by * then people with
> > a /32 or whatever will deagg to /48.
> Obviously you don't need to accept /48's from anywhere- you can restrict
> it to the PI pool- then /32's don't deaggregate but networks approved by
> ARIN or RIPE or whomever still w
William F. Maton Sotomayor wrote:
>
> On Tue, 29 May 2007, Mohacsi Janos wrote:
>
>>> f-root does this on the IPv6 side: 2001:500::/48
>>>
>>> Whether that's available everywhere on IPv6 networks is, as Bill
>>> pointed out, another question.
>>
>> Have a look at it:
>> http://www.sixxs.net/tool
Don't give people an excuse to deagg their /32
RIPE may only give out /32's but ARIN gives out /48's so there wouldn't be
any deaggregation in that case.
That's not what I said. If /48 are accepted by * then people with
a /32 or whatever will deagg to /48.
I understand now that you were refer
On Tue, May 29, 2007 at 01:10:17PM -0400, Donald Stahl wrote:
>
> > f-root does this on the IPv6 side: 2001:500::/48
> >
> > Whether that's available everywhere on IPv6 networks is, as Bill
> > pointed out, another question.
> One of the root servers not being available everywhere seems like a
> Does anyone have any horror stories about deploying v6?
not horror, just had to back off.
small site. so public servers provide multiple and diverse services.
if a hostname has a v6 address, then all services must be v6 capable
because clients do not retry the A record.
and, as someone point
Should've clarified: this was in the context of IPv4...
To be honest, I'm not sure what the appropriate equivalent would be
in IPv6 (/128 or /64? Arguments can be made for both I suppose).
Rgds,
-drc
On May 29, 2007, at 9:34 AM, David Conrad wrote:
On May 29, 2007, at 8:23 AM, Donald Stah
On 29 May 2007, at 6:23pm, Donald Stahl wrote:
[...]
RIPE may only give out /32's but ARIN gives out /48's so there
wouldn't be any deaggregation in that case.
The RIPE NCC assign /48s from 2001:0678::/29 according to ripe-404:
http://www.ripe.net/ripe/docs/ripe-404.html
Regards,
Leo
> >> I understand the problems but I think there are clear cut cases where
> >> /48's make sense- a large scale anycast DNS provider would seem to be a
> >> good candidate for a /48 and I would hope it would get routed. Then again
> >> that might be the only sensible reason...
> >
> > Don't give p
more specific than a /32
through no matter what IP block it comes from.
~Marla
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Donald Stahl
Sent: Tuesday, May 29, 2007 6:26 AM
To: Pekka Savola
Cc: nanog@nanog.org
Subject: Re: IPv6 Advertisements
> Anyth
f-root does this on the IPv6 side: 2001:500::/48
Whether that's available everywhere on IPv6 networks is, as Bill pointed out,
another question.
One of the root servers not being available everywhere seems like a pretty
lousy idea :)
On another note- are there any folks on the list who hav
On May 29, 2007, at 8:23 AM, Donald Stahl wrote:
vixie had a fun discussion about anycast and dns... something
about him
being sad/sorry about making everyone have to carry a /24 for f-root
everywhere.
Whether it's a /24 for f-root or a /20 doesn't really make a
difference- it's a routing ta
Chris L. Morrow wrote:
[..]
> vixie had a fun discussion about anycast and dns... something about him
> being sad/sorry about making everyone have to carry a /24 for f-root
> everywhere. I think there is a list of 'golden prefixes' or something,
> normally this is where Jeroen Massar jumps in with
On Tue, 29 May 2007, Donald Stahl wrote:
That said- ARIN is handing out /48's- should we be blocking validly
assigned networks?
your network might have to, to protect its valuable routing slots. There
are places in the v4 world where /24's are not carried either. So, as Bill
said just cause y
> I understand the problems but I think there are clear cut cases where
> /48's make sense- a large scale anycast DNS provider would seem to be a
> good candidate for a /48 and I would hope it would get routed. Then again
> that might be the only sensible reason...
Don't give people an excuse
vixie had a fun discussion about anycast and dns... something about him
being sad/sorry about making everyone have to carry a /24 for f-root
everywhere.
Whether it's a /24 for f-root or a /20 doesn't really make a difference-
it's a routing table entry either way- and why waste addresses.
I t
On Tue, 29 May 2007, Donald Stahl wrote:
> >> That said- ARIN is handing out /48's- should we be blocking validly
> >> assigned networks?
> >
> > your network might have to, to protect its valuable routing slots. There
> > are places in the v4 world where /24's are not carried either. So, as Bi
That said- ARIN is handing out /48's- should we be blocking validly
assigned networks?
your network might have to, to protect its valuable routing slots. There
are places in the v4 world where /24's are not carried either. So, as Bill
said just cause you get an allocation doesn't mean you can
On Tue, 29 May 2007, Donald Stahl wrote:
> That said- ARIN is handing out /48's- should we be blocking validly
> assigned networks?
your network might have to, to protect its valuable routing slots. There
are places in the v4 world where /24's are not carried either. So, as Bill
said just cau
Anything more specific than /32 is going to be filtered at some portion of
the ISPs whether for the good or bad. There are some subsets of the v6
address space that have a higher chance of /48 working (for some definition
of 'working') than other parts of the address space, though.
More speci
On Tue, May 29, 2007 at 08:45:38AM +0300, Pekka Savola wrote:
>
> On Mon, 28 May 2007, Donald Stahl wrote:
> >What is the smallest IPv6 advertisement that organizations are going to
> >honour- are we still looking at a minimum of a /48?
>
> Anything more specific than /32 is going to be filtere
On Mon, 28 May 2007, Donald Stahl wrote:
What is the smallest IPv6 advertisement that organizations are going to
honour- are we still looking at a minimum of a /48?
Anything more specific than /32 is going to be filtered at some
portion of the ISPs whether for the good or bad. There are some