Re: Security over IPv6 networks

To: <debian-ipv6@lists.debian.org>
Subject: Re: Security over IPv6 networks
From: Anthony DeRobertis <asd@suespammers.org>
Date: Wed, 12 Mar 2003 15:59:07 -0500
Message-id: <76FAD35B-54CD-11D7-8C28-00039317863E@suespammers.org>
In-reply-to: <745A3632968F53438280A8320C535AD20CCA50@MSGEXS21.tf1.groupetf1.fr>


On Wednesday, March 12, 2003, at 11:12 AM, BEGIN, Thomas wrote:

But in the other hand, isn't it dangerous to address machines withglobal unicast address and thus make them reachable directly fromanywhere and by anybody...

The 'thus' is not warranted. Assigning unique addresses does not meanthey are globally reachable. As a simple counter example, consider whathappens if you unplug your router's upstream connection(s). As a morerealistic one, stateful packet filters (like Linux iptables) can allowonly outgoing connections. Non-stateful ones can even block SYN packetsin one direction, or block certain ports, IPs, etc. You can do thiswith IPv4 today, or with IPv6.

"Globally unique IP address" does not imply "globally reachable" or"not firewalled."

Further, IPv6 gives you some security that IPv4 didn't (besidesmandatory IPSec): A sparse address space. With IPv4, many worms havetaken to attacking random addresses. It's very effective, because itonly takes several probes to find a machine. It's how the SQL wormworks, it's how Nimbda and Code Red (in part) work, etc. On IPv6, thatisn't possible: It's quite reasonable to expect a hit rate of less than1/(2^64) w/ IPv6 --- so scanning random IPs is no longer feasible.

Reply to:

Follow-Ups:
- Re: Security over IPv6 networks
  - From: Joey Hess <joeyh@debian.org>

References:
- Security over IPv6 networks
  - From: "BEGIN, Thomas" <tbegin@tf1.fr>

Prev by Date: Re: Security over IPv6 networks
Next by Date: Re: Security over IPv6 networks
Previous by thread: Re: Security over IPv6 networks
Next by thread: Re: Security over IPv6 networks
Index(es):
- Date
- Thread