On Fri, 2009-04-17 at 17:21 +0100, Andrew Court wrote:
> I would have thought if you got an IPv6 address now, it would have
> major security benefits. I am assuming most people on this list have
> servers and things. I would imagine the script kiddies have not
> started scanning ipv6 networks yet, as there are so few systems
> running it yet. That of course will change.
The scanning game will change forever once IPv6 is deployed to the end
user. the RIPE recommended allocation for an end user site is a /48.
this is potentially 65536 separate / 64 subnets
Each /64 breaks down into over 4 billion potential addresses
For the script kiddes this represents a truly vast amount of empty space
that needs to be scanned to even find one host on an end user site.
Unlike IPv4 space where many netblocks are at near 100% occupancy.
NAT is not the same as a firewall and creating IPv6 firewalls is about
as straightforward as creating IPv4 firewalls.
I am sure that IPv6 has vulnerabilities that we are only beginning to
understand and holes that will need fixing but random netblock scanning
for soft targets is very unlikely to be one of them.
If you let someone run a netblock scan against your allocation for years
at a time then they may come up with a few hits but your IDS should have
picked up the scan after the first five years or so ;-)
IPv4 exhaustion is very real, we (as an ISP) are now able to deploy IPv6
to end users that want it but automated provisioning, Cheap CPE devices,
Customer support and potential unintended issues with end user equipment
are all issues that need to be considered.
For ISP's the need to roll out IPv6 is real and imminent, especially for
the smaller players but we also need IPv6 Content (Hosting companies
please dual-home your customers..) and the ability to get an SLA from
IPv6 transit providers (once it gets turned on stuff that people care
about like mail will go via IPv6 so it needs to be solid and reliable
end to end.)
IPv6 is in the main a well thought out protocol. It is a much nicer
solution for both end users and ISP's than 'carrier grade NAT' will
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!