[6bone] Is minimum allocation /64 now?

Tim Chown tjc@ecs.soton.ac.uk
Sat, 25 Oct 2003 20:05:12 +0100
On Sat, Oct 25, 2003 at 07:40:27PM +0200, Jørgen Hovland wrote:
> > 2. Re /48 vs /64 for the single network port or home
> >
> > It occurs to me that the more address space that is allocated to a given
> > access point to the Internet, the easier it is for a scanner to find it,
> > for obvious reasons. In that sense, generosity of address space
> > allocation runs against the grain of trying to make the Internet more
> > secure. In fact it would seem desirable to take advantage of the huge
> > 128 bit address space enabled by IPv6 to raise the cost for attackers to
> > find "points of interest" on the Internet.

Actually the more address space allocated, the harder it is to be found in
that address range.

> I don't see NAT purely as a "security through obscurity" product, but I do
> agree.
> However, your second comment seems to me as a solution purely based on a
> security through obscurity model.  By hiding the "real" ip addresses in a
> scope of billions you are trying to gain better security. Do you think
> this is better than NAT ?

Not at all, but if it takes an attacker 500 billion years to scan a /64
at one IP per second, I'm happier than it taking 4 minutes for an IPv4 /24.

Defense in depth.

If you choose to number your hosts <prefix>::1 and up, that's your choice
of course...

Tim