[6bone] Is minimum allocation /64 now?

JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
Sun, 26 Oct 2003 01:20:35 +0200


Regarding 1, that's why most of the ISP networks with NAT devices can be attacked so easily, because of the false security of the NAT boxes, and I can give you a lot of examples, even from big ISPs ...

2, on the contrary ... see
http://www.ietf.org/internet-drafts/draft-chown-v6ops-port-scanning-implications-00.txt
  ----- Original Message -----
  From: John Holmblad
  To: Jeroen Massar
  Cc: 'Dan Reeder' ; 'Jørgen Hovland' ; 'Pekka Savola' ; 'Gert Doering' ; 6bone@ISI.EDU
  Sent: Saturday, October 25, 2003 7:05 PM
  Subject: Re: [6bone] Is minimum allocation /64 now?


  All,

  I'd like to share the following thoughts with the group on this discussion on IPv6 address space.

  1. Re NAT

  Of course, relying on security through obscurity is bad as a stand-alone practice, but, as a part of a defense-in-depth strategy that includes firewalling, it does help. Most SOHO router products include, out of practical necessity, NAT but also a rudimentary firewall, and no one can argue that having those devices in place has somehow increased the collective security of the Internet as we know it today. For an ISP to sell pure NAT as a rock-solid security product, however, would represent a negligent sales practice.

  2. Re /48 vs /64 for the single network port or home

  It occurs to me that the more address space that is allocated to a given access point to the Internet, the easier it is for a scanner to find it, for obvious reasons. In that sense, generosity of address space allocation runs against the grain of trying to make the Internet more secure. In fact it would seem desirable to take advantage of the huge 128-bit address space enabled by IPv6 to raise the cost for attackers to find "points of interest" on the Internet.

  --

  Best Regards,

  John Holmblad
  Televerage International

  (H) 703 620 0672
  (M) 703 407 2278
  (F) 703 620 5388

  www page:              www.vtext.com/users/jholmblad
  primary email address: jholmblad@aol.com
  backup email address:  jholmblad@verizon.net
  text email address:    jholmblad@vtext.com


**********************************
Madrid 2003 Global IPv6 Summit
Presentations and videos on line at:
http://www.ipv6-es.com

This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.
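Added editorial example, not part of the thread above and not code from the draft Jordi links (draft-chown-v6ops-port-scanning-implications, later published as RFC 5157). It models the disagreement in the exchange: John's point 2 says a larger allocation makes a host easier to find; the draft's argument is that the size of the prefix is not what matters, because a flat brute-force sweep of even one /64 is already infeasible, and a /48 is a haystack 65536 times larger still. What actually shrinks the search space is how interface IDs are assigned inside the /64 (sequential ::1, ::2, or EUI-64 with a guessable vendor OUI), which is why randomized interface IDs are the defensive control that preserves the cost. The probe rate of one million per second and the search-space sizes per policy are constructed inputs; the expected-probes formula (N + 1)/(h + 1) assumes live hosts are placed uniformly at random and the scanner never repeats a probe.

```python
"""
Added example (not from the 6bone thread): how prefix length and interface-ID
assignment policy change the expected cost of a brute-force IPv6 address scan.
The reasoning follows draft-chown-v6ops-port-scanning-implications (RFC 5157);
the probe rate, host counts and policy labels are constructed inputs.
"""
from fractions import Fraction

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, 31 557 600 s


def address_count(prefix_len: int) -> int:
    """Number of addresses in an IPv6 prefix of the given length."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("IPv6 prefix length must be 0..128")
    return 1 << (128 - prefix_len)


def expected_probes(space: int, hosts: int) -> Fraction:
    """Expected probes until the first hit when `hosts` live addresses sit
    uniformly at random in a search space of `space` addresses and the
    scanner never repeats a probe: (N + 1) / (h + 1)."""
    if hosts < 1 or hosts > space:
        raise ValueError("need 1 <= hosts <= space")
    return Fraction(space + 1, hosts + 1)


def expected_seconds(space: int, hosts: int, probes_per_second: float) -> float:
    """Wall-clock time for the expected number of probes at a fixed rate."""
    return float(expected_probes(space, hosts)) / probes_per_second


def expected_years(space: int, hosts: int, probes_per_second: float) -> float:
    return expected_seconds(space, hosts, probes_per_second) / SECONDS_PER_YEAR


# Search spaces a scanner faces inside a single /64, depending on how the
# interface ID (low 64 bits) is assigned.  Sizes are exact powers of two;
# the labels summarise the assignment policies discussed in the draft.
IID_POLICIES = {
    "random IID (RFC 4941 temporary / opaque stable)": 1 << 64,
    "EUI-64 from MAC, vendor OUI known":               1 << 24,
    "manually numbered ::1, ::2, ... (16 low bits)":   1 << 16,
}


def scan_cost_table(probes_per_second: float = 1e6, hosts: int = 1) -> dict:
    """Expected seconds to find one of `hosts` live addresses under each IID
    policy within one /64, plus the two prefix sizes from the thread treated
    as flat brute-force spaces (the /48 case is the 'more space' argument)."""
    rows = {}
    for name, space in IID_POLICIES.items():
        rows[name] = expected_seconds(space, hosts, probes_per_second)
    for prefix_len in (64, 48):
        rows[f"flat brute force of a /{prefix_len}"] = expected_seconds(
            address_count(prefix_len), hosts, probes_per_second)
    return rows


if __name__ == "__main__":
    # Constructed scenario: one live host, one million probes per second.
    for name, secs in scan_cost_table().items():
        if secs > SECONDS_PER_YEAR:
            print(f"{name:50s} ~{secs / SECONDS_PER_YEAR:,.0f} years")
        else:
            print(f"{name:50s} ~{secs:,.1f} seconds")
```

Running the script shows the two ends of the scale side by side: a host behind a random interface ID in a /64 costs on the order of 3 x 10^5 years to locate at this rate, and the same host in a /48 costs 65536 times that, while a sequentially numbered or OUI-predictable host is found in seconds. The prefix size an ISP hands out is therefore not the lever; interface-ID randomization on the hosts is.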
