[6bone] Is minimum allocation /64 now?
John Holmblad
jholmblad@aol.com
Sat, 25 Oct 2003 21:35:49 -0400
Jordi,
thanks for the reference to the recent IETF doc on the subject. The
intro of that document kind of underpins what I asserted/implied, i.e.
defense in depth is a good thing and that security through obscurity
helps to raise the bar for the wily attacker but does not stand on its
own two legs:
"It must be remembered that the defense of a network must not rely on
the obscurity of the hosts on that network. Such a feature or
property is only one measure in a set of measures that may be
applied."
Regarding the second point, the idea I am trying to get across applies
equally to either IPv4 or IPv6 and is really a generic argument against
too much generosity in the allocation of address space. My working
assumption, perhaps invalid, is that the attacker is interested in
knowing whether or not there is a network behind a particular network
address and that scanning for /n+m's will take longer than scanning
for /n's, where n and m are positive integers, thus increasing the attack
"cost" in time and bandwidth consumption for the attacker. A key part of
my assumption is that the edge router servicing the /n or /n+m subnet
will provide some kind of informational response to the attacker on the
first "hit" so that they can make the inference that something is in
fact behind that network address that is worth attacking. Of course,
having found that, they still have to find out what is behind the /n or
/n+m. The information provided may, of course, depend upon the router
and how it is configured. I can and do set my edge router to "deep six"
echo requests but the very fact that this is configurable suggests that
some of the routers of the cybersphere may be set the other way.
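The cost argument above can be put in numbers. The following is an added illustration, not part of the original post: it computes the size of a /n block for IPv4 or IPv6, the time an exhaustive probe of it takes at an assumed probe rate, the 2^m cost ratio between a /n and a /n+m, and, for the "first hit" point, the expected number of probes before an attacker hears back from one of k responsive addresses scattered uniformly in the block. The probe rate and host counts are assumptions supplied by the caller.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365.25 * 86400


def address_count(prefix_len, family=6):
    """Number of addresses in a /prefix_len block (32-bit IPv4 or 128-bit IPv6)."""
    bits = 128 if family == 6 else 32
    if not 0 <= prefix_len <= bits:
        raise ValueError("prefix length out of range for address family")
    return 2 ** (bits - prefix_len)


def exhaustive_scan_seconds(prefix_len, probes_per_second, family=6):
    """Seconds to probe every address in the block at a fixed (assumed) probe rate."""
    if probes_per_second <= 0:
        raise ValueError("probe rate must be positive")
    return Fraction(address_count(prefix_len, family), probes_per_second)


def exhaustive_scan_years(prefix_len, probes_per_second, family=6):
    """Same as above, expressed in years (float) for defender-facing reporting."""
    return float(exhaustive_scan_seconds(prefix_len, probes_per_second, family)) / SECONDS_PER_YEAR


def cost_ratio(n, m):
    """How many times more addresses a /n holds than a /n+m: 2**m, for m >= 0."""
    if m < 0:
        raise ValueError("m must be non-negative")
    return 2 ** m


def expected_probes_to_first_hit(prefix_len, live_hosts, family=6):
    """Expected probes until the first responsive address is found.

    Model (an assumption of this example): live_hosts responsive addresses are
    uniformly scattered in the block and the scanner probes in uniformly random
    order. The expected position of the first of k marked items among N is
    (N + 1) / (k + 1). Returns None when nothing in the block responds, i.e.
    when the edge router "deep sixes" echo requests and nothing else answers.
    """
    if live_hosts <= 0:
        return None
    return Fraction(address_count(prefix_len, family) + 1, live_hosts + 1)
```

With one responsive host the first hit is expected about halfway through the block, so silencing the router's informational response is what pushes the attacker toward the full exhaustive cost.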
--
Best Regards,
John Holmblad
Televerage International
(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388
www page: www.vtext.com/users/jholmblad
primary email address: jholmblad@aol.com
backup email address: jholmblad@verizon.net
text email address: jholmblad@vtext.com