[PLUG] IPv4 address exhaustion - beginning of the end in 8 days

Tim tim-pdxlug at sentinelchicken.org
Fri Jan 28 05:01:26 UTC 2011


> The one upside is that nmap'ing a /64 (if it even worked) is kind of a
> self-inflicted DOS attack.  It might not complete in your lifetime! ;-)

Yes, this is actually a very interesting, major shift in how low-level
network attacks will be performed in IPv6.  Attackers will be forced
to guess common addresses or use the DNS to find hosts.  I wrote a
thesis paper on the topic.  It'll be interesting to see how it plays
out.


> Once your private IPv6 address is exposed though, you are fully
> reachable *AND* have pretty much given away your macaddress (since it
> is embedded in your auto-self-configured address).  There are
> solutions to the macaddr problem, but takes a little more work.
> 
> There *are* implications.

Yes, it is good to be aware of this.  For many systems, it's not a big
worry if mac addresses are leaked, but in some cases it could tell an
attacker a lot about what kind of special purpose appliances might be
in your private network.

I currently set static addresses on my network, just to keep the
numbers similar to what my v4 addresses are, so this isn't a problem
for me.  However manually set, internal static addresses will likely
become increasingly less popular and hard to manage in v6, so other
solutions would be necessary.

Russell, are you familiar with the current easiest way to run 1:1 NAT
with autoconfigured addresses?  Is this even possible/easy with
iptables?  Several years ago I caught a netfilter developer on
freenode and asked about NAT options and he wasn't very supportive of
the idea at all.  I think NAT will likely become popular for internal
address portability, though NAPT should be shunned.

tim



More information about the PLUG mailing list