[PLUG] another reason or two why IPv6 rocks

Tim tim-pdxlug at sentinelchicken.org
Sun Jan 30 02:47:21 UTC 2011


> So it seems my issue is with the immensity.  This immensity will dull the 
> enormity of some net citizens.  No longer will it be possible for them to scan
> address ranges checking for exploitable targets. With the sheer size of the 
> IPv6 space random probes just won't be efficient.

Yes, and there are some interesting tricks you can play with this if
you get clever.  Here is an example of one:

Ever heard of port knocking?  This is a strategy whereby clients
intentionally probe (for example, port scan) certain services in a
certain order as a secret code in order to instruct a firewall to open
up service to them.  It provides a simple way to mask a service from
potential attackers while still allowing users from any source IP
address to access it.  Port knocking is not a replacement for good
authentication, but it can help mitigate vulnerabilities in certain
critical services.

The problem with port knocking is that you often need special client
software (in addition to special server software) to implement it.
Kind of a pain for the average user.

Let us now consider the enormous address space of IPv6.  Every person
can easily obtain a /48, or 80 bits of address space.  The only way to
find services on a hidden address would be if they were explicitly
advertised or shared in a secret way.  So, you could simply tell your
trusted associates what your random IP address is that provides a
service and then you achieve what you had achieved with port knocking
without the need for a special client.  However, that's kind of a
pain, because people don't want to have to remember 80-bit random
numbers...

So instead, let's improve this by creating a smart DNS server that we
control.  Whenever we ask about any valid name, it returns us a signed
cryptographic token which contains some limited information.  This
token is embedded as the last 80 bits of the IP address itself.
The DNS server can be instructed to place anything it wants in that
token, within space limits.  When the firewall receives a request for
an IP address, it statelessly validates the cryptographic token (much
like we already do in TCP SYN cookies) and passes traffic on according
to predefined rules.

So now we can create ourselves a special, secret domain name like
"mysecretSSHservice.example.org" which returns a cryptographic cookie
containing an indicator for what services should be opened to the
client.  The domain name is easy to remember, there is no client
software required, and we have a very strong guarantee about how
hidden our hidden services are.


Sorry if that's long-winded, but I just wanted to illustrate that
there are some fundamental changes in how the Internet can work,
simply due to the very large address space.

Regards,
tim
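The DNS-cookie scheme above, as an added worked example (this code is not from the original post or from any real implementation). It assumes a layout for the 80-bit host part (8-bit service code, 16-bit expiry in hours, 56-bit truncated HMAC-SHA256), a /48 from the IPv6 documentation range, and a placeholder secret shared by the DNS server and the firewall; all of these are constructed for illustration. `mint_address` plays the DNS server and `check_address` plays the stateless firewall check; the actual DNS responder and the firewall hook that would call these are left out.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed values for this example only: a /48 from the IPv6
# documentation range and a placeholder shared secret. In deployment the
# DNS server and the firewall would share a real, randomly generated key.
PREFIX = ipaddress.IPv6Network("2001:db8:1234::/48")
SECRET = b"placeholder-secret-shared-by-dns-and-firewall"

# What the 8-bit service code in the token means (assumed mapping).
SERVICES = {1: ("ssh", 22), 2: ("https", 443)}

# Layout of the 80-bit host part (the low 80 bits of the address):
#   [ 8-bit service code | 16-bit expiry (hours since epoch) | 56-bit MAC ]
TOKEN_BITS = 80
SERVICE_BITS = 8
EXPIRY_BITS = 16
MAC_BITS = TOKEN_BITS - SERVICE_BITS - EXPIRY_BITS  # 56
MAX_LIFETIME_HOURS = 48  # firewall rejects tokens that claim a longer life


def hour_bucket(unix_ts):
    """Hour counter truncated to EXPIRY_BITS so it fits in the token."""
    return int(unix_ts // 3600) & ((1 << EXPIRY_BITS) - 1)


def _mac(key, service_code, expiry_bucket):
    """HMAC-SHA256 over the token's plaintext fields plus the prefix,
    truncated to MAC_BITS. Binding the prefix means a token minted for
    one site does not validate at another site using the same layout."""
    msg = (service_code.to_bytes(1, "big")
           + expiry_bucket.to_bytes(2, "big")
           + int(PREFIX.network_address).to_bytes(16, "big"))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - MAC_BITS)


def mint_address(key, service_code, expiry_bucket):
    """DNS-server side: the AAAA answer for the secret name is an address
    whose low 80 bits are the signed token."""
    if service_code not in SERVICES:
        raise ValueError("unknown service code")
    token = ((service_code << (EXPIRY_BITS + MAC_BITS))
             | (expiry_bucket << MAC_BITS)
             | _mac(key, service_code, expiry_bucket))
    return ipaddress.IPv6Address(int(PREFIX.network_address) | token)


def check_address(key, addr, now_bucket):
    """Firewall side: stateless check of a destination address, in the
    spirit of SYN cookies. Returns (service name, port) to open, or None."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in PREFIX:
        return None
    token = int(addr) & ((1 << TOKEN_BITS) - 1)
    service_code = token >> (EXPIRY_BITS + MAC_BITS)
    expiry_bucket = (token >> MAC_BITS) & ((1 << EXPIRY_BITS) - 1)
    mac = token & ((1 << MAC_BITS) - 1)
    if service_code not in SERVICES:
        return None
    # Modular distance handles the 16-bit wrap; an expired token wraps to
    # a large value and is rejected by the same lifetime bound.
    hours_left = (expiry_bucket - now_bucket) & ((1 << EXPIRY_BITS) - 1)
    if hours_left > MAX_LIFETIME_HOURS:
        return None
    expected = _mac(key, service_code, expiry_bucket)
    if not hmac.compare_digest(mac.to_bytes(7, "big"), expected.to_bytes(7, "big")):
        return None
    return SERVICES[service_code]


if __name__ == "__main__":
    now = hour_bucket(time.time())
    addr = mint_address(SECRET, 1, (now + 24) & 0xFFFF)
    print("mysecretSSHservice.example.org AAAA", addr)
    print("firewall now:", check_address(SECRET, addr, now))
    print("firewall three days later:", check_address(SECRET, addr, (now + 72) & 0xFFFF))
    print("one bit flipped:", check_address(SECRET, int(addr) ^ 1, now))
```

The expiry field is what bounds the damage if an address leaks (the secret name in the post has no such bound), and the 56-bit MAC is the only thing standing between a guessed address and an open port, so the shared key must be as unguessable as the 80-bit random address it replaces.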