Re: [dhcwg] Review of draft-ietf-v6ops-scanning-implications
Tim Chown <tjc@ecs.soton.ac.uk> Mon, 27 November 2006 17:03 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gojsp-0000Gm-S9; Mon, 27 Nov 2006 12:03:07 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gojso-0000EZ-GC for dhcwg@ietf.org; Mon, 27 Nov 2006 12:03:06 -0500
Received: from [2001:630:d0:f102:230:48ff:fe77:96e] (helo=owl.ecs.soton.ac.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gojsh-0000sU-MO for dhcwg@ietf.org; Mon, 27 Nov 2006 12:03:06 -0500
Received: from goose.ecs.soton.ac.uk (goose.ecs.soton.ac.uk [152.78.68.131]) by owl.ecs.soton.ac.uk (8.13.1/8.13.1) with ESMTP id kARH2W9G030911; Mon, 27 Nov 2006 17:02:32 GMT
Received: from login.ecs.soton.ac.uk (login.ecs.soton.ac.uk [152.78.68.162]) by goose.ecs.soton.ac.uk (8.13.1/8.13.1) with ESMTP id kARH2Kik020623; Mon, 27 Nov 2006 17:02:20 GMT
Received: (from tjc@localhost) by login.ecs.soton.ac.uk (8.12.11.20060308/8.11.6) id kARH2GAN006101; Mon, 27 Nov 2006 17:02:16 GMT
Date: Mon, 27 Nov 2006 17:02:16 +0000
From: Tim Chown <tjc@ecs.soton.ac.uk>
To: Eric Klein <ericlklein@softhome.net>
Subject: Re: [dhcwg] Review of draft-ietf-v6ops-scanning-implications
Message-ID: <20061127170216.GJ26966@login.ecs.soton.ac.uk>
Mail-Followup-To: Eric Klein <ericlklein@softhome.net>, Stig Venaas <stig.venaas@uninett.no>, dhcwg@ietf.org, v6ops@ops.ietf.org
References: <8E296595B6471A4689555D5D725EBB2102A2B1AA@xmb-rtp-20a.amer.cisco.com> <027101c71242$1ec75570$0401a8c0@ftssoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <027101c71242$1ec75570$0401a8c0@ftssoft.com>
User-Agent: Mutt/1.4i
X-Null-Tag: dc8993efe73f7312389974e1134ad3f1
X-Null-Tag: e710ccfffb1aadcbb64b97da9abc57db
X-ECS-MailScanner: Found to be clean, Found to be clean
X-Spam-Status: No
X-ECS-MailScanner-Information: Please contact the ISP for more information
X-ECS-MailScanner-From: tjc@ecs.soton.ac.uk
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0a7aa2e6e558383d84476dc338324fab
Cc: v6ops@ops.ietf.org, dhcwg@ietf.org, Stig Venaas <stig.venaas@uninett.no>
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org
On Mon, Nov 27, 2006 at 06:35:56PM +0200, Eric Klein wrote: > On Thursday, November 23, 2006 Stig Venaas wrote: > > > >Per Fred's request, please let v6ops and/or authors know if you have > >any thoughts regarding this draft. In particular there is the following > >section: > > > >4.2. DHCP Service Configuration Options > > > > The administrator should configure DHCPv6 so that the first > >addresses > > allocated from the pool begins much higher in the address space than > > at [prefix]::1. DHCPv6 also includes an option to use Privacy > > Extension [2] addresses, i.e. temporary addresses, as described in > > Section 12 of the DHCPv6 [5] specification. It is desirable that > > allocated addresses are not sequential, nor have any predictable > > pattern to them. > > I am not sure that I like the idea that we are suggesting that the DCHPv6 > start higher than 1 for 2 reasons: > 1. It reduces the number of addresses available, by 1 less than the > starting number chosen by the administrator. Yes I know that there are many > more numbers available, but I am hesitant to start recommending that they > be arbitrarily reduced for a dubious security consideration (see reason #2). A nice property of IPv6 is that you have effectively infinite addresses on a link. You don't have to resize links like you do in IPv4 today. You don't need to worry about 'lost' space. The aim of the text is to encourage DHCPv6 server implementors to support an option to configure an address pool that can in effect serve addresses randomly from that pool. This implies some overhead in checking whether such an address is already used, but that cost should in principle not be that high. > 2. By stating that it is desirable, but not mandatory that the numbers from > the address pool of numbers are not allocated sequentially, you leave the > possibility that people choosing the easy coding methodology will still > allow it to be sequential. So, by choosing a number higher than 1 you have > only reduced the security implications by a few seconds as the scan will > eventually reach the first entry and then be able to scan the network. It would be likely to take more than a few seconds, and would probably generate traffic that would alert an IDS to the scan. Our evidence here is that we see scans run on specific ports of addresses that we publish (DNS, MX, etc) and also on low addresses, <prefix>::1 being the primary example. Emphasis here is on the option to support this. If you chose to number sequentially from <prefix>::1 you choose to have easier-to-remember addresses at the cost of a ignoring an opportunity for a little port scanning obfuscation. It's a trade-off but it would be nice to have the choice. -- Tim _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Review of draft-ietf-v6ops-scanning-impli… Fred Baker
- Re: [dhcwg] Review of draft-ietf-v6ops-scanning-i… Stig Venaas
- RE: [dhcwg] Review of draft-ietf-v6ops-scanning-i… Bernie Volz (volz)
- Re: [dhcwg] Review of draft-ietf-v6ops-scanning-i… Tim Chown
- Re: [dhcwg] Review of draft-ietf-v6ops-scanning-i… Tim Chown
- Re: Teredo for reducing search space (was: [dhcwg… Alexandru Petrescu
- Re: [dhcwg] Review of draft-ietf-v6ops-scanning-i… Ralph Droms
- Re: [dhcwg] Review of draft-ietf-v6ops-scanning-i… Tim Chown
- RE: [dhcwg] Review of draft-ietf-v6ops-scanning-i… Tony Hain
- Re: [dhcwg] Review of draft-ietf-v6ops-scanning-i… Bud Millwood