Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157

Fernando Gont <fgont@si6networks.com> Thu, 27 September 2012 18:26 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 502CD21F866B for <v6ops@ietfa.amsl.com>; Thu, 27 Sep 2012 11:26:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cH7PsKOhKO-r for <v6ops@ietfa.amsl.com>; Thu, 27 Sep 2012 11:26:41 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id AFCB021F8685 for <v6ops@ietf.org>; Thu, 27 Sep 2012 11:26:39 -0700 (PDT)
Received: from 217.64.252.202.mactelecom.net ([217.64.252.202] helo=[10.4.2.187]) by web01.jbserver.net with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <fgont@si6networks.com>) id 1THInC-00054q-MJ; Thu, 27 Sep 2012 20:26:34 +0200
Message-ID: <50649A58.20705@si6networks.com>
Date: Thu, 27 Sep 2012 20:26:32 +0200
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/20120827 Thunderbird/15.0
MIME-Version: 1.0
To: "Marksteiner, Stefan" <stefan.marksteiner@joanneum.at>
References: <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D8FF@RZJC1EX.jr1.local>, <1348519034.47465.YahooMailNeo@web32503.mail.mud.yahoo.com> <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D902@RZJC1EX.jr1.local>
In-Reply-To: <8A317FD8C00FEE448E52D4EE5B56BB3E0232A086D902@RZJC1EX.jr1.local>
X-Enigmail-Version: 1.4.4
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] Operational guidelines for a company/organization IPv6 address scheme supplemental to RFC5157
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Sep 2012 18:26:43 -0000

Stefan,

On 09/25/2012 11:42 AM, Marksteiner, Stefan wrote:
> First of all I think I've forgotten to clarify that I'm talking about
> IIDs, sorry ;) The aim of my thoughts would be to make it harder for
> externals to scan for attackable addresses.

If so, you should implement draft-ietf-6man-stable-privacy-addresses


> One often cited (mostly
> by marketeers) benefit of IPv6 is the vast amount of addresses per
> subnet making it seemingly harder to scan, which would be nullified
> if companies used simple sequential addressing.

It's also nullified for other reasons. Please see:
<http://www.si6networks.com/presentations/IETF84/fgont-ietf84-opsec-host-scanning.pdf>


> I'm suggesting to recommend companies to use a different scheme as
> ::1;::2 or ::BABE;::CAFE or even ::4593;4594 and so on which
> according to some studies (e.g. [1], pp.65-75, especially 68) most
> administrators unfortunately do. What might be needed to change this
> would be a scheme which is practicably administrable in the easiest
> possible way.

draft-ietf-6man-stable-privacy-addresses aims at exactly that.

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492