[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Address Scanning Document comments

To: Tim Chown <tjc@ecs.soton.ac.uk>
Subject: Address Scanning Document comments
From: Fred Baker <fred@cisco.com>
Date: Wed, 22 Mar 2006 18:04:21 -0600
Authentication-results: imail.cisco.com; header.From=fred@cisco.com; dkim=pass ( message from cisco.com verified; );
Cc: v6ops@ops.ietf.org
Dkim-signature: a=rsa-sha1; q=dns; l=2361; t=1143072321; x=1143504521; c=relaxed/simple; s=nebraska; h=Subject:From:Date:Content-Type:Content-Transfer-Encoding:Mime-Version; d=cisco.com; i=fred@cisco.com; z=From:Fred=20Baker=20<fred@cisco.com> |Subject:Address=20Scanning=20Document=20comments |To:Tim=20Chown=20<tjc@ecs.soton.ac.uk>; X=v=3Dmtcc.com=3B=20h=3DILBEPYSeLeZb0heXFtf0FhlyfIk=3D; b=gTJnqCOsPpCptaT372plQ1DFbwP9P7h0g+JKsEyBwV3ULY4SbbqdFm5yzOYGwDDnRwPSa9Ad 1kCHlkVRbHGgoWoWx+KoK9G72+aYwgK4uYpdpql1/XF/nEBL6RbEKu4Ka+MNm6iDnChPM+yn4Yw QwTBTUqH67+ZgrPo5aAkzDGc=;

   It is also worth noting that worms that spread by scanning target
   networks for hosts to re-attack have become more common in recent
times. Thus a much more sparsely address-populated IPv6 networkwillhave a more innate defense to such forms of worm infection,although
   there may still be significant scanning traffic generated.

I hear this comment, taken from the draft, a lot, and I'm not as surethat it is true. Finding the hosts on a remote LAN will require theuse of different techniques, but I'm not at all sure they will behard to find.

For example, when you receive this email, it will have a number of'receive' lines. In case you have forgotten how to manage your emailtool, they look something like this:

Received: 	from xbh-sjc-231.amer.cisco.com
([128.107.191.100]) by xmb-sjc-225.amer.cisco.com with Microsoft
SMTPSVC(6.0.3790.211); Wed, 22 Mar 2006 15:21:53 -0800
Received: 	from sj-iport-5.cisco.com ([171.68.10.87]) by
xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211);
Wed, 22 Mar 2006 15:21:52 -0800
Received: 	from sj-core-4.cisco.com ([171.68.223.138]) by
sj-iport-5.cisco.com with ESMTP; 22 Mar 2006 15:21:54 -0800
Received: 	from xbh-sjc-211.amer.cisco.com
(xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-4.cisco.com
(8.12.10/8.12.6) with ESMTP id k2MNLnYg005591 for
<ipv6-interest@cisco.com>; Wed, 22 Mar 2006 15:21:49 -0800 (PST)
Received: 	from xfe-sjc-211.amer.cisco.com
([171.70.151.174]) by xbh-sjc-211.amer.cisco.com with Microsoft
SMTPSVC(6.0.3790.211); Wed, 22 Mar 2006 15:21:49 -0800
Received: 	from cisco.com ([128.107.132.219]) by
xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211);
Wed, 22 Mar 2006 15:21:48 -0800

As you can see, it contains the numeric address of the system. Anysystem that emits email is therefore known by any system thatreceives it, which is to say that IPv6 addresses of hosts on remoteLANs are trivially easy to obtain. And if you can manage to infectone, the neighbor discovery protcool results in that system knowingall of its peers on said LAN even if they don't send mail.

Hence, I doubt that there will be any address scans, and I also doubtthat there will be less attacks. They will just come in a different way.

Follow-Ups:
- Re: Address Scanning Document comments
  - From: Tim Chown <tjc@ecs.soton.ac.uk>

Prev by Date: Re: IPv6 Routing Policies Guidelines - Draft
Next by Date: Re: Address Scanning Document comments
Previous by thread: IPv6 Routing Policies Guidelines - Draft
Next by thread: Re: Address Scanning Document comments
Index(es):
- Date
- Thread