Re: Address Scanning Document comments
On Wed, Mar 22, 2006 at 04:28:23PM -0800, Roland Dobbins wrote:
>
> On Mar 22, 2006, at 4:04 PM, Fred Baker wrote:
>
> >> It is also worth noting that worms that spread by scanning target
> >> networks for hosts to re-attack have become more common in recent
> >> times. Thus a much more sparsely address-populated IPv6 network will
> >> have a more innate defense to such forms of worm infection, although
> >> there may still be significant scanning traffic generated.
> >
> >I hear this comment, taken from the draft, a lot, and I'm not as
> >sure that it is true. Finding the hosts on a remote LAN will
> >require the use of different techniques, but I'm not at all sure
> >they will be hard to find.
>
> There's already a paper out which demonstrates this supposition to be
> incorrect:
>
> http://www.cs.columbia.edu/~smb/papers/v6worms.pdf
Yes, nice paper (which I think was posted here recently, well after the
latest version of the scanning draft).
Within an IPv4 site, a worm can propagate across all subnets, because
the site's address space is probably dense due to the address conservation
requirements; in contrast in IPv6 I suspect the resilience is inter-subnet,
rather than intra-subnet. Once an attacker is on-link, you're in trouble.
Of course while dual-stack is used, you're subject to the limitations of
the 'weaker' of the protocols.
--
Tim/::1