[ipv6hackers] IPv6 host scanning in IPv6

Christiaan Ottow chris at 6core.net
Fri Apr 20 13:01:14 CEST 2012

Hi Fernando,

Thanks for the draft!

Two comments:

Section 1 says "ssentially" where I think you mean "essentially".

Section 3.1.2 of the draft states:

It is important to note that "privacy addresses" are generated in
   addition to traditional SLAAC addresses (i.e., based on IEEE
   identifiers): traditional SLAAC addresses are employed for incoming
   (i.e. server-like) communications, while "privacy addresses" are
   employed for outgoing (i.e., client-like) communications.  This means
   that implementation/use of "privacy addresses" does not prevent an
   attacker from leveraging the predictability of traditional SLAAC
   addresses, since "privacy addresses" are generated in addition to
   (rather than in replacement of) the traditional SLAAC addresses
   derived from e.g.  IEEE identifiers.

To the best of my knowledge, this isn't completely true. I haven't tested this myself, but it seems that OpenBSD (in -current and the upcoming 5.1) drops the EUI-64 address when a privacy address has been generated, thus having only the privacy address as a global-scope address. That changes the "discoverability" of those hosts significantly: if the randomization is done properly and the address isn't stored in DNS, the host would be practically undetectable without extra information. Of course, one would expect that an OpenBSD box is used as a server of some kind, and that would make the above-mentioned configuration rare.

-- chris

On Apr 20, 2012, at 8:57 , Fernando Gont wrote:

> Folks,
> We've just published an IETF internet-draft about IPv6 host scanning
> attacks.
> The aforementioned document is available at:
> <http://www.ietf.org/id/draft-gont-opsec-ipv6-host-scanning-00.txt>
> The Abstract of the document is:
> ---- cut here ----
>   IPv6 offers a much larger address space than that of its IPv4
>   counterpart.  The standard /64 IPv6 subnets can (in theory)
>   accommodate approximately 1.844 * 10^19 hosts, thus resulting in a
>   much lower host density (#hosts/#addresses) than their IPv4
>   counterparts.  As a result, it is widely assumed that it would take a
>   tremendous effort to perform host scanning attacks against IPv6
>   networks, and therefore IPv6 host scanning attacks have long been
>   considered unfeasible.  This document analyzes the IPv6 address
>   configuration policies implemented in most popular IPv6 stacks, and
>   identifies a number of patterns in the resulting addresses lead to a
>   tremendous reduction in the host address search space, thus
>   dismantling the myth that IPv6 host scanning attacks are unfeasible.
> ---- cut here ----
> Any comments will be very welcome (note: this is a drafty initial
> version, with lots of stuff still to be added... but hopefully a good
> starting point, and a nice reading ;-) ).
> Thanks!
> Best regards,
> -- 
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

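An added example, not part of the original thread: a defender-side check that takes the addresses configured on a host and flags any non-link-local address whose interface identifier still looks IEEE-derived (modified EUI-64), which is the difference between the two behaviours discussed above. It generalizes the point to any address list; the function names are hypothetical and the addresses are constructed samples in the 2001:db8::/32 documentation prefix.

```python
import ipaddress


def _parse(addr):
    # Accept "addr", "addr/prefixlen" or "addr%zone" as printed by common tools.
    return ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])


def classify_iid(addr):
    """Classify the interface identifier (low 64 bits) of an IPv6 address.

    Returns ("eui64", mac) when the IID carries the ff:fe filler of a
    modified EUI-64 identifier, otherwise ("other", None). This is a
    heuristic: a random IID matches by chance about once in 65536.
    """
    iid = _parse(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe":
        # Undo the modified EUI-64 mapping: flip the universal/local bit
        # and drop the ff:fe filler to recover the embedded MAC address.
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        return "eui64", ":".join(f"{b:02x}" for b in mac)
    return "other", None


def audit(addresses):
    """Return (address, mac) for each non-link-local address with an EUI-64 IID."""
    findings = []
    for addr in addresses:
        ip = _parse(addr)
        if ip.is_link_local or ip.is_loopback or ip.is_multicast:
            continue  # link-local is not reachable from off-link
        kind, mac = classify_iid(addr)
        if kind == "eui64":
            findings.append((addr, mac))
    return findings


# Constructed sample: host that keeps the SLAAC address next to a privacy address.
BOTH_ADDRESSES = [
    "fe80::211:22ff:fe33:4455%em0",
    "2001:db8:1:2:211:22ff:fe33:4455/64",
    "2001:db8:1:2:5c3a:91e7:b42:d6f0/64",
]
# Constructed sample: host that keeps only the privacy address as its global address.
PRIVACY_ONLY = ["fe80::211:22ff:fe33:4455%em0", "2001:db8:1:2:5c3a:91e7:b42:d6f0/64"]

if __name__ == "__main__":
    for name, addrs in (("both", BOTH_ADDRESSES), ("privacy-only", PRIVACY_ONLY)):
        print(name, audit(addrs) or "no IEEE-derived global address")
```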