[ipv6hackers] Pros and Cons of Address Randomization
owend at he.net
Sun Dec 2 22:42:32 CET 2012
On Dec 2, 2012, at 10:33 AM, Jim Small <jim.small at cdw.com> wrote:
> Hi Owen,
> Curious on this one:
>>> Maybe this is an enterprise bias but my experience has been that
>>> loopbacks (at least with IPv4) are numbered sequentially with predictable
>>> patterns for ease of use. These can be protected with ACLs/firewalls. I
>>> would like to do something similar for IPv6. Maybe this is legacy thinking but
>>> I would dread giving this up and completely depending on DNS. What about
>>> outages where you're using an Out Of Band network and DNS is
>>> down/unavailable? This one would be hard for me...
>> You certainly can do something similar for IPv6 and I would actually generally
>> advocate doing so. I just wouldn't start from ::1 in most cases.
> So where would you start at? ::1001? It's not that you memorize addresses - I agree that's silly. However when you use tools, simple patterned numbers make life easier. Granted you can have lists of addresses to march through but it's the little things... Especially when you're doing something to 100s of routers/switches - spot checking patterned numbers is a little easier than randomized addresses. Maybe I'm just a little lazy. :-)
I'd start somewhere around either …:0004:: or …:000c:: so that unless they get remarkably lucky about where to start searching, they're going to be looking for a long time before they get anywhere.
As to 100s of routers, at the point where you're scanning lists, isn't DNS the best place to keep the list?
If the list is in DNS, then patterned names give you all the advantages of patterned numbers.
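Added example (not code from this thread or from either poster): a small Python script that does the three things discussed above, numbering loopbacks in a predictable sequence that starts at a non-obvious /64 inside an infrastructure block rather than at ::1, emitting the matching AAAA and PTR records so the inventory lives in DNS under patterned names, and putting a number on how many probes a simple sequential scanner spends before its first hit. The /48 block (the 2001:db8::/32 documentation prefix), the rtrNNN naming convention, the zone name and the scanner model (walk the /64s in order, try a fixed window of low host indices in each) are all assumptions of this example; reading "…:000c::" as the /64 index within a /48 is one interpretation of the message above.

```python
"""Patterned, offset IPv6 loopback numbering with DNS as the inventory.

Added example, not code from the ipv6hackers thread. Block, naming,
zone and scan model are constructed for illustration.
"""
import ipaddress

# Constructed infrastructure block (documentation prefix); an assumption.
INFRA_BLOCK = ipaddress.IPv6Network("2001:db8:ff00::/48")


def loopback_plan(block, first_subnet, first_host, count):
    """Allocate `count` consecutive /128 loopbacks inside `block`.

    Numbering stays patterned (router N gets host index first_host+N-1)
    but begins in /64 number `first_subnet` of the block instead of in
    the block's first /64, so ::1 of the block is not a loopback.
    """
    if block.prefixlen > 64:
        raise ValueError("block must be a /64 or larger")
    subnet_count = 1 << (64 - block.prefixlen)
    if not 0 <= first_subnet < subnet_count:
        raise ValueError("first_subnet is outside the block")
    if first_host < 1 or first_host + count > (1 << 64):
        raise ValueError("host range does not fit in one /64")
    base = int(block.network_address) + (first_subnet << 64) + first_host
    return [ipaddress.IPv6Address(base + i) for i in range(count)]


def dns_records(addresses, name_template, zone_origin):
    """Forward AAAA and reverse PTR lines for each loopback.

    name_template is a hypothetical naming convention such as 'rtr{n:03d}';
    patterned names in DNS give the same spot-check convenience as
    patterned numbers. zone_origin must end with a dot.
    """
    records = []
    for n, addr in enumerate(addresses, start=1):
        name = f"{name_template.format(n=n)}.{zone_origin}"
        records.append(f"{name} IN AAAA {addr}")
        records.append(f"{addr.reverse_pointer}. IN PTR {name}")
    return records


def naive_scan_cost(block, addresses, per_subnet_probes=256):
    """Probes a scanner spends before its first hit, under an assumed model.

    Model: the scanner walks the block's /64s in order and in each one
    tries host indices 0 .. per_subnet_probes-1 before moving on.
    Returns None when the lowest loopback sits above that window, i.e.
    this scanner never finds it.
    """
    lowest = min(int(a) for a in addresses)
    offset = lowest - int(block.network_address)
    subnet_index, host_index = divmod(offset, 1 << 64)
    if host_index >= per_subnet_probes:
        return None
    return subnet_index * per_subnet_probes + host_index + 1


if __name__ == "__main__":
    # Sequential numbering, but starting in /64 number 0xc at host index 1.
    plan = loopback_plan(INFRA_BLOCK, 0xC, 1, 3)
    for line in dns_records(plan, "rtr{n:03d}", "infra.example.net."):
        print(line)
    print("probes to first hit, offset plan:", naive_scan_cost(INFRA_BLOCK, plan))
    print("probes to first hit, ::1 plan:",
          naive_scan_cost(INFRA_BLOCK, loopback_plan(INFRA_BLOCK, 0, 1, 3)))
    print("probes, hosts from 0x1001:",
          naive_scan_cost(INFRA_BLOCK, loopback_plan(INFRA_BLOCK, 0xC, 0x1001, 3)))
```

Under this (assumed) scan model the /64 offset alone costs a low-host-index scanner only a few thousand probes, so the offset is a nuisance for casual enumeration rather than a substitute for the ACLs and firewalls mentioned earlier in the thread; moving the start up in the host part as well pushes the loopbacks outside the window such a scanner tries.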