[ipv6hackers] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Markus Reschke madires at theca-tabellaria.de
Sun Feb 5 13:26:57 -03 2023


Hi!

On Sun, 5 Feb 2023, Andrew Walding wrote:

> Example #5:  Dealing with an intrusive or misbehaving ipv6 source.  The
> tendency here is to create either a whitelist or blacklist collection of
> allowed or banned addresses.  In an IPv4 network this is relatively
> straightforward as an interface most likely has only one address.
> Further, it does not matter whether the source is a server or client, in
> the IPv4 space these addresses tend not to change.  In IPv6 this could also
> be the case, however there are further considerations.

IMHO, it's not just about a host having multiple IPv6 addresses or 
changing addresses (e.g. Privacy Extensions), but also the tradeoff 
between the number of ACL rules and filtering resources available. The 
latter also applies to IPv4. Up to some threshold we can put single 
addresses into the ACL with minimal impact on performance. However, when 
exceeding the threshold we have to aggregate addresses if possible to 
counter the performance impact, also creating collateral damage to some 
extent (another tradeoff). And by adding IPv6 /128s we would run much 
faster into the threshold.

ciao
  Markus
-- 
/ Markus Reschke              \
\ madires at theca-tabellaria.de /
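The tradeoff Markus describes (per-host /128 rules until a rule budget is hit, then aggregation into covering prefixes at the cost of collateral blocking) can be made concrete with a small script. This is an added example and not part of the list post; the offending addresses are constructed from the 2001:db8::/32 documentation range, the rule budget `max_rules` and the aggregation ladder (/64, /56, /48) are assumptions, and the "collateral" measure is simply the number of addresses each rule covers.

```python
import ipaddress

# Constructed sample: sources flagged as misbehaving (documentation prefix,
# not real hosts). Several share a /64, i.e. one SLAAC subnet whose hosts
# may rotate privacy addresses.
OFFENDERS = [
    "2001:db8:1:1::10",
    "2001:db8:1:1::11",
    "2001:db8:1:1:abcd:1234:5678:9abc",
    "2001:db8:1:2::5",
    "2001:db8:2:1::1",
    "2001:db8:2:1::2",
    "2001:db8:3:7::9",
]


def host_rules(addrs):
    """One /128 entry per source. collapse_addresses only merges exact
    aligned neighbours (e.g. ::10 and ::11 become a /127), so this is the
    'no collateral damage' baseline."""
    nets = [ipaddress.ip_network(a) for a in addrs]
    return sorted(ipaddress.collapse_addresses(nets))


def aggregate(addrs, prefixlen):
    """Replace each source by its enclosing prefix of the given length and
    merge adjacent prefixes, trading precision for fewer ACL entries."""
    nets = {ipaddress.ip_network(a).supernet(new_prefix=prefixlen) for a in addrs}
    return sorted(ipaddress.collapse_addresses(nets))


def build_acl(addrs, max_rules, ladder=(64, 56, 48)):
    """Keep /128 rules while they fit the budget (assumed filtering
    resource limit); otherwise walk down the aggregation ladder until the
    rule count fits. Returns (rules, prefix length used)."""
    rules = host_rules(addrs)
    if len(rules) <= max_rules:
        return rules, 128
    for plen in ladder:
        rules = aggregate(addrs, plen)
        if len(rules) <= max_rules:
            return rules, plen
    # Even the coarsest prefix does not fit: return it and let the operator decide.
    return rules, ladder[-1]


def collateral(rules, addrs):
    """Crude collateral-damage estimate: how many observed offenders the
    rules still catch, and how many addresses in total they block."""
    observed = {ipaddress.ip_address(a) for a in addrs}
    hits = sum(1 for a in observed if any(a in r for r in rules))
    covered = sum(r.num_addresses for r in rules)
    return hits, covered


if __name__ == "__main__":
    for budget in (10, 4, 3, 2):
        rules, plen = build_acl(OFFENDERS, budget)
        hits, covered = collateral(rules, OFFENDERS)
        print(f"budget={budget:2d} -> {len(rules)} rules at /{plen}, "
              f"{hits}/{len(OFFENDERS)} offenders covered, "
              f"{covered} addresses blocked")
        for r in rules:
            print("   ", r)
```

With a generous budget the ACL stays at /128 (six entries, because two adjacent hosts merge into a /127); as the budget shrinks, the same seven offenders are expressed as four /64s, then three /56s, then two entries at /48 and /47, and the blocked address space grows by many orders of magnitude each step.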


