[ipv6hackers] (IETF I-D); Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)
Markus Reschke
madires at theca-tabellaria.de
Sun Feb 5 13:26:57 -03 2023
Hi!
On Sun, 5 Feb 2023, Andrew Walding wrote:
> Example #5: Dealing with an intrusive or misbehaving ipv6 source. The
> tendency here is to create either a whitelist or blacklist collection of
> allowed or banned addresses. In an IPv4 network this is relatively
> straightforward as an interface most likely has only one address.
> Further, it does not matter whether the source is a server or client, in
> the IPv4 space these addresses tend not to change. In IPv6 this could also
> be the case, however there are further considerations.
IMHO, it's not just about a host having multiple IPv6 addresses or
changing addresses (e.g. Privacy Extensions), but also the tradeoff
between the number of ACL rules and filtering resources available. The
latter also applies to IPv4. Up to some threshold we can put single
addresses into the ACL with minimal impact on performance. However, when
exceeding the threshold we have to aggregate addresses if possible to
counter the performance impact, also creating collateral damage to some
extent (another tradeoff). And by adding IPv6 /128s we would run much
faster into the threshold.
ciao
Markus
--
/ Markus Reschke \
\ madires at theca-tabellaria.de /
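The tradeoff Markus describes, as an added worked example that is not part of the original post: a blocklist of /128 sources is collapsed into as few prefixes as possible, and if the rule count still exceeds a hardware or policy budget, the two prefixes with the tightest common supernet are merged until it fits. Every merge that widens beyond the exact addresses counts as collateral damage. The source addresses (2001:db8::/32 documentation space), the rule budget and the /64 floor on aggregation are all constructed assumptions for the illustration; the code uses only the standard library `ipaddress` module.

```python
import ipaddress
from itertools import combinations

# Constructed sample blocklist (documentation range, not real offenders).
SAMPLE_SOURCES = [
    "2001:db8:1::10", "2001:db8:1::11", "2001:db8:1::12", "2001:db8:1::13",
    "2001:db8:1::20", "2001:db8:1::21",
    "2001:db8:2::1", "2001:db8:2::2",
    "2001:db8:abcd::1", "2001:db8:abcd::2",
]


def smallest_supernet(a, b):
    """Smallest prefix that covers both networks a and b."""
    n = a
    while not n.supernet_of(b):
        n = n.supernet()  # widen by one bit at a time
    return n


def aggregate(addresses, rule_budget, shortest_prefix=64):
    """Collapse /128s into prefixes and, while the rule count exceeds the
    budget, merge the pair with the longest (tightest) common supernet.
    Aggregation never goes shorter than `shortest_prefix`, an assumed policy
    floor that bounds how much unrelated space a single rule may swallow."""
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(a) for a in addresses))
    while len(nets) > rule_budget:
        best = None
        for a, b in combinations(nets, 2):
            s = smallest_supernet(a, b)
            if s.prefixlen < shortest_prefix:
                continue  # merging these would exceed the policy floor
            if best is None or s.prefixlen > best.prefixlen:
                best = s
        if best is None:
            break  # cannot shrink the rule set further within the floor
        # The new supernet replaces every prefix it now covers.
        nets = [n for n in nets if not best.supernet_of(n)] + [best]
        nets = list(ipaddress.collapse_addresses(nets))
    return nets


def covers_all(nets, addresses):
    """True if every original address is still matched by some rule."""
    return all(any(ipaddress.ip_address(a) in n for n in nets)
               for a in addresses)


def collateral(nets, addresses):
    """Addresses the rule set blocks that were never on the list."""
    wanted = {ipaddress.ip_address(a) for a in addresses}
    return sum(n.num_addresses for n in nets) - len(wanted)


if __name__ == "__main__":
    for budget in (100, 4, 2):
        nets = aggregate(SAMPLE_SOURCES, budget)
        print(f"budget {budget:3d}: {len(nets)} rules, "
              f"collateral {collateral(nets, SAMPLE_SOURCES)} addresses")
        for n in nets:
            print("   ", n)
```

With a generous budget the ten /128s already collapse to six rules without collateral; at a budget of four the two pairs of non-adjacent hosts are widened to /126s at a cost of four innocent addresses; at a budget of two the algorithm stops at three rules because the only remaining merges would cross the /64 floor, which is exactly the point at which an operator has to choose between rule count and collateral damage rather than letting a script decide.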