Myth #7: He claims that residential IPv6 routers and the computers behind them are almost impossible to find because there are so many available addresses and therefore, random portscans are ineffective.
There are, however, enough other ways of obtaining random inhabited IP addresses. P2P networks, for example.
Yes, this strikes me as another case of looking at the current adversarial dynamic, solving a problem, then assuming that the problem will stay solved because your opponent will just throw their hands up in dismay and say "Alas, I am defeated!"
This is not usually what happens.
While it is basically true that having so many addresses does make the old way of just scanning the network ineffective, there will still be ways of getting at least some addresses. Look in connection logs of any kind. Leverage other protocols, like email addresses, which are every bit as imperfectly discoverable (but discoverable!) in IPv6 as IPv4. For instance, send an HTML email that ends up requesting something.
Besides, it seems to me the botnet attack methods are already no longer based on randomly scanning the internet and hacking Windows; they already work on email, the web, and social engineering. IPv6 doesn't do anything about that (nor can it).
True; at the same time, though, implementing a simple firewall on a router with equivalent security to NAT is actually simpler than implementing NAT itself: block incoming connection initiation packets by default, e.g. SYN packets in TCP, UDP packets whose destination & source IP & port don't match recent previous packets (and just drop unknown transport layer protocols). That logic is identical to NAT, except the packets just need to be accepted or dropped, never rewritten.
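The filtering rule described in the comment above, sketched in Python as an added example that is not part of the original thread. The prefix, the 30-second UDP window, and all class and function names are assumptions. It also requires a matching outbound flow for non-SYN inbound TCP, which is slightly stricter than the comment's wording.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("2001:db8:1::/64")  # assumed inside prefix (documentation range)
UDP_IDLE = 30.0                                # assumed "recent" window, in seconds

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

class StatefulFilter:
    """Accept-or-drop only: addresses and ports are never rewritten."""

    def __init__(self):
        self.flows = {}  # (proto, inside ip, inside port, outside ip, outside port) -> last seen

    def decide(self, p, now):
        if p.proto not in ("tcp", "udp"):
            return "drop"                      # unknown transport protocol
        # Direction is inferred from the source prefix here (assumption);
        # a real router decides by ingress interface instead.
        if ipaddress.ip_address(p.src) in LAN:
            self.flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
            return "accept"                    # outbound traffic creates or refreshes state
        if p.proto == "tcp" and p.syn and not p.ack:
            return "drop"                      # inbound connection initiation
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        seen = self.flows.get(key)
        if seen is None or (p.proto == "udp" and now - seen > UDP_IDLE):
            self.flows.pop(key, None)
            return "drop"                      # no matching recent outbound flow
        self.flows[key] = now
        return "accept"

def demo():
    host, remote = "2001:db8:1::10", "2001:db8:ffff::1"  # constructed addresses
    fw = StatefulFilter()
    trace = [  # (time, packet), all constructed
        (0.0, Packet("tcp", remote, 40000, host, 22, syn=True)),           # unsolicited SYN
        (1.0, Packet("tcp", host, 50000, remote, 443, syn=True)),          # outbound connect
        (1.1, Packet("tcp", remote, 443, host, 50000, syn=True, ack=True)),  # its SYN/ACK
        (1.2, Packet("tcp", remote, 443, host, 50001, ack=True)),          # ACK with no flow
        (2.0, Packet("udp", host, 40000, remote, 53)),                     # outbound query
        (2.1, Packet("udp", remote, 53, host, 40000)),                     # matching reply
        (100.0, Packet("udp", remote, 53, host, 40000)),                   # same tuple, stale
        (101.0, Packet("sctp", remote, 1, host, 1)),                       # unknown protocol
    ]
    return [fw.decide(p, t) for t, p in trace]
```

The only state kept is the same flow table a NAT would need; what is missing relative to NAT is the translation step, which is the commenter's point.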
Still, NAT is useful for creating "virtual machines", where more than one machine maps to the same IP address. Sure, the DNS can be used to do this at a higher level. But NAT does it much more dynamically.
Are you describing a load balancer, or something else? If not a load balancer (which has a different job to do), I just read this as "NAT is useful because it does NAT".
Interesting opportunity for viral bots - scan local subnet and report addresses found. The entire IPv6 space will be mapped soon after widespread adoption I imagine.
Didn't even bother reading because I couldn't get to the content. An interstitial ad decided to take over and there was no way to remove it on the iPhone. Enjoy the half-penny or so you made from that, website marketing guru.
It's not just the iPhone; the same thing happened in Safari 4 on the Mac. Once I got rid of it, there was an annoying 'sign up to see more than the first paragraph' which I gave up on.