On 2010-08-27 11:36, Dave CROCKER wrote:
On 8/26/2010 4:24 PM, Brian E Carpenter wrote:
On 8/26/2010 2:27 PM, Brian E Carpenter wrote:
why would the underlying security vulnerabilities be fundamentally
True, but the same property means that scanning attacks are infeasible
against IPv6 subnets. Attack tracking based on subnets may work
fine, though. Swings and roundabouts.
Your original comment was about differences in vulnerabilities. You
asserted that there was no fundamental difference and I was observing
that one difference that is clear and is already of concern to the
anti-spam/anti-abuse community does qualify as a fundamental
difference. (It is likely to render an entire infrastructure of
address-based white- and black-listing useless.)
Anyway - nobody is saying that there are no security issues with IPv6.
How is your statement, above, not saying /exactly/ that?
We must interpret the word "fundamental" differently. The fundamental
issue we are getting at in your example is basically that it's trivial
to forge layer 3 addresses in a connectionless datagram network running
without cryptographic signature of every packet. The exact exposures and
countermeasures differ between IP versions, of course.