Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

IPv6 discussion on PSW
From: "Jody & Jennifer McCluggage" <j2mccluggage () adelphia net>
Date: Mon, 16 Aug 2010 19:02:20 -0400

On episode 204 there was a fascinating discussion around scanning problems
caused by the sheer size of the address space available with IPv6.  I have
also been thinking about this problem lately.  The numbers thrown around on
the podcast where between 10 and 20 million possible addresses.   Actually
the problem is much bigger than that.  I believe (and someone please correct
me if I am wrong), that there are 64 bits available for addressing.   That
means that there are 18 quintillion  (that's 18 followed by 18 zeros!).
There is no way that you are scanning that entire range in your life time.
On top of that, I believe with internal IPv6 addresses, there are 16 bits
available for networking.  That means you have your choice of over 65,000
networks to choose from.

The discussion focused on how to discover a rogue user that setup a static
IP address in your network.  Hunting for it would be like literally trying
to find a needle in a hay stack.  I would like to toss out a couple of
possible solutions that I was thinking about (I am sure that I am not the
first one to think of these and am sure there are probably better ways to do
this.  Please let me know if you think it would not work or if there is a
better way).  The key is that the rogue user is going to have to transmit
data at some time and that data is going to have to go across a switch.

1.  Monitor the switch MAC-Address table to look for IPv6 addresses outside
of the range that you are actually using (you can designated a range in
DHCPv6).  Sure the rogue user could spoof the IPv6 address but they still
have to make sure they are not using one already in circulation so they
still may trip an alarm.

2. Use switches to limit the size of IPv6 addresses allowed on your network
(some switches support layer 3 filtering).  For example you could apply an
access-list (again on those switches that support IP access-lists) that
knock down traffic from IPv6 addresses outside of a designated range.  You
can monitor the logs or setup an SNMP trap to warn when this happens.

Well those are my ideas.  Thanks for the great discussion on the podcast!

Jody




_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


  By Date           By Thread  

Current thread:
  • IPv6 discussion on PSW Jody & Jennifer McCluggage (Aug 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault