nanog mailing list archives

Re: NIST IPv6 document


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 6 Jan 2011 07:50:17 +0000


On Jan 6, 2011, at 1:51 PM, Joe Greco wrote:

> There are numerous parallels between physical and electronic security.
> Let's just concede that for a moment.

I can't, and here's why:

1. In the physical world, attackers run a substantial risk of being caught, and of tangible, severe penalties if 
that eventuality comes to pass; in the online world, the risk of being caught is nil.

2. In the physical world, attackers have a limited number and variety of resources they can bring to bear; in the 
online world, the attackers have near-infinite resources, for all practical purposes.

3. In the physical world, the attackers generally possess neither the ability nor the desire to bring the whole 
neighborhood crashing down around the ears of the defenders; in the online world, they almost always have the ability, 
and often the desire, to do just that.

> Making it harder to scan a network *can* and *does* deter certain classes of attacks.

But as I've tried to make clear, a) I don't believe that sparse addressing does in fact make it harder to scan the 
network, due to hinted scanning via DNS/routing/whois/ND/multicast; b) I believe that pushing the attackers towards 
hinted scanning will have severe second-order deleterious effects on DNS/network infrastructure/whois, resulting in an 
overall loss in terms of security posture; c) I don't believe that attackers will cease pseudo-randomized scanning; 
and d) I believe that in fact they will throw vastly more resources at both hinted and pseudo-randomized scanning, that 
they have near-infinite resources at their disposal (with an ever-expanding pool of potential resources to harness), 
and that the resultant increase in scanning activity will also have severely deleterious second-order effects on the 
security posture of the Internet as a whole.

In short, I'm starting from a substantially different, far more pessimistic set of base premises, and therefore draw a 
far more negative set of resulting inferences.

I don't believe the sky is falling; I believe it's already fallen, and that we're just now starting to come to grips 
with some of the ramifications of its fall.  

In my view, an IPv6 Internet is considerably less secure, and inherently less securable, than the present horribly 
insecure and barely securable IPv4 Internet; furthermore, I believe that many of the supposed 'security' measures being 
touted for IPv6 are at best placebos, and at worst are iatrogenic in nature.

------------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.

                          -- Alan Kay
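The following script is an added example and is not part of Roland Dobbins' post or of the NANOG thread. It puts numbers on the scanning argument made above: exhaustively probing a single IPv6 /64 is infeasible, so an attacker who wants targets inside it does not probe randomly but harvests "hints" (here, a neighbor-discovery cache and AAAA records, both constructed for illustration) and scans only the handful of addresses those hints reveal. The probe rate, the prefix and all records are assumptions chosen for the example.

```python
"""Added example: pseudo-random vs. hinted scanning of a sparse IPv6 /64.

All inputs below (neighbor cache, DNS records, probe rate) are constructed
for illustration; none come from the post or from a real network.
"""
import ipaddress
import re

PROBES_PER_SECOND = 1_000_000  # assumed scanner rate
SECONDS_PER_YEAR = 31_557_600


def seconds_to_exhaust(prefix: str, rate: int = PROBES_PER_SECOND) -> float:
    """Wall-clock seconds to send one probe to every address in `prefix`."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.num_addresses / rate


def expected_random_hits(live_hosts: int, probes: int, prefix: str) -> float:
    """Expected number of live hosts found by `probes` uniformly random
    probes into `prefix`, when only `live_hosts` addresses are in use."""
    net = ipaddress.ip_network(prefix, strict=False)
    return live_hosts * probes / net.num_addresses


# Constructed `ip -6 neigh show` output, as seen from a host on the target LAN.
ND_CACHE = """\
2001:db8:1::a1b2:c3d4:e5f6:0011 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::4f3e:2d1c:0b0a:9988 dev eth0 lladdr 66:77:88:99:aa:bb STALE
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::dead:beef:cafe:f00d dev eth0 FAILED
"""

# Constructed records, e.g. from a zone transfer or forward-name brute force.
DNS_RECORDS = [
    ("www.example.net", "2001:db8:1::a1b2:c3d4:e5f6:0011"),
    ("mail.example.net", "2001:db8:1::4f3e:2d1c:0b0a:9988"),
    ("vpn.example.net", "2001:db8:1::7777:6666:5555:4444"),
    ("legacy.example.net", "192.0.2.10"),  # A record: no v6 hint
]

# <address> dev <if> [lladdr <mac>] <state>
ND_LINE = re.compile(r"^(\S+)\s+dev\s+\S+(?:\s+lladdr\s+\S+)?\s+(\S+)$")


def hints_from_nd(cache_text: str, target_prefix: str) -> set:
    """Global addresses inside `target_prefix` learned from a neighbor cache.
    Link-local entries and FAILED entries are skipped."""
    net = ipaddress.ip_network(target_prefix, strict=False)
    found = set()
    for line in cache_text.splitlines():
        m = ND_LINE.match(line.strip())
        if not m:
            continue
        addr, state = m.groups()
        if state == "FAILED":
            continue
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip in net:
            found.add(ip)
    return found


def hints_from_dns(records, target_prefix: str) -> set:
    """IPv6 addresses inside `target_prefix` taken from (name, value) records."""
    net = ipaddress.ip_network(target_prefix, strict=False)
    found = set()
    for _name, value in records:
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            continue
        if ip.version == 6 and ip in net:
            found.add(ip)
    return found


def candidate_targets(target_prefix: str) -> list:
    """The hinted scanner's actual worklist: union of all hints, sorted."""
    cands = hints_from_nd(ND_CACHE, target_prefix) | hints_from_dns(DNS_RECORDS, target_prefix)
    return sorted(cands)


if __name__ == "__main__":
    prefix = "2001:db8:1::/64"
    years = seconds_to_exhaust(prefix) / SECONDS_PER_YEAR
    print(f"Exhaustive scan of {prefix}: about {years:,.0f} years at {PROBES_PER_SECOND:,} probes/s")
    print(f"Expected hits from 1e9 random probes against 3 live hosts: "
          f"{expected_random_hits(3, 10**9, prefix):.2e}")
    targets = candidate_targets(prefix)
    print(f"Hinted worklist: {len(targets)} addresses")
    for t in targets:
        print("  ", t)
```

The contrast is the point: at a million probes per second the /64 takes on the order of half a million years to exhaust, and a billion random probes are expected to find essentially nothing, while the neighbor cache and DNS together hand the scanner three live addresses with no probing at all. That is also why the post expects pressure to move onto DNS, whois and neighbor discovery rather than disappear.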
