Hi, Bob,

On 04/20/2012 02:26 PM, Bob Hinden wrote:
>> For example, consider an attacker remotely-scanning the v6-enabled
>> IETF meeting network. He'd probably target:
>>
>> * Apple's (Macs, iPads, iPhones)
>> * Dell's
>> * IBM's
>> * HP's
>> * Toshiba's
>> * Samsung's
>
> I agree, I would do that too :-)
>
> However, it also depends a lot on how many company IDs each vendor
> has and how they allocate them to their devices.

Off the top of my head, they use OUIs mostly sequentially. So, e.g., the first OUI assigned to, say, Apple, is unlikely to be in actual use nowadays.

That aside, scanning a network such as "the IETF meeting network" is kind of "the worst case scenario", since there are heterogeneous systems. In a typical organizational scenario, you have, at most, a few providers (they make large purchases from the same vendor).

> For example, I looked at
>
> http://standards.ieee.org/develop/regauth/oui/public.html
>
> and did a search for Apple and found about 150 assigned company_id's.
> [Note: It's "about" because some companies have "Apple" in their
> address].

I will double-check... But most of the cases I checked didn't have more than 10 OUIs or so.

> The IEEE page also says: "Firms and numbers listed may not
> always be obvious in product implementations, as some manufacturers
> subcontract component manufacture and others include registered firm
> OUIs in their products."

Yes, but as the idea develops, it wouldn't be hard to imagine an "OUI matrix" document (or whatchamacallit :-) ) that maps vendors to OUIs in a more precise way.

> The point I am trying to make here is that we should characterize the
> risk here accurately. It's not as simple as get one company_id and
> then start scanning.

As far as I've checked, it can work pretty well that way. That said, as noted by Ray, it's not that the lower 24 bits are selected in a random order, but rather sequentially. So you don't even need to search the 24-bit space linearly: take samples "randomly", and once you find an alive host, try sequential addresses starting from there. That said, it's not as bad as "this company has 10 OUIs, and I need to go through all of them". (I will try to get more experimental data, anyway).

>> and he'd already discover a fair share of the hosts connected to
>> the network.
>>
>> Certainly not perfect, certainly harder than in IPv4, but still
>> feasible.
>>
>> Now, if the same nodes implemented
>> draft-gont-6man-stable-privacy-addresses, the attacker would be
>> better off trying something else.
>
> Agreed. It also hides the company_id.

Exactly. And the search space becomes 64 bits (well, 63, since there's the U/L bit), with no patterns. That's a whole different game.

>> Being able to benefit from the increased IPv6 address space to
>> mitigate host-scanning attacks would be a good thing, and an
>> improvement over IPv4.
>
> Agreed.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
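The thread above turns on two facts: a modified EUI-64 interface identifier carries the hardware OUI (plus the 0xfffe marker) into the IPv6 address, and a stable-privacy identifier does not. The following is an added example, not code from the thread or from the draft, written from an administrator's side: it audits a list of addresses and reports which ones expose an OUI, and it builds an opaque, per-prefix stable identifier in the spirit of draft-gont-6man-stable-privacy-addresses. The exact hash construction (SHA-256 over the prefix, interface name, network ID, DAD counter and a secret key, truncated to 64 bits), the interface name `eth0`, the MAC `00:11:22:33:44:55` and the secret key are this example's own assumptions and constructed values.

```python
"""Audit IPv6 addresses for OUI exposure and build a stable-privacy IID.

Added example, not from the mailing-list thread or the draft it discusses.
The stable-privacy construction below is an assumption for illustration.
"""
import hashlib
import ipaddress


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64: insert ff:fe between the OUI and the device part,
    then invert the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_oui(addr: str):
    """Return the OUI ('xx:xx:xx') if the address's IID looks like a
    modified EUI-64, otherwise None. This is the pattern an auditor
    looks for: the 0xfffe marker in the middle of the IID."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit inversion to recover the MAC octet
    return "%02x:%02x:%02x" % (first, iid[1], iid[2])


def stable_privacy_iid(prefix: str, net_iface: str, network_id: str,
                       dad_counter: int, secret_key: bytes) -> bytes:
    """64-bit IID bound to the prefix and a host-local secret (assumed
    construction): no OUI inside it, and no sequential pattern across hosts."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    h = hashlib.sha256()
    for part in (pfx, net_iface.encode(), network_id.encode(),
                 dad_counter.to_bytes(4, "big"), secret_key):
        h.update(len(part).to_bytes(2, "big") + part)  # length-prefix each field
    return h.digest()[:8]


def address_from_iid(prefix: str, iid: bytes) -> str:
    """Concatenate a /64 prefix with a 64-bit IID into an address string."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    return str(ipaddress.IPv6Address(pfx + iid))


def audit(addresses):
    """Map each address to the OUI it exposes, or None if it exposes nothing."""
    return {a: eui64_oui(a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample: one EUI-64 host and one stable-privacy host on 2001:db8:1::/64
    prefix = "2001:db8:1::/64"
    mac = "00:11:22:33:44:55"  # constructed, not a real device
    secret = b"constructed-secret-key-kept-on-the-host"
    eui_addr = address_from_iid(prefix, mac_to_eui64_iid(mac))
    priv_addr = address_from_iid(
        prefix, stable_privacy_iid(prefix, "eth0", "", 0, secret))
    for addr, oui in audit([eui_addr, priv_addr]).items():
        print(addr, "-> exposes OUI", oui if oui else "nothing")
```

Run on a real address inventory, the `audit` output tells an administrator which hosts still use EUI-64 identifiers and which vendor each one advertises; the stable-privacy identifier changes with the prefix, so the same host does not carry one recognisable identifier from network to network.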