On 2010-08-27 11:36, Dave CROCKER wrote:
>
>
> On 8/26/2010 4:24 PM, Brian E Carpenter wrote:
>>> > On 8/26/2010 2:27 PM, Brian E Carpenter wrote:
>>>> >> why would the underlying security vulnerabilities be fundamentally
>>>> >> different?
> ...
>> True, but the same property means that scanning attacks are infeasible
>> against IPv6 subnets. Attack tracking based on subnets may work
>> fine, though. Swings and roundabouts.
>
> Your original comment was about differences in vulnerabilities. You
> asserted that there was no fundamental difference and I was observing
> that one difference that is clear and is already of concern to the
> anti-spam/anti-abuse community does qualify as a fundamental
> difference. (It is likely to render an entire infrastructure of
> address-based white- and black-listing useless.)
>
>
>> Anyway - nobody is saying that there are no security issues with IPv6.
>
> How is your statement, above, not saying /exactly/ that?

We must interpret the word "fundamental" differently. The fundamental
issue we are getting at in your example is basically that it's trivial
to forge layer 3 addresses in a connectionless datagram network running
without cryptographic signature of every packet. The exact exposures and
countermeasures differ between IP versions, of course.

    Brian