
Pinging all the IPv4 address space takes about 5 hours (and can generate beautiful maps). Port-scanning doesn't take much longer and can reveal vulnerable services, such as remote administration of routers with default credentials or misconfigured servers.

Assuming it scales linearly, scanning the IPv6 address space could take around 10 quadrillion years.

How feasible would it be to assign dynamic, random ranges of the IPv6 address space to ISPs? Those ranges could change every few days and clients would have their IP address change when the DHCP lease expires.

isanae
  • `Pinging all the IPv4 address space takes about 5 hours (and can generate beautiful maps). Port-scanning doesn't take much longer` - Hogwash. – joeqwerty May 12 '15 at 19:09
  • @joeqwerty No, [it's true](https://zmap.io/). Though that isn't the problem here. – Michael Hampton May 12 '15 at 19:11
  • @MichaelHampton: Without reading any of the documents at that site, and assuming that all 4 billion+ IPv4 addresses were reachable/pingable/scannable, I'm having a hard time believing that it's possible in 5 hours, much less the 5 minutes that they claim. That has to be some kind of prank or gag? – joeqwerty May 12 '15 at 19:25
  • @joeqwerty Full scans were being done in 12-24 hours several years ago. You're _way_ behind the times. Keep in mind that those numbers are _per port_. – Michael Hampton May 12 '15 at 20:28
  • @joeqwerty It's 3700 million IPs and one 40 byte packet per IP. That's a total of 1.2 terabits. Including headers beneath the IP layer will increase the number of bits transmitted beyond the 1.2Tb. If the transferred data was 3Tb at 10Gb/s, it would take 5 minutes. – kasperd May 12 '15 at 22:12

2 Answers


Most IPv6 subnets are no smaller than /64. It's not a protocol requirement, but it is de facto standard and also necessary for networks that run SLAAC.

Each of those networks contains 18446744073709551616 IP addresses, and, in each network, only a handful of those addresses will ever be used.

Therefore, even if you know exactly what subnets are assigned and which are unassigned, it's infeasible to scan even a single IPv6 subnet to find the host addresses that are in use inside that subnet. So making it hard to guess which subnets are assigned doesn't really help.

Put that together with the fact that even if ISPs must move their address blocks around from time to time, they must still document their assignments in WHOIS so that outsiders can find out who is responsible for a given IP address and contact the right abuse desk. We intentionally do the opposite of hiding IP network assignments!

Exceptions: if you guess an IPv6 subnet that is in use, you actually have better than 1/18446744073709551616 chance of finding an assigned IP address within that subnet. For example, if SLAAC is in use and you can guess the MAC address of a host on the subnet, you can generate its IP address. Privacy addresses mitigate this. Also, servers will often have well-known, simple addresses like `<subnet>::1` so you can guess those too (but then again, they're servers, so they're supposed to have well-known addresses). Still, it's sufficiently daunting that I think it's still a futile task to try to "portscan" IPv6.

Celada
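The two exceptions in the answer above (SLAAC addresses built from a MAC address, and simple addresses like `<subnet>::1`), shown as an added example that is not part of the original answer: a Python check a network owner can run over their own address inventory to flag interface identifiers in those guessable classes. The `2001:db8::/32` documentation prefix, the MAC address and the inventory are constructed, and the "low-value" threshold is an assumption.

```python
import ipaddress

IID_MASK = (1 << 64) - 1
LOW_VALUE_LIMIT = 0x10000  # assumption: IIDs below this count as "simple" (::1, ::53, ...)

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address SLAAC forms from a /64 prefix and a MAC (modified EUI-64, RFC 4291)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC address must be 6 bytes")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return net[int.from_bytes(iid, "big")]

def classify(addr: str) -> str:
    """Classify the low 64 bits (interface identifier) of an address."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    raw = iid.to_bytes(8, "big")
    if iid < LOW_VALUE_LIMIT:
        return "low-value"
    if raw[3:5] == b"\xff\xfe":
        # Heuristic: a random IID matches this pattern with probability 1/65536.
        mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
        return "eui64 mac=" + ":".join(f"{x:02x}" for x in mac)
    return "no-obvious-pattern"

def audit(addresses):
    """Return {address: class} for every address whose IID is guessable."""
    result = {}
    for a in addresses:
        kind = classify(a)
        if kind != "no-obvious-pattern":
            result[a] = kind
    return result

# Constructed inventory: a server at ::1, a SLAAC host, a privacy-style address.
INVENTORY = [
    "2001:db8:1:2::1",
    str(eui64_address("2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e")),
    "2001:db8:1:2:8d3f:91c2:6b0e:f4a7",
]

if __name__ == "__main__":
    for address, kind in audit(INVENTORY).items():
        print(f"{address:40} {kind}")
```

Hosts flagged as `eui64` also expose their MAC address in every packet they send, which is the tracking concern privacy addresses were introduced to address.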

There are two elements in play here.

First, there is the ability to move entire ISP blocks every few days. The security benefits are ambiguous at best.

Second, there is the possible annoyance of customers. Even users without static IP guarantees have an expectation that they won't be moved around willy-nilly. Those "dynamic" users know that sometimes IP changes occur, and many have services like dynamic DNS to counter periodic moves. Then, there are the users that have paid to have a static IP address. If you move those users, they will raise hell in venting their frustration on the ISP, putting the ISP in the hotseat to fix the problem. Especially with a retail site, the ISP may to some degree be on the hook for lost sales due to breach of contract.

Having the entire internet (via the connected ISPs) shift every couple days may look good initially on paper. Trying to apply the concept to the reality of how the internet works tends to fall apart immediately.

I could be mistaken. If so, please downvote. Enough of them, and I'll kill this answer.

killermist