[OpenWrt-Devel] OpenWRT IPv6 firewall

Gert Doering gert at greenie.muc.de
Mon Jul 21 03:43:40 EDT 2014


Hi,

On Mon, Jul 21, 2014 at 12:18:46AM -0700, David Lang wrote:
> While it is nice to say that IPv6 has a large address space and so nobody 
> will ever scan it, I don't believe it. 

Don't believe.  Try math.  2^64 is big enough that if you manage to send
a few 1000 packets a second, you'll need up to the heat death of the 
universe to scan a single /64 subnet...

(Of course this can be optimized if you're targeting very specific
devices and "only" need to scan 2^24 potential EUI64 addresses in 
a given vendor's MAC range - but that's not your Joe Random attacker.
If someone is that determined, he'll just target your PC first, and
jump from there to the devices on your LAN.  Way easier in general)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
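
The arithmetic in the message above, as an added example that is not part of the original post: this Python sketch checks which addresses on a LAN carry a MAC-derived (modified EUI-64) interface identifier and compares the 2^24 and 2^64 search spaces. The function names are hypothetical, the sample addresses are constructed from the 2001:db8::/32 documentation prefix, and the 1000 packets per second rate and the known vendor OUI are assumptions.

```python
import ipaddress

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample addresses (2001:db8::/32 is the documentation prefix).
SAMPLE_ADDRS = [
    "2001:db8::211:22ff:fe33:4455",   # IID derived from MAC 00:11:22:33:44:55
    "2001:db8::8d3c:71a2:4be9:6f5",   # randomised IID
]

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    # The ff:fe filler marks EUI-64; a random IID matches by chance 1 in 2^16.
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def search_space_bits(addr):
    """Bits a scanner must cover inside the /64 to reach this host.

    Assumption: for a MAC-derived IID the vendor OUI is known, leaving the
    24 device-specific bits mentioned in the message; otherwise all 64.
    """
    return 24 if eui64_mac(addr) else 64

def sweep_seconds(bits, pps):
    """Worst-case time to probe 2**bits addresses at pps packets per second."""
    return 2 ** bits / pps

def audit(addrs, pps=1000):
    """Classify each address and report its worst-case sweep time."""
    report = []
    for a in addrs:
        bits = search_space_bits(a)
        report.append({"addr": a, "mac": eui64_mac(a), "bits": bits,
                       "seconds": sweep_seconds(bits, pps)})
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_ADDRS):
        years = row["seconds"] / SECONDS_PER_YEAR
        kind = f"EUI-64 from {row['mac']}" if row["mac"] else "non-EUI-64"
        print(f"{row['addr']:34} {kind:32} 2^{row['bits']}: "
              f"{row['seconds']:.3g} s ({years:.3g} years)")
```

Hosts reported with a 24-bit space are the ones to move to RFC 7217 stable-opaque or RFC 4941 temporary addresses.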