idnits 2.17.1 

draft-ietf-v6ops-scanning-implications-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 564.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 575.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 582.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 588.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 27, 2007) is 6240 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Obsolete informational reference (is this intentional?): RFC 2460 (ref.
     '1') (Obsoleted by RFC 8200)

  -- Obsolete informational reference (is this intentional?): RFC 2462 (ref.
     '2') (Obsoleted by RFC 4862)

  -- Obsolete informational reference (is this intentional?): RFC 3041 (ref.
     '3') (Obsoleted by RFC 4941)

  -- Obsolete informational reference (is this intentional?): RFC 3315 (ref.
     '6') (Obsoleted by RFC 8415)

  -- Obsolete informational reference (is this intentional?): RFC 4214 (ref.
     '10') (Obsoleted by RFC 5214)


     Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 12 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	IPv6 Operations                                                 T. Chown
3	Internet-Draft                                 University of Southampton
4	Intended status: Informational                            March 27, 2007
5	Expires: September 28, 2007

7	                 IPv6 Implications for Network Scanning
8	               draft-ietf-v6ops-scanning-implications-03

10	Status of this Memo

12	   By submitting this Internet-Draft, each author represents that any
13	   applicable patent or other IPR claims of which he or she is aware
14	   have been or will be disclosed, and any of which he or she becomes
15	   aware will be disclosed, in accordance with Section 6 of BCP 79.

17	   Internet-Drafts are working documents of the Internet Engineering
18	   Task Force (IETF), its areas, and its working groups.  Note that
19	   other groups may also distribute working documents as Internet-
20	   Drafts.

22	   Internet-Drafts are draft documents valid for a maximum of six months
23	   and may be updated, replaced, or obsoleted by other documents at any
24	   time.  It is inappropriate to use Internet-Drafts as reference
25	   material or to cite them other than as "work in progress."

27	   The list of current Internet-Drafts can be accessed at
28	   http://www.ietf.org/ietf/1id-abstracts.txt.

30	   The list of Internet-Draft Shadow Directories can be accessed at
31	   http://www.ietf.org/shadow.html.

33	   This Internet-Draft will expire on September 28, 2007.

35	Copyright Notice

37	   Copyright (C) The IETF Trust (2007).

39	Abstract

41	   The 128 bits of IPv6 address space is considerably bigger than the 32
42	   bits of address space of IPv4.  In particular, the IPv6 subnets to
43	   which hosts attach will by default have 64 bits of host address
44	   space.  As a result, traditional methods of remote TCP or UDP network
45	   scanning to discover open or running services on a host will
46	   potentially become less feasible, due to the larger search space in
47	   the subnet.  In addition automated attacks, such as those performed
48	   by network worms, that pick random host addresses to propagate to,
49	   may be hampered.  This document discusses this property of IPv6 and
50	   describes related issues for IPv6 site network administrators to
51	   consider, which may be of importance when planning site address
52	   allocation and management strategies.  While traditional network
53	   scanning probes (whether by individuals or automated via network
54	   worms) may become less common, administrators should be aware of
55	   other methods attackers may use to discover IPv6 addresses on a
56	   target network, and also be aware of appropriate measures to mitigate
57	   them.

59	Table of Contents

61	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
62	   2.  Target Address Space for Network Scanning  . . . . . . . . . .  4
63	     2.1.  IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
64	     2.2.  IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
65	     2.3.  Reducing the IPv6 Search Space . . . . . . . . . . . . . .  4
66	     2.4.  Dual-stack Networks  . . . . . . . . . . . . . . . . . . .  5
67	     2.5.  Defensive Scanning . . . . . . . . . . . . . . . . . . . .  5
68	   3.  Alternatives for Attackers: Off-link . . . . . . . . . . . . .  5
69	     3.1.  Gleaning IPv6 prefix information . . . . . . . . . . . . .  6
70	     3.2.  DNS Advertised Hosts . . . . . . . . . . . . . . . . . . .  6
71	     3.3.  DNS Zone Transfers . . . . . . . . . . . . . . . . . . . .  6
72	     3.4.  Log File Analysis  . . . . . . . . . . . . . . . . . . . .  6
73	     3.5.  Application Participation  . . . . . . . . . . . . . . . .  6
74	     3.6.  Multicast Group Addresses  . . . . . . . . . . . . . . . .  7
75	     3.7.  Transition Methods . . . . . . . . . . . . . . . . . . . .  7
76	   4.  Alternatives for Attackers: On-link  . . . . . . . . . . . . .  7
77	     4.1.  General on-link methods  . . . . . . . . . . . . . . . . .  7
78	     4.2.  Intra-site Multicast or Other Service Discovery  . . . . .  8
79	   5.  Site Administrator Tools . . . . . . . . . . . . . . . . . . .  8
80	     5.1.  IPv6 Privacy Addresses . . . . . . . . . . . . . . . . . .  8
81	     5.2.  Cryptographically Generated Addresses (CGAs) . . . . . . .  9
82	     5.3.  Non-use of MAC addresses in EUI-64 format  . . . . . . . .  9
83	     5.4.  DHCP Service Configuration Options . . . . . . . . . . . .  9
84	     5.5.  Rolling Server Addresses . . . . . . . . . . . . . . . . . 10
85	     5.6.  Application-Specific Addresses . . . . . . . . . . . . . . 10
86	   6.  Conclusions  . . . . . . . . . . . . . . . . . . . . . . . . . 10
87	   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 11
88	   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
89	   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
90	   10. Informative References . . . . . . . . . . . . . . . . . . . . 11
91	   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
92	   Intellectual Property and Copyright Statements . . . . . . . . . . 13

94	1.  Introduction

96	   One of the key differences between IPv4 and IPv6 is the much larger
97	   address space for IPv6, which also goes hand-in-hand with much larger
98	   subnet sizes.  This change has a significant impact on the
99	   feasibility of TCP and UDP network scanning, whereby an automated
100	   process is run to detect open ports (services) on systems that may
101	   then be subject of a subsequent attack.  Today many IPv4 sites are
102	   subjected to such probing on a recurring basis.

104	   The 128 bits of IPv6 [1] address space is considerably bigger than
105	   the 32 bits of address space in IPv4.  In particular, the IPv6
106	   subnets to which hosts attach will by default have 64 bits of host
107	   address space [2].  As a result, traditional methods of remote TCP or
108	   UDP network scanning to discover open or running services on a host
109	   will potentially become less feasible, due to the larger search space
110	   in the subnet.  This document discusses this property of IPv6, and
111	   describes related issues for IPv6 site network administrators to
112	   consider, which may be of importance when planning site address
113	   allocation and management strategies.

115	   This document complements the transition-centric discussion of the
116	   issues that can be found in Appendix A of the IPv6 Transition/
117	   Co-existence Security Considerations text [12], which takes a broad
118	   view of security issues for transitioning networks.

120	   The reader is also referred to a recent paper by Bellovin on worm
121	   propagation strategies in IPv6 networks [13].  This paper discusses
122	   some of the issues included in this document, from a slightly
123	   different perspective.

125	   Network scanning is quite a prevalent tactic used by would-be
126	   attackers.  There are two general classes of such scanning.  In one
127	   case, the probes are from an attacker outside a site boundary who is
128	   trying to find weaknesses on any system in that network which they
129	   may then subsequently be able to compromise.  The other case is
130	   scanning by worms that spread through (site) networks, looking for
131	   further hosts to compromise.  Many worms, like Slammer, rely on such
132	   address scanning methods to propagate, whether they pick subnets
133	   numerically (and thus probably topologically) close to the current
134	   victim, or subnets in random remote networks.

136	   It must be remembered that the defence of a network must not rely
137	   solely on the unpredictable sparseness of the host addresses on that
138	   network.  Such a feature or property is only one measure in a set of
139	   measures that may be applied.  However, with a growth in usage of
140	   IPv6 devices in open networks likely, and security becoming more
141	   likely an issue for the end devices, such obfuscation can be useful
142	   where its use is of little or no cost to the administrator to
143	   implement it.  However, a law of diminishing returns does apply.  An
144	   administrator who undertakes an address hiding policy through
145	   unpredictable sparseness should be aware that while IPv6 host
146	   addresses may be assigned to hosts that are likely to take
147	   significant time to discover by traditional scanning methods, there
148	   are other means by which such addresses may be discovered.
149	   Implementing all of the mitigating methods described in this text may
150	   be deemed unwarranted effort.  But it is up to the site administrator
151	   to be aware of the context and the options available, and in
152	   particular what new methods may attackers use to glean IPv6 address
153	   information, and how these can potentially be mitigated against.
154	   Finally, note that this document is currently intended to be
155	   informational; there is not yet sufficient deployment experience for
156	   it to be considered BCP.

158	2.  Target Address Space for Network Scanning

160	   There are significantly different considerations for the feasibility
161	   of plain, brute force IPv4 and IPv6 address scanning.

163	2.1.  IPv4

165	   A typical IPv4 subnet may have 8 bits reserved for host addressing.
166	   In such a case, a remote attacker need only probe at most 256
167	   addresses to determine if a particular service is running publicly on
168	   a host in that subnet.  Even at only one probe per second, such a
169	   scan would take under 5 minutes to complete.

171	2.2.  IPv6

173	   A typical IPv6 subnet will have 64 bits reserved for host addressing.
174	   In such a case, a remote attacker in principle needs to probe 2^64
175	   addresses to determine if a particular open service is running on a
176	   host in that subnet.  At a very conservative one probe per second,
177	   such a scan may take some 5 billion years to complete.  A more rapid
178	   probe will still be limited to (effectively) infinite time for the
179	   whole address space.  However, there are ways for the attacker to
180	   reduce the address search space to scan against within the target
181	   subnet, as we discuss below.

183	2.3.  Reducing the IPv6 Search Space

185	   The IPv6 host address space through which an attacker may search can
186	   be reduced in at least two ways.

188	   First, the attacker may rely on the administrator conveniently
189	   numbering their hosts from [prefix]::1 upward.  This makes scanning
190	   trivial, and thus should be avoided unless the host's address is
191	   readily obtainable from other sources (for example it is the site's
192	   published primary DNS or email MX server).  Alternatively if hosts
193	   are numbered sequentially, or using any regular scheme, knowledge of
194	   one address may expose other available addresses to scan.

196	   Second, in the case of statelessly autoconfiguring [1] hosts, the
197	   host part of the address will usually take a well-known format that
198	   includes the Ethernet vendor prefix and the "fffe" stuffing.  For
199	   such hosts, the search space can be reduced to 48 bits.  Further, if
200	   the Ethernet vendor is also known, the search space may be reduced to
201	   24 bits, with a one probe per second scan then taking a less daunting
202	   194 days.  Even where the exact vendor is not known, using a set of
203	   common vendor prefixes can reduce the search.  In addition, many
204	   nodes in a site network may be procured in batches, and thus have
205	   sequential or near sequential MAC addresses; if one node's
206	   autoconfigured address is known, scanning around that address may
207	   yield results for the attacker.  Again, any form of sequential host
208	   addressing should be avoided if possible.

210	2.4.  Dual-stack Networks

212	   Full advantage of the increased IPv6 address space in terms of
213	   resilience to network scanning may not be gained until IPv6-only
214	   networks and devices become more commonplace, given that most IPv6
215	   hosts are currently dual stack, with (more readily scannable) IPv4
216	   connectivity.  However, many applications or services (e.g. new peer-
217	   to-peer applications) on the (dual stack) hosts may emerge that are
218	   only accessible over IPv6, and that thus can only be discovered by
219	   IPv6 address scanning.

221	2.5.  Defensive Scanning

223	   The problem faced by the attacker for an IPv6 network is also faced
224	   by a site administrator looking for vulnerabilities in their own
225	   network's systems.  The administrator should have the advantage of
226	   being on-link for scanning purposes though.

228	3.  Alternatives for Attackers: Off-link

230	   If IPv6 hosts in subnets are allocated addresses 'randomly', and as a
231	   result IPv6 network scanning becomes relatively infeasible, attackers
232	   will need to find new methods to identify IPv6 addresses for
233	   subsequent scanning.  In this section, we discuss some possible paths
234	   attackers may take.  In these cases, the attacker will attempt to
235	   identify specific IPv6 addresses for subsequent targeted probes.

237	3.1.  Gleaning IPv6 prefix information

239	   Note that in IPv6 an attacker would not be able to search across the
240	   entire IPv6 address space as they might in IPv4.  An attacker may
241	   learn general prefixes to focus their efforts on by observing route
242	   view information (e.g. from public looking glass services) or
243	   information on allocated address space from RIRs.  In general this
244	   would only yield information at most at the /48 prefix granularity,
245	   but specific /64 prefixes may be observed from route views on some
246	   parts of some networks.

248	3.2.  DNS Advertised Hosts

250	   Any servers that are DNS listed, e.g.  MX mail relays, or web
251	   servers, will remain open to probing from the very fact that their
252	   IPv6 addresses will be published in the DNS.  Where a site uses
253	   sequential host numbering, publishing just one address may lead to a
254	   threat upon the other hosts.

256	   Sites may use a two-faced DNS where internal system DNS information
257	   is only published in an internal DNS.  It is also worth noting that
258	   the reverse DNS tree may also expose address information.  In such
259	   cases, populating the reverse DNS tree for the entire subnet, even if
260	   not all addresses are actually used, may reduce that exposure.

262	3.3.  DNS Zone Transfers

264	   In the IPv6 world a DNS zone transfer is much more likely to narrow
265	   the number of hosts an attacker needs to target.  This implies
266	   restricting zone transfers is (more) important for IPv6, even if it
267	   is already good practice to restrict them in the IPv4 world.

269	   There are some projects that provide Internet mapping data from
270	   access to such transfers.  Administrators may of course agree to
271	   provide such transfers where they choose to do so.

273	3.4.  Log File Analysis

275	   IPv6 addresses may be harvested from recorded logs such as web site
276	   logs.  Anywhere else where IPv6 addresses are explicitly recorded may
277	   prove a useful channel for an attacker, e.g. by inspection of the
278	   (many) Received from: or other header lines in archived email or
279	   Usenet news messages.

281	3.5.  Application Participation

283	   More recent peer-to-peer applications often include some centralised
284	   server which coordinates the transfer of data between peers.  The
285	   BitTorrent application builds swarms of nodes that exchange chunks of
286	   files, with a tracker passing information about peers with available
287	   chunks of data between the peers.  Such applications may offer an
288	   attacker a source of peer IP addresses to probe.

290	3.6.  Multicast Group Addresses

292	   Where an Embedded RP [7] multicast group address is known, the
293	   unicast address of the rendezvous point is implied by the group
294	   address.  Where unicast prefix based multicast group addresses [5]
295	   are used, specific /64 link prefixes may also be disclosed in traffic
296	   that goes off-site.  An administrator may thus choose to put aside
297	   /64 bit prefixes for multicast group addresses that are not in use
298	   for normal unicast routing and addressing.  Alternatively a site may
299	   simply use their /48 site prefix allocation to generate RFC3306
300	   multicast group addresses.

302	3.7.  Transition Methods

304	   Specific knowledge of the target network may be gleaned if that
305	   attacker knows it is using 6to4 [4], ISATAP [10], Teredo [11] or
306	   other techniques that derive low-order bits from IPv4 addresses
307	   (though in this case, unless they are using IPv4 NAT, the IPv4
308	   addresses may be probed anyway).

310	   For example, the current Microsoft 6to4 implementation uses the
311	   address 2002:V4ADDR::V4ADDR while older Linux and FreeBSD
312	   implementations default to 2002:V4ADDR::1.  This leads to specific
313	   knowledge of specific hosts in the network.  Given one host in the
314	   network is observed as using a given transition technique, it is
315	   likely that there are more.

317	   In the case of Teredo, the 64 bit node identifier is generated from
318	   the IPv4 address observed at a Teredo server along with a UDP port
319	   number.  The Teredo specification also allows for discovery of other
320	   Teredo clients on the same IPv4 subnet via a well-known IPv4
321	   multicast address (see Section 2.17 of RFC4380 [11]).

323	4.  Alternatives for Attackers: On-link

325	4.1.  General on-link methods

327	   If the attacker is on link, then traffic on the link, be it Neighbour
328	   Discovery or application based traffic, can invariably be observed,
329	   and target addresses learnt.  In this document we are assuming the
330	   attacker is off link, but traffic to or from other nodes (in
331	   particular server systems) is likely to show up if an attacker can
332	   gain a presence on any one subnet in a site's network.

334	   IPv6-enabled hosts on local subnets may be discovered through probing
335	   the "all hosts" link local multicast address.  Likewise any routers
336	   on link may be found via the "all routers" link local multicast
337	   address.  An attacker may choose to probe in a slightly more
338	   obfuscated way by probing the solicited node multicast address of a
339	   potential target host.

341	   Where a host has already been compromised, its Neighbour Discovery
342	   cache is also likely to include information about active nodes on
343	   link, just as an ARP cache would do for IPv4.

345	4.2.  Intra-site Multicast or Other Service Discovery

347	   A site may also have site or organisational scope multicast
348	   configured, in which case application traffic, or service discovery,
349	   may be exposed site wide.  An attacker may also choose to use any
350	   other service discovery methods supported by the site.

352	5.  Site Administrator Tools

354	   There are some tools that site administrators can apply to make the
355	   task for IPv6 network scanning attackers harder.  These methods arise
356	   from the considerations in the previous section.

358	   The author notes that at his current (university) site, there is no
359	   evidence of general network scanning running across subnets.
360	   However, there is network scanning over IPv6 connections to systems
361	   whose IPv6 addresses are advertised (DNS servers, MX relays, web
362	   servers, etc), which are presumably looking for other open ports on
363	   these hosts to probe.

365	5.1.  IPv6 Privacy Addresses

367	   By using the IPv6 Privacy Extensions [3] hosts in a network may only
368	   be able to connect to external systems using their current
369	   (temporary) privacy address.  While an attacker may be able to port
370	   scan that address if they do so quickly upon observing or otherwise
371	   learning of the address, the threat or risk is reduced due to the
372	   time-constrained value of the address.  One implementation of RFC3041
373	   already deployed has privacy addresses active for one day, with such
374	   addresses reachable for seven days.

376	   Note that an RFC3041 host will usually also have a separate static
377	   global IPv6 address by which it can also be reached, and that may be
378	   DNS-advertised if an externally reachable service is running on it.

380	   DHCPv6 can be used to serve normal global addresses and IPv6 Privacy
381	   Addresses.

383	   The implication is that while Privacy Addresses can mitigate the
384	   long-term value of harvested addresses, an attacker creating an IPv6
385	   application server to which clients connect will still be able to
386	   probe the clients by their Privacy Address as and when they visit
387	   that server.  The duration for which Privacy Addresses are valid will
388	   impact on the usefulness of such observed addresses to an external
389	   attacker.  The frequency with which such address get recycled could
390	   be increased, though this may increase the complexity of local
391	   network management for the administrator, since doing so will cause
392	   more addresses to be used over time in the site.

394	   It may be worth exploring whether firewalls can be adapted to allow
395	   the option to block traffic initiated to a known IPv6 Privacy Address
396	   from outside a network boundary.  While some applications may
397	   genuinely require such capability, it may be useful to be able to
398	   differentiate in some circumstances.

400	5.2.  Cryptographically Generated Addresses (CGAs)

402	   The use of Cryptographically Generated Addresses (CGAs) [9] may also
403	   cause the search space to be increased from that presented by default
404	   use of Stateless Autoconfiguration.  Such addresses would be seen
405	   where Secure Neighbour Discovery (SEND) [8] is in use.

407	5.3.  Non-use of MAC addresses in EUI-64 format

409	   The EUI-64 identifier format does not require the use of MAC
410	   addresses for identifier construction.  At least one well-known
411	   operating system currently defaults to generation of the 64 bit
412	   interface identifier by use of random bits, and thus does not embed
413	   the MAC address.  Where such a method exists as an option, an
414	   administrator may wish consider use of that option.

416	5.4.  DHCP Service Configuration Options

418	   The administrator should configure DHCPv6 so that the first addresses
419	   allocated from the pool begins much higher in the address space than
420	   at [prefix]::1.  Further, it is desirable that allocated addresses
421	   are not sequential, nor have any predictable pattern to them.
422	   Unpredictable sparseness in the allocated addresses is a desirable
423	   property.  DHCPv6 implementors should support configuration options
424	   to allow such behaviour.

426	   DHCPv6 also includes an option to use Privacy Extension [3]
427	   addresses, i.e. temporary addresses, as described in Section 12 of
428	   the DHCPv6 [6] specification.

430	5.5.  Rolling Server Addresses

432	   Given the huge address space in an IPv6 subnet/link, and the support
433	   for IPv6 multiaddressing, whereby a node or interface may have
434	   multiple IPv6 valid addresses of which one is preferred for sending,
435	   it may be possible to periodically change the advertised addresses
436	   that certain long standing services use (where 'short' exchanges to
437	   those services are used).

439	   For example, an MX server could be assigned a new primary address on
440	   a weekly basis, and old addresses expired monthly.  Where MX server
441	   IP addresses are detected and cached by spammers, such a defence may
442	   prove useful to reduce spam volumes, especially as such IP lists may
443	   also be passed between potential attackers for subsequent probing.

445	5.6.  Application-Specific Addresses

447	   By a similar reasoning, it may be possible to consider using
448	   application-specific addresses for systems, such that a given
449	   application may have exclusive use of an address, meaning that
450	   disclosure of the address should not expose other applications or
451	   services running on the same system.

453	6.  Conclusions

455	   Due to the much larger size of IPv6 subnets in comparison to IPv4 it
456	   will become less feasible for network scanning methods to detect open
457	   services for subsequent attacks.  If administrators number their IPv6
458	   subnets in 'random', non-predictable ways, attackers, whether they be
459	   in the form of automated network scanners or dynamic worm
460	   propagation, will need to use new methods to determine IPv6 host
461	   addresses to target.  Of course, if those systems are dual-stack, and
462	   have open IPv4 services running, they will remain exposed to
463	   traditional probes over IPv4 transport.

465	   This document has discussed the considerations a site administrator
466	   should bear in mind when considering IPv6 address planning issues and
467	   configuring various service elements.  It highlights relevant issues
468	   and offers some informational guidance for administrators.  While
469	   some suggestions are currently more practical than others, it is up
470	   to individual administrators to determine how much effort they wish
471	   to invest in 'address hiding' schemes, given that this is only one
472	   aspect of network security, and certainly not one to rely solely
473	   upon.  But by implementing the basic principle of allocating
474	   addresses on the basis of unpredictable sparseness, some level of
475	   obfuscation can be cheaply deployed.

477	7.  Security Considerations

479	   There are no specific security considerations in this document
480	   outside of the topic of discussion itself.

482	8.  IANA Considerations

484	   There are no IANA considerations for this document.

486	9.  Acknowledgements

488	   Thanks are due to people in the 6NET project (www.6net.org) for
489	   discussion of this topic, including Pekka Savola, Christian Strauf
490	   and Martin Dunmore, as well as other contributors from the IETF v6ops
491	   and other mailing lists, including Tony Finch, David Malone, Bernie
492	   Volz, Fred Baker, Andrew Sullivan, Tony Hain, Dave Thaler and Alex
493	   Petrescu.

495	10.  Informative References

497	   [1]   Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
498	         Specification", RFC 2460, December 1998.

500	   [2]   Thomson, S. and T. Narten, "IPv6 Stateless Address
501	         Autoconfiguration", RFC 2462, December 1998.

503	   [3]   Narten, T. and R. Draves, "Privacy Extensions for Stateless
504	         Address Autoconfiguration in IPv6", RFC 3041, January 2001.

506	   [4]   Carpenter, B. and K. Moore, "Connection of IPv6 Domains via
507	         IPv4 Clouds", RFC 3056, February 2001.

509	   [5]   Haberman, B. and D. Thaler, "Unicast-Prefix-based IPv6
510	         Multicast Addresses", RFC 3306, August 2002.

512	   [6]   Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M.
513	         Carney, "Dynamic Host Configuration Protocol for IPv6
514	         (DHCPv6)", RFC 3315, July 2003.

516	   [7]   Savola, P. and B. Haberman, "Embedding the Rendezvous Point
517	         (RP) Address in an IPv6 Multicast Address", RFC 3956,
518	         November 2004.

520	   [8]   Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
521	         Neighbor Discovery (SEND)", RFC 3971, March 2005.

523	   [9]   Aura, T., "Cryptographically Generated Addresses (CGA)",
524	         RFC 3972, March 2005.

526	   [10]  Templin, F., Gleeson, T., Talwar, M., and D. Thaler, "Intra-
527	         Site Automatic Tunnel Addressing Protocol (ISATAP)", RFC 4214,
528	         October 2005.

530	   [11]  Huitema, C., "Teredo: Tunneling IPv6 over UDP through Network
531	         Address Translations (NATs)", RFC 4380, February 2006.

533	   [12]  Davies, E., Krishnan, S., and P. Savola, "IPv6 Transition/
534	         Co-existence Security Considerations
535	         (draft-ietf-v6ops-security-overview-06)", October 2007.

537	   [13]  Bellovin, S. et al, "Worm Propagation Strategies in an IPv6
538	         Internet (http://www.cs.columbia.edu/~smb/papers/v6worms.pdf)",
539	         ;login:, February 2006.

541	Author's Address

543	   Tim Chown
544	   University of Southampton
545	   Southampton, Hampshire  SO17 1BJ
546	   United Kingdom

548	   Email: tjc@ecs.soton.ac.uk

550	Full Copyright Statement

552	   Copyright (C) The IETF Trust (2007).

554	   This document is subject to the rights, licenses and restrictions
555	   contained in BCP 78, and except as set forth therein, the authors
556	   retain all their rights.

558	   This document and the information contained herein are provided on an
559	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
560	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
561	   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
562	   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
563	   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
564	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

566	Intellectual Property

568	   The IETF takes no position regarding the validity or scope of any
569	   Intellectual Property Rights or other rights that might be claimed to
570	   pertain to the implementation or use of the technology described in
571	   this document or the extent to which any license under such rights
572	   might or might not be available; nor does it represent that it has
573	   made any independent effort to identify any such rights.  Information
574	   on the procedures with respect to rights in RFC documents can be
575	   found in BCP 78 and BCP 79.

577	   Copies of IPR disclosures made to the IETF Secretariat and any
578	   assurances of licenses to be made available, or the result of an
579	   attempt made to obtain a general license or permission for the use of
580	   such proprietary rights by implementers or users of this
581	   specification can be obtained from the IETF on-line IPR repository at
582	   http://www.ietf.org/ipr.

584	   The IETF invites any interested party to bring to its attention any
585	   copyrights, patents or patent applications, or other proprietary
586	   rights that may cover technology that may be required to implement
587	   this standard.  Please address the information to the IETF at
588	   ietf-ipr@ietf.org.

590	Acknowledgment

592	   Funding for the RFC Editor function is provided by the IETF
593	   Administrative Support Activity (IASA).