[BBLISA] IPv6 as a security improvement?

[Edward Ned Harvey (bblisa4)]

> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Bill Bogstad
> 
> Is this an example of security through obscurity actually working?

It's a case of "The attackers have yet to adopt tactics to do this."

If IPv6 addresses used the entire 128 bits, *and* clients could randomly chose their own IP, then you would get actual security through obscurity. (Just as you have security through obscurity when you keep your 128-bit encryption key private). It's not called "security through obscurity" when you have *actual* security, by keeping a private secret, without which it is infeasible for the attacker to attack you. Then we just call it "secure."

But neither of these assumptions is correct - The number of bits of an IPv6 address that are actually used for addressing varies, based on the type of address (local link only, etc) but a realistic best case for a public address might have 70 or so bits of variability, and the rest predictable. In practice, the number of unknown bits is probably much smaller, like 40-50 or so, because IPv6 addresses aren't globally distributed at random. I don't know what patterns to look for, myself personally, but I'm pretty sure if you wanted to target IP's in China, or IP's in the US, etc, you could identify some ranges, just as you can now with IPv4.

If a lot of systems (relative to IPv4) start using IPv6 exclusively, attackers will gather all the missing information from the above paragraph, and start systematically scanning the IPv6 space just like they do IPv4.

That being said, there *is* a real security benefit, because hacking, like everything else, is a cost-benefit analysis. It will cost more for attackers to scan and attack the IPv6 space.