Private ipv4 addresses as a security reason not to convert to ipv6?

Posted on June 13, 2011 by jimmy — No Comments ↓

I while ago I got into a discussion with one of my customers regarding ipv6. He told me that one reason not to migrate to ipv6 was for security.

– I dont want to tell the entire world what IP addresses I have on my servers. And when using ipv4 and NAT my internal ip addresses are hidden.

The discussion was interrupted and I didnt get any chance to finish it.

When using private ipv4-addresses on your LAN i can assume that you have any of these addresses:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

So, how many addresses do you have to choose from? Lets count (roughly!):

10.0.0.0/8, that is 256 * 256 * 256 addresses, 16 777 216 available addresses
172.16.0.0/12, that is 16 * 256 * 256 addresses, 1 048 576
192.168.0.0/16, that is 256 * 256 addresses, 65 536.

That gives us a total sum of 17 891 328 available addresses. That´s a lot, isnt it?

But what if you get yourself a nice little pool of ipv6-addresses? For various reasons we can be pretty sure that you will get a /48 network from your ISP. Then you will probably divide this into one or many /64-networks on your internal LAN. So, how many addresses are there available?

First of all, dividing that /48-range into /64-subnets will give you 65536 different available networks. Next, an ipv6-address is 128 bits long. With 64 bits for specifying the network part you will have 64 bits left for addressing each individual host on your internal network. And 64 bits gives us 18446744073709551616 unique combinations. So that is how many addresses you have available in each subnet when using ipv6.

So, if you see it as a security benefit to hide your sensitive servers addresses, which do you prefer? ipv4 or ipv6?

If a hacker would portscan your ipv6-range, how long will it take? Lets assume that he scans 100 addresses per second, then it will take him 5 849 424 173 years(*). And that should be compared to the 50 hours it will take to port scan all private ipv4-addresses mentioned above.

And besides. That attack would probably be performed from internet. How many public ipv4-addresses do you have? It will be enough to portscan them. 100 addresses per seconds, you do the math. 🙂

/Jimmy

Tagged with: Ipv6, security
Posted in Cisco Security

Leave a Reply Cancel reply

Cisco ASA hairpinning

Cisco Pix/ASA hairpinning The term hairpinning comes from the fact that the traffic comes from one source into a router or similar devices, makes a U-turn and goes back the same way it came. Visualize this and you see something that looks like a hairpin. Hairpinning is only relevant when the firewall is in routed mode since the "turnaround" of Continue Reading →

Cisco ASA Anyconnect licensing for dummies, updated!

The picture below should be self-explaining. Click it for a larger version. Edit 2014: There was some errors in the logics around AEA-licenses. The picture below is now corrected. Please do not use the old version (v1.1). Let me explain this. First of all, Advanced Endpoint Assessment (AEA) is a feature where you can do advanced posture checks Continue Reading →

Private ipv4 addresses as a security reason not to convert to ipv6?

Leave a Reply Cancel reply

New posts

Popular Posts

Signuppp

Private ipv4 addresses as a security reason not to convert to ipv6?

Leave a Reply Cancel reply

New posts

Popular Posts

Tags

Signuppp