On the Practical Feasibility of Ping Sweeping IPv6 Networks

The IPv6 address space is huge. On paper each IPv6 subnet (a /64) supports 2^64, or more than 18.4 quintillion, host IDs (millions, billions, trillions, quadrillions and then quintillions). It's an amazingly large number. By every conceivable measure today we can't contemplate a situation where anything but the tiniest portion of that address space will actually be utilized. Assuming you never have more than a few hundred nodes on each local segment (a common and best practice with today's technologies) and that those nodes generate their host IDs randomly, your nodes' addresses are effectively hidden within the total number of possibilities. Actually finding one of them with an ICMPv6 ping sweep becomes almost impossible. We are no longer talking about playing the networking equivalent of Where's Waldo? (that would be easy). This is something completely different.

If your nodes randomly generate their host ID (interface identifier) and do not derive it from the MAC address, an attacker has a full 64 bits to guess. If the host ID is built from the 48-bit MAC address (modified EUI-64), the picture is far worse than 48 bits of randomness: the 16-bit marker 0xFFFE is inserted between the upper and lower halves of the MAC (it occupies the 89th through 104th bits of the 128-bit address, and the universal/local bit in the first octet is flipped), the first 24 bits of the MAC are the vendor's OUI, which an attacker can look up or guess, and the remaining 24 bits are frequently assigned sequentially. For a known OUI the realistic search space per vendor is therefore only 2^24 addresses. Newer versions of Microsoft Windows (Vista and later) randomly generate their entire 64-bit host ID. Most Linux distros with which I am familiar (Ubuntu is my daily desktop) still use the MAC address. And my MacBook, which runs OS X (10.6.7), also still uses the MAC address. My iPhone 3GS (ver. 4.0.1) and my iPad (ver. 3.2.1) are also using FFFE.
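To make the MAC-derived case concrete, here is an added Python example (my own, not code from the post) that builds the modified EUI-64 host ID from a MAC address, locates the 0xFFFE marker within the 128-bit address, recovers the MAC from such an address, and reports how many bits an attacker actually has to guess. The MAC address and the 2001:db8::/32 documentation prefix are constructed sample values.

```python
"""Modified EUI-64 interface identifiers (added example, not the post's own code).

Shows how a MAC address is expanded into a 64-bit interface identifier (IID),
where 0xFFFE lands inside the 128-bit address, how an observer recovers the MAC
(and vendor OUI) from such an address, and how much of the IID is actually
guessable. The MAC and prefix used below are constructed sample values.
"""
import ipaddress
from typing import Tuple

FFFE = b"\xff\xfe"


def mac_to_modified_eui64(mac: str) -> bytes:
    """Expand a 48-bit MAC into the 8-byte modified EUI-64 IID used by SLAAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + FFFE + octets[3:])   # OUI | FF FE | NIC-specific part
    iid[0] ^= 0x02                                    # flip the universal/local bit
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 IID derived from `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def is_eui64_derived(addr) -> bool:
    """True if IID bits 25-40 (address bits 89-104, counting from 1) are 0xFFFE."""
    iid = int(ipaddress.IPv6Address(str(addr))) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def eui64_to_mac(addr) -> str:
    """Recover the MAC address embedded in an EUI-64 derived IPv6 address."""
    if not is_eui64_derived(addr):
        raise ValueError("address does not carry an FFFE marker")
    iid = bytearray(ipaddress.IPv6Address(str(addr)).packed[8:])
    iid[0] ^= 0x02                                    # undo the universal/local flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def fffe_bit_positions() -> Tuple[int, int]:
    """1-indexed, inclusive span of 0xFFFE in the 128-bit address:
    64 prefix bits, then 24 OUI bits, then the 16 marker bits."""
    first = 64 + 24 + 1
    return first, first + 15


def guessable_iid_bits(addr, oui_known: bool = True) -> int:
    """Bits an attacker must brute force. Random IIDs: 64. EUI-64 with a known
    (or guessed) vendor OUI: only the 24 NIC-specific bits; unknown OUI: 48."""
    if not is_eui64_derived(addr):
        return 64
    return 24 if oui_known else 48


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                          # constructed sample MAC
    addr = slaac_address("2001:db8:1:2::/64", mac)      # documentation prefix
    print(addr)                                         # 2001:db8:1:2:21a:2bff:fe3c:4d5e
    print(fffe_bit_positions(), eui64_to_mac(addr), guessable_iid_bits(addr))
```

Run it and the printed address shows the OUI (with the second hex digit of the first group changed by the U/L flip), then ff:fe, then the rest of the MAC; `eui64_to_mac` is exactly what a scanner does to decide which OUI to iterate over.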

Assuming that addresses are not statically configured (or assigned in a linear fashion by a DHCP server), the likelihood that someone will ever enumerate the nodes on your network is incredibly small. This is discussed in detail in RFC 5157 (IPv6 Implications for Network Scanning) and in a nice piece written by Sean Convery and Darrin Miller. By most measures this suggests that ping sweeping as we know it will become a thing of the past. Does this mean that security folk can or should stop blocking ICMP traffic at key points in their networks? That's highly debatable. Path MTU Discovery (PMTUD) and the implications it has on packet size are more important considerations for that particular discussion: IPv6 routers do not fragment packets, so a firewall that drops the ICMPv6 Packet Too Big messages PMTUD relies on will silently break connectivity. I will save that for another day.

If you take the time to read RFC 5157 or the Convery/Miller piece you will see that it is expected to take an incredibly long time to enumerate the nodes on a network. Convery and Miller offer scenarios that illustrate how an uber-aggressive sweep using tools that don't yet exist will still take dozens of decades to complete (to exhaust 2^64 addresses in fifty years you would need to sustain roughly 11.7 billion probes per second). RFC 5157 works the numbers for a much less motivated sweeper: at a million probes per second a single /64 still takes over 500,000 years to exhaust. Both figures assume random host IDs; if your nodes use MAC-derived (EUI-64) host IDs, the search space per vendor OUI collapses to 2^24 and the years become seconds. But how about you and your network? Wanna' see how long it will take for your situation? Well, I have made a simple spreadsheet that will let you fiddle with the numbers so you can see just how long it is going to take to ping sweep each of your IPv6 network segments. Here it is:

[Embedded spreadsheet: Calculating Practical Feasibility of Scanning IPv6 Subnets]
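The same arithmetic the spreadsheet does, as an added Python example (mine, not the author's spreadsheet) so you can fiddle with the numbers without a spreadsheet: how long a full sweep of one /64 takes, how long until a sweep stumbles on the first of your hosts, the probe rate needed to finish in a given number of years, and what happens when the host IDs are EUI-64 derived and the attacker only has to iterate over a handful of vendor OUIs. The host count and probe rates are constructed inputs, not measurements.

```python
"""Time to ping sweep a /64 (added example, not the post's spreadsheet).

Everything here is plain arithmetic on the size of the interface identifier
(IID) search space and a probe rate. The host count and rates used in
`scenarios` are constructed inputs.
"""
from typing import Dict

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(iid_bits: int) -> int:
    """Candidate addresses in one /64 when `iid_bits` of the IID are unknown."""
    return 1 << iid_bits


def full_sweep_years(iid_bits: int, probes_per_second: float) -> float:
    """Years needed to probe every candidate address once."""
    return search_space(iid_bits) / probes_per_second / SECONDS_PER_YEAR


def expected_first_hit_years(iid_bits: int, hosts: int, probes_per_second: float) -> float:
    """Expected years until a linear sweep hits *any* of `hosts` nodes whose IIDs
    are uniformly random and distinct: the first of n hosts among N slots sits,
    on average, (N + 1) / (n + 1) probes into the sweep."""
    if hosts < 1:
        raise ValueError("need at least one host on the segment")
    probes = (search_space(iid_bits) + 1) / (hosts + 1)
    return probes / probes_per_second / SECONDS_PER_YEAR


def rate_to_finish_in(iid_bits: int, years: float) -> float:
    """Probes per second needed to exhaust the space within `years`."""
    return search_space(iid_bits) / (years * SECONDS_PER_YEAR)


def eui64_sweep_years(candidate_ouis: int, probes_per_second: float) -> float:
    """Full sweep when IIDs are EUI-64 derived and the attacker tries each of
    `candidate_ouis` vendor prefixes: 2^24 NIC-specific values per OUI."""
    return candidate_ouis * search_space(24) / probes_per_second / SECONDS_PER_YEAR


def scenarios(hosts: int = 300, probes_per_second: float = 1_000_000) -> Dict[str, float]:
    """The cases the post discusses, in years, for a single /64."""
    return {
        "random IID, full sweep": full_sweep_years(64, probes_per_second),
        "random IID, first hit": expected_first_hit_years(64, hosts, probes_per_second),
        "EUI-64, unknown OUI, full sweep": full_sweep_years(48, probes_per_second),
        "EUI-64, known OUI, full sweep": full_sweep_years(24, probes_per_second),
        "EUI-64, 100 candidate OUIs": eui64_sweep_years(100, probes_per_second),
    }


if __name__ == "__main__":
    for name, years in scenarios().items():
        print(f"{name:34s} {years:>18.6g} years")
    print(f"rate to finish a random /64 in 50 years: {rate_to_finish_in(64, 50):.3g} probes/s")
```

With the defaults (300 hosts, a million probes per second) the random-IID full sweep comes out a little under 585,000 years and the first hit around 1,900 years, while a known-OUI EUI-64 segment falls in under 17 seconds. That last row is the one to keep in mind when reading the spreadsheet: its reassuring numbers only hold for randomly generated host IDs.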

Enjoy!

Colin Weaver

About the Author

Colin Weaver

Colin Weaver is co-owner and lead instructor at ITdojo, Inc., a network security and information assurance training center and consulting firm located in Virginia Beach, VA. His passion for technology, networks, and security has led him to become enthralled with the idea of IPv6 and its implementation. In this blog he will share with you glimpses of what he has learned and a hint at what you’ll learn in his classes.