IPv6�A�h��X�X�L��U��

2020/6/25-1

IPv4�ł́A�A�h��X�X�L��U��|�[�g�X�L��U��͓��I�ɍs��Ă��܂��B �t�@�C�A�E�H�[��Ȃ��̏�ԂŃO��[�o��IPv4�A�h��X�ɐڑ��Ă��΁A��ɍU��ϑ��ł��܂��B

IPv6�ł��A�h��X�X�L��U��͔��Ă��܂��B��̉Ƃ̃l�b�g��[�N�ł��AIPv6�ł̃A�h��X�X�L��_��Ɛ��g��t�B�b�N��ȒP�Ɋϑ��ł��܂��B ��A��܂̂Ƃ��A��̉Ƃł́A��ۂɗ��p��Ă��IPv6�A�h��X��O��甭��ł��Ă��悤�ȃX�L��̌`�Ղ𔭌��ł��Ă��炸�A��ɃX�e�[�g�t��DHCPv6��蓮�ݒ�ł�IPv6�A�h��X��T��Ă��悤�Ɍ��܂��B ��͂�AIPv4�Ɣ�ׂ�ƁAIPv6�̕��IPv6�A�h��X�X�L��U��̓�Փx�͍��̂��낤�Ǝv��܂��B

�Ƃ��ƂŁAIPv6�ł̃A�h��X�X�L��U��A��̑��@�ɂ��āA�ғ��Ă��IPv6�A�h��X��ǂ̂悤�ɒT��̂��Ɋւ��ĉ��Ă��RFC 7707��Љ�܂��B

��̋L��̗��́A��̂悤�ɂȂ��Ă��܂��B

/64�ɑ΂��IPv6�A�h��X�X�L��U��
RFC 7707
IPv6�A�h��X�X�L��U��ɂ��Neighbor�L��b�V��

��̋L��́AYouTube�Ɍf�ڂ��Ɠ��e�ł��B

/64�ɑ΂��IPv6�A�h��X�X�L��U��

�܂��A�Ȃ��IPv6�̕��U��Փx��Ȃ邩�ł��AIPv6�́AIPv4�Ɣ�ׂ�ƁA�T�u�l�b�g�Ƃ��Ďg��IPv6�A�h��X��Ԃ��L�傾��ł��B 128�r�b�g��IPv6�A�h��X�́A�ʏ�́A��64�r�b�g��T�u�l�b�g�v��t�B�b�N�X�Ƃ��A��64�r�b�g��C��^�[�t�F�[�X��ʎq�Ƃ��Ĉ��܂��B /64�̃l�b�g��[�N�v��t�B�b�N�X�ŃT�u�l�b�g��^�p��Ă��킯�ł��B

��ɂ��āAIPv6�ł̂��̃T�u�l�b�g��2��64��IPv6�A�h��X��ԂɂȂ�܂��B IPv4�A�h��X��32�r�b�g�ł��AIPv6�̓T�u�l�b�g��Ŕ{�̃r�b�g��64�r�b�g�ł��B ��́AIPv4�C��^�[�l�b�g�S�̂̃A�h��X��Ԃ̖�43��{�̃A�h��X��Ԃ��AIPv6�ł̓T�u�l�b�g��Ŏg��Ă��Ƃ��Ƃł��B

��Ƃ��΁A��[�^1��ɑ΂��ăp�\�R��1��݂̂��ڑ��ꂽIPv6�T�u�l�b�g��Ƃ��܂��B �p�\�R��ɐݒ肳��Ă��O��[�o��IPv6�A�h��X��1��ꍇ�A�O��牽�̃q��g��Ȃ��ԂŃA�h��X�X�L��U��ꍇ�AIPv4�C��^�[�l�b�g�S�̂�43��{�̃A�h��X��Ԃ̒��p�\�R��1��Ŏg��Ă��O��[�o��IPv6�A�h��X��T��ƂɂȂ�킯�ł��B

��̂悤�ɁAIPv6�ł́A�A�N�e�B�u��IPv6�A�h��X�𔭌��̂��AIPv4�Ɣ�ׂĔ��ɑ�ςł��B ��̂��߁A�O��IP�A�h��X�X�L��U��AIPv4��AIPv6�̕��Ȃ�܂��B

��̌��̈��͍U��𐬌��Փx��㏸��Ƃ��_��܂��A��ɁANDP�ւ�DoS�U��ɂȂ�\��Ƃ��_��܂��B NDP�ւ�DoS�U��Ɋւ��ẮA�㔼�ɉ��܂��B

RFC 7707

RFC 7707�́AIPv6�A�h��X�X�L��U��Ȃǂɂ��āA�O��̃A�N�e�B�u��IPv6�A�h��X��T��@�ȂǂɊւ��Ę_��Ă��܂��B

RFC 7707�̃^�C�g��́A�uNetwork Reconnaissance in IPv6 Networks�v�ł��AReconnaissance�Ƃ��p�P��͒�@�A��A�\��Ȃǂ̈Ӗ��p�P��ł��B ��̍U��̂��߂̒�@��A�z��^�C�g��ƌ��ł��B

�Ȃ��ARFC 7707�ł́Aing��uIPv6 address scanning�v�ɂȂ��Ă��܂��A��̋L��ł́uIPv6�A�h��X�X�L��v�ƕ\��Ă��܂��B

��āARFC 7707�ł́A�ȉ��̂悤�ȕ��͂��܂��B

significantly lower IPv6 host density is likely to make classic network address-scanning attacks less feasible, since even by applying various heuristics, the address space to be scanned remains very large.

�i��jIPv6�z�X�g��T�u�l�b�g��Ɋ܂܂�閧�x��Ⴂ��߁A�Â��@�ł̃A�h��X�X�L��U��ɂ��ʂ͒Ⴍ�Ȃ��Ă��B�l�X�ȃq��[��X�e�B�N�X��p��Ƃ��Ă��A�X�L��s��A�h��X��Ԃ͔��ɑ傫��B

�v�́AIPv4�Ɣ�ׂăT�u�l�b�g�̃A�h��X��Ԃ��L��IPv6�ł́AIPv4�Ɠ��l�̕��@�ŃA�h��X�X�L��s��Ƃ͊ȒP�ł͂Ȃ��A�Ƃ��Ƃł��B

��ARFC 7707�ł́A�ȉ��̂悤�ɂ��Ă��܂��B

�i��jIPv6�ł́A�A�h��X�X�L��U��ɂ��ʂ��Ⴍ�Ȃ��Ă��̂́A�K�؂ȃq��[��X�e�B�N�X�ɂ��Ă͉\�ł��

RFC 7707�́A�ȉ��̓��e�Ȃǂ��Љ�Ă��܂��B

IPv6�A�h��X�Ƃ��Ăǂ̂悤�Ȓl��ݒ肳��̂�
��u��̃A�h��X�X�L��
��[�J��l�b�g��[�N��̃A�h��X�X�L��
�A�h��X�X�L��s��߂̊��c�[��
IPv6�A�h��X�X�L��U��ɑ΂��ɘa��

�܂��AIPv6�A�h��X�Ƃ��Ăǂ̂悤�Ȓl��ݒ肳��邩�A�ł��A��m�邱�ƂŁAIPv6�A�h��X�X�L��s��ΏۂƂȂ�A�h��X��Ԃ��i�荞�ނ��Ƃ��\�ƂȂ�ꍇ��܂��B

IPv6�A�h��X��ݒ�̕��@�ɂ�2��ނ��܂��B SLAAC��K�{�Ƃ��Ă��ADHCPv6�̓I�v�V��i��ł��A��Ƃ��Ă��V�X�e��܂��B ��L��ނ�IPv6�A�h��X�̐ݒ��@�Ɋւ��̂Ȃ̂ŁAIPv6�A�h��X�ݒ��SLAAC�ōs��X�e�[�g��XDHCPv6��A��ނƂ��Ă�SLAAC�ɓ��܂��B ��L�_�_�ł�DHCPv6�́A�X�e�[�g�t��DHCPv6�ł��B

SLAAC�A�X�e�[�g�t��ƃX�e�[�g��X��DHCPv6�Ɋւ��鑍�_�́A�ȑO��ȉ��̓��B

�܂��ASLAAC�̏ꍇ��Љ�܂��B

SLAAC��Modified EUI-64��IPv6�A�h��X�ɗ��p��ꍇ�ɂ͏��6�r�b�g�߂ɂ��universal/local�r�b�g�� 1�ɂȂ邱�ƁA48�r�b�g��MAC�A�h��X�ŁAOUI�Ǝc��̃r�b�g�̊Ԃ�0xfffe��}��邱�ƂȂǂ𗘗p��āA�A�h��X�X�L��s��Ώۂ��i�荞�߂�Ƃ��Ă��܂��B

�܂��AMAC�A�h��X��ɂ��Modified EUI-64��IPv6�A�h��X��Ă��āA��A�l�b�g��[�N�C��^�[�t�F�[�X�̃x��_�[��炩��߂킩��Ă��ꍇ�A�A�h��X�X�L��s��ΏۂƂȂ�A�h��X��Ԃ́A64�r�b�g�ł͂Ȃ�24�r�b�g�܂Ō��RFC 7707�ɂ��܂��B

MAC�A�h��X��ɂ��C��^�[�t�F�[�X��ʎq��̃o��G�[�V��̂ЂƂƂ��l��܂��A�X�L��Ώۂ��z��Z�p�𗘗p��Ă��A��MAC�A�h��X��ɂ��Modified EUI-64��IPv6�A�h��X��Ă��邱�Ƃ��炩��߂킩��Ă��ꍇ�A�A�h��X�X�L��s��ΏۂƂȂ�A�h��X��Ԃ�傫��i�荞�߂�\��܂��B

��ɁA�A�h��X�X�L��Ώۂ��T�[�o��z��Z�p��g��Ă��ꍇ�AOUI�Ƃ��ė��p��x��_�[��x�܂ōi�荞�߂�ꍇ��܂��B

RFC 7707�ł́AVirtualBox�AVMWare ESX Server�AVMWare vSphere�ŗ��p��Ă��OUI�ƂƂ��ɁAMAC�A�h��X�̎��@��Љ��Ă��܂��B

VirtualBox�̏ꍇ�AOUI�� 08:00:27 ��MAC�A�h��X��邽�߁A�C��^�[�t�F�[�X��ʎq�ł��IPv6�A�h��X�̉��64�r�b�g�́Aa00:27ff:feXX:XXXX �ɂȂ�܂��B �A�h��X�X�L��s��Ƃ��A��̃o�c��24�r�b�g��ɑ΂��čs��ƂɂȂ邽�߁A64�r�b�g��24�r�b�g�ւƍi�荞�߂�킯�ł��B

VMware ESX Server�̃o�[�W��1.0��2.5��MAC�A�h��X��ꍇ�AOUI�� 00:05:69 �ƂȂ�A��16�r�b�g�̓R��\�[��I�y��[�e�B��O�V�X�e��̃v��C�}��IPv4�A�h��X�̉��16�r�b�g�Ɠ��̂ɂȂ�A�Ō��8�r�b�g��VM�̐ݒ�t�@�C��̖��O�ɑ΂��n�b�V��l�ɂȂ邽�߁A�󋵂ɂ��ẮA�A�h��X�X�L��s��Ώۂ̃A�h��X��Ԃ�64�r�b�g��8�r�b�g�܂ōi�荞�߂��RFC 7707�ɏ��Ă��܂��B

��̑��ɁAVMWare ESX Server��MAC�A�h��X��蓮�ݒ肷��ꍇ��AVMware vSphere��MAC�A�h��X��ݒ肳��ꍇ�ƁA�蓮�ݒ肳��ꍇ�ɁA�ǂ̂悤�Ȓl�ɂȂ�̂��ARFC 7707�ɏ��Ă��̂ŁA��̂��邩��́A��A��B

�X�e�[�g�t��DHCPv6��蓮�ݒ�ł��Ƃ��΁A2001:db8::1 �̂悤�ɃC��^�[�t�F�[�X��ʎq�̏�ʃr�b�g�̑��0�Ƃ��ݒ肪��ƂȂǂ��A�X�L��Ώۂ̃A�h��X��i�荞�ނ̂ɗ��p�ł��A��RFC 7707�ŏЉ��Ă��܂��B

��̉Ƃɗ��Ă��IPv6�A�h��X�X�L��U��ώ@��Ƃ��A�C��^�[�t�F�[�X��ʎq�̏��48�r�b�g��0��A��悤�ȃA�h��X��W��X�L��Ɠ��ɁA��48�r�b�g��1��A��悤�ȃA�h��X��W�ɑ΂��X�L��s��Ă��܂��B


2001:db8::1 - 2001:db8::ffff
2001:db8::ffff:ffff:ffff:1 - 2001:db8:ffff:ffff:ffff:ffff

RFC 7707�ł́A�O��l�b�g��[�N��̃A�h��X�X�L��U��ł́Atemporary IPv6�A�h��X��p��Ă��ꍇ�ł��Ă�stable�A�h��X��ݒ肳��邽�߁Astable�A�h��X��MAC�A�h��X��琶��Ă��ꍇ�ɂ́Atemporary IPv6�A�h��X��g��Ă��邱�Ƃɂ��āAModified EUI-64��̐��ɑ΂��΍�ɂȂ�킯�ł͂Ȃ��Ƃ��Ă��܂��B

��IPv6�A�h��X��ЂƂ̃l�b�g��[�N�C��^�[�t�F�[�X�� ݒ肳��̂́Atemporary IPv6�A�h��X��ł͂��܂��B

��Ƃ��΁ARA��Managed Address configuration�t��O��Other configuration�t��O�̗��1�ɂȂ��Ă��ꍇ�A�X�e�[�g�t��DHCPv6��SLAAC�̗��IPv6�A�h��X��ݒ肳��邱�Ƃ��܂��B

RA�Ɋ܂܂��t��O�Ɋւ��ẮA��́A�ȑO��RA�̉��B

�X�e�[�g�t��DHCPv6�T�[�o�̐ݒ�ɂ��Ă͊O��琄��₷��IPv6�A�h��X��ݒ肳��Ă��܂��ꍇ��܂��B

��قǏЉ��A��̉Ƃɑ΂��A�h��X�X�L��U��A��炭�A�X�e�[�g�t��DHCPv6�ɂ��Đݒ肳�ꂽIPv6�A�h��X��_��Ă��Ǝv��܂��B

��̂悤�ɁARFC 7217�̕��@��Modified EUI-64��g�킸��stable��IPv6�A�h��X��ݒ肵��Ƃ��Ă��A�O��甭��₷��l��X�e�[�g�t��DHCPv6�ɂ��ē��ɐݒ肳��Ă��܂��ꍇ��킯�ł��B ��u��IPv6�A�h��X�X�L��U��́A�z�X�g�ɐݒ肳�ꂽ�O��[�o��IPv6�A�h��X��ǂꂩ�ЂƂ��ł��Ηǂ��Ƃ��l��̂ŁAMAC�A�h��X��ɂ��IPv6�A�h��X��Ȃ��Ƃ��Ă��A��48�r�b�g��S��[��IPv6�A�h��X��ɐݒ肵�Ă��΁A�O��琄��Ă��܂��ꂪ��Ȃ��Ă��܂��܂��B

RA��Managed Address configuration�t��O��Other configuration�t��O�̗��1�ɂȂ��Ă��́A��Ɛg�߂ɂ��̂ŁA��邩��͐��񂨎茳�̊��Ŋm�F��Ă݂Ă��B RA��wireshark�Ŋm�F��Ă��ǂ��ł��Aipconfig�Aifconfig�Aip�Ȃǂ̃R�}��h��g��āA�l�b�g��[�N�C��^�[�t�F�[�X�ɐݒ肳�ꂽIPv6�A�h��X�̐��Ɠ��e��`�F�b�N��邱�Ƃł��킩��܂��B

RFC 7707�ł́AIPv6�A�h��X�Ƃ��Đݒ肳��l�Ɋւ��Љ��s�Ȃ��ŁA��u��̃A�h��X�X�L��U��s��ɁA�X�L��Ώۂ��i�荞�ނ��߂ɗ��p��邱�Ƃ��\�ł��邱�Ƃ��Љ�Ă��܂��B

�܂��A��u��̃A�h��X�X�L��U��Neighbor�L��b�V��ւ�DoS�U��ɂȂ�ꍇ��邱�Ƃ��Љ�Ă��܂��B

��[�J��l�b�g��[�N��̃A�h��X�X�L��

��[�J��l�b�g��[�N�ł̃A�h��X�X�L��ł��΁A�S�m�[�h��N��[�J��}��`�L��X�g�A�h��X�ł�� ff02::1 �ɑ΂��ICMPv6 Echo��N�G�X�g�𑗂�Ƃ��@��܂��B

��Aff02::1�ɑ΂��ICMPv6 Echo��N�G�X�g�ɂ��ē��̂́A��N��[�J��A�h��X�ł��邱�Ƃ�AWindows�V�X�e��}��`�L��X�g�ɑ΂��ICMPv6 Echo��N�G�X�g�ɉ񓚂��Ȃ��ƂȂǂ�RFC 7707�ŏЉ��Ă��܂��B

��̑��AIPv6�A�h��X�𔭌��@

RFC 7707�́AIPv6�A�h��X�X�L��U��ȊO�ɂ��A�A�N�e�B�u��IPv6�A�h��X�𔭌��@�� Љ�Ă��܂��B

��Ƃ��΁A�ȉ��̎�@��Љ��Ă��܂��B

DNS�ɓo�^��ꂽ��̂�T��
��J��ꂽ��[��A�[�J�C�u��T��
P2P�A�v��P�[�V��擾��
�l�C�o�[�L��b�V��⃋�[�e�B��O�e�[�u��擾��
SNMP��擾��
�g��t�B�b�N�X�k�[�s��O
traceroute6�Ń��[�^�Ȃǂ�IPv6�A�h��X��擾��

�Ȃ��ɂ́A�^�[�Q�b�g�Ɠ��T�u�l�b�g�ւ̃A�N�Z�X��K�v��A��̃A�N�Z�X��K�v�ƂȂ�悤�Ȃ��̂��܂��A��낢��ȕ��@��ƏЉ��Ă��̂ŁA��邩��RFC 7707��񂭂��B

Mitigations

RFC 7707�̍Ō�̂ق��ŁAIPv6�A�h��X�X�L��ɑ΂��~�e�B�Q�[�V��imitigations/�ɘa��j��Љ��Ă��܂��B

IPv6�p�P�b�g�ɑ΂��t�B��^��ݒ�ł��ꏊ��΁A��ݒ肷�邱�Ƃ�AMAC�A�h��X��ɂ��IPv6�A�h��X��s��Ȃ��ƁA�o�[�`��}�V��ł͐��₷��MAC�A�h��X��邽�߂�MAC�A�h��X��蓮�ݒ肷�邱�ƂȂǂ��Ă��܂��B RFC 8064�ɂ��āAMAC�A�h��X��ɂ��IPv6�A�h��X��񐄏��ɂȂ�܂��A�O��̃A�h��X�X�L��ɗ��p�ł��邱�Ƃ��A�񐄏��ƂȂ��R�̂ЂƂł��B

��ARFC 7707�ł́A�ȉ��̂悤�ɁAIPv6�A�h��X�X�L��ɑ΂��~�e�B�Q�[�V��́A��ǂ��ǁA�K��ŗD��Ƃ܂ł͌��Ȃ��ꍇ��Ƃ��Ă��܂��B

there are scenarios in which mitigation of some address-scanning vectors is unlikely to be a high priority

�i��j��̃A�h��X�X�L��@�ɑ΂��~�e�B�Q�[�V��́A�D��x��Ȃ��Ɛ��ꍇ��܂��B

��ɁA�킩��ɂ��邱�Ƃɂ��Z�L��e�B�́A��ꎩ�g��h��Ƃ��킯�ł͂Ȃ��A�Ƃ��Ă��܂��B

�i��j��ɂ��邱�Ƃɂ��Z�L��e�B��̂��̂́A�h�䂻�̂��̂Ƃ��ĈӖ��킯�ł͂Ȃ��Ƃ��_�͖Y��ׂ��ł͂Ȃ�

�B��Ă킩��ɂ��邱�Ƃ́A�Z�L��e�B��ɂ��A�h��w�̂ЂƂł��Ȃ��A�Ƃ��킯�ł��B

IPv6�A�h��X�X�L��U��ɂ��Neighbor�L��b�V��

RFC 7707�ł́A�A�h��X�X�L��U��[��[�^�ւ�DoS�U��ɂȂ�ꍇ��Ƃ��p��IPv6�ł͑��݂��Ă��Ƃ��Ă��܂��B ��́AIPv6�ŗL�̖��ŁAIPv4�ł́A�N��Ȃ��ł��B

��̖��́ARFC 6583�ŏڂ��Ă��܂��A��̋L��ł́A��ƊT�v��āA�ڍׂ͊��܂��B

�܂��ANeighbor�L��b�V��ł��AIPv6�ł́AIPv6�A�h��X�ƃ��N�w�A�h��X�̑Ή��Â��f�[�^��Neighbor�L��b�V��ƌĂт܂��B ��[�^��IP�p�P�b�g��]��Ƃ��ɁANeighbor�L��b�V��K�v�ɂȂ�܂��B

��[�U��ڑ��Ă��T�u�l�b�g��\��Ă��閖�[��[�^��IPv6�A�h��X�X�L��ړI�̃p�P�b�g��󂯎��Ƃ��Ă܂��B �N��p��Ă��Ȃ�IPv6�A�h��X��Ƃ��p�P�b�g��󂯎��[��[�^�́A��̈��IPv6�A�h��X�Ɋ֘A��Neighbor�L��b�V��Ă��Ȃ��̂ŁA��N�w�A�h��X��邽�߂̃v��Z�X��J�n��܂��B ��̂Ƃ��AINCOMPLETE(�s��S)�Ƃ��X�e�[�g��Neighbor�L��b�V��܂��B

��A��[��[�^��s�Ȃ��Ă��A�h��X��́A��݂��Ȃ�IPv6�A�h��X�ɑ΂��ĂȂ̂ŁA��̃��N�w�A�h��X��邱�Ƃ͂��܂��B IPv6�A�h��X�X�L��U��́A��݂��IPv6�A�h��X��T��߂ɁA��݂��Ȃ��ʂ�IPv6�A�h��X��Ẵp�P�b�g�𑗐M��܂��̂ŁA��[��[�^�ł́A��݂��Ȃ�IPv6�A�h��X�ɑΉ��郊��N�w�A�h��X�̉��v��Z�X��ʂɑ��邱�ƂɂȂ�܂��B ��ɂ��A��[��[�^��NDP��ɓ��삵�Ȃ��Ȃ��Ă��܂��Ƃ��肪��邱�Ƃ��܂��B

RFC 6583�ł́A��\��Ⴂ�R��s��[�^��nmap��4�Z�b�V��s��ƂŁA��[��[�^�ł�NDP�𗘗p�s�\�Ɋׂ点�A��̖��[��[�^��T�[�r�X��񋟂��Ă��T�u�l�b�g�ւ̓��B��Ȃ��Ȃ��Ă��܂��Ƃ��܂��B

��̂悤�ɁAIPv6�A�h��X�X�L��NDP�ւ�DoS�U��ɂȂ��Ă��܂��Ƃ��肪��܂��B

�Ō��

�ȏオ�AIPv6�ł̃A�h��X�X�L��U��Ɋւ��Ăł��B

IPv6��IPv4�́A��ړI�Ȍ݊��Ȃ��قȂ�v��g�R��ł��AIP�A�h��X�X�L��U��̎�@��e��ł��AIPv6��IPv4�̈Ⴂ��o��Ƃ��̂́A��ɋ��[��ƌl�I�ɍl��Ă��܂��B

�ŋ߂̃G��g��

�ߋ��L��

�ߋ��L��ꗗ

��IPv6��(488�y�[�W)�𖳗��z�z��܂��I

IPv6�A�h���X�X�L�����U��

/64�ɑ΂���IPv6�A�h���X�X�L�����U��

RFC 7707

���[�J���l�b�g���[�N����̃A�h���X�X�L����

���̑��AIPv6�A�h���X�𔭌������@

Mitigations

IPv6�A�h���X�X�L�����U���ɂ��Neighbor�L���b�V�������