On Wed, 20 Oct 2004, Suresh Krishnan wrote:
> >Has the protection from your ISPs and federal agencies etc. really
> >been the requirement/goal from the start?
>
> On-path does not have to be FBI/NSA or ISPs. It can be anyone on an
> upstream network (even in the same organization as the user). I would
> assume if the FBI/NSA or the ISPs wanted to intercept they could do
> so at the layer 2 connection to the provider. Do you want me to add a
> statement about lawful intercept still being possible?
It doesn't need to be about lawful intercept, but I'd add something
about the power of being on the path, maybe like:
o An attacker who is in the path between the node in question and
the peer(s) it is communicating to, and can view the IPv6
addresses present in the datagrams.
However, note that such on the path
attacks are likely able to perform significant correlation
even with RFC 3041 addresses especially if the payloads are not
encrypted.
> >As far as I can see, it's exactly the opposite -- privacy extensions
> >should not be enabled by default for ULAs.
>
> This is already the case. Privacy extensions are disabled by default for
> ALL types of global addresses (including the ULA).
Yes, it's not default -- but what I want to have is being able to
distinguish between "enabling privacy for all prefixes" and "enabling
privacy for global range prefixes".
I.e., the implementations, when privacy is enabled, should not start
using privacy extensions by default for ULA addresses, but doing so
might be configurable.
I think that would be in line with most ULA users' goals.. too bad
it's relatively difficult to unambugously say what those global,
non-ULA addresses should be called..
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
