Comment at the end.

John Spence wrote:

So, let me revise my comment, focusing on requirements.

I would like the capability to have an interface construct a link-local
address via some mechanism (EUI-64 from MAC, as an example) as normal,
then configure a privacy address, all without autoconfiguring a
global-scope address from the RA being sent on the subnet (there would
be no valid or preferred global-scope addresses containing the MAC).
This interface would be harder to scan for from off-link, since the only
valid global-scope address would be a privacy address - no
autoconfigured address embedding FFFE or a small set of OUIs (there are
probably only a few hundred OUIs really in wide deployment) would be
configured on the interface.

This could be accomplished, I think, by allowing the node to passively
listen to RAs, to learn the valid /64 prefixes assigned to the link, and
then global-scope privacy addresses could be configured.  Perhaps the
node could allow a configuration option like "USE_PRIVACY_ONLY=yes".
Other interfaces on other nodes on the subnet could use
autoconfiguration, either with or without privacy addresses, as desired.

The result would be a privacy address that not only protected my privacy
for outbound sessions, but improved my stealthiness from off-link
attackers as well.

This is not supported today, I do not believe, but I think it would be a
valuable tool for administrators to have.  What is your opinion?

This sounds remarkably like you are trying to recreate RFC1918 addresses to me or to mimic NAT, both of which are (currently) being kept out of IPv6. Please see the draft IPv6 Network Architecture Protection, http://www.ietf.org/internet-drafts/draft-ietf-v6ops-nap-03.txt, for an explanation as to why these are not encouraged in IPv6.

Eric

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
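The address behaviour John describes above (EUI-64 addresses embedding the MAC with FFFE, versus a randomly generated privacy address under the same RA-learned /64, with a USE_PRIVACY_ONLY-style switch), as an added example that is not part of the thread. The MAC, prefixes and function names are constructed for illustration; `embedded_mac` is the audit check an administrator would run to see which configured addresses leak a MAC.

```python
import ipaddress
import secrets

# Constructed sample MAC (not from the thread).
MAC = "00:1b:21:3c:4d:5e"

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 4291 App. A): flip the U/L bit
    of the first octet and insert 0xFFFE between OUI and device part."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]

def embedded_mac(addr: str):
    """Return the MAC embedded in an EUI-64 derived address, or None when
    the interface ID carries no FFFE marker (e.g. a privacy address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

def random_iid() -> bytes:
    """Random interface ID in the style of RFC 4941 temporary addresses:
    64 random bits with the U/L bit cleared; redraw if it would look
    like EUI-64 (FFFE in octets 3-4) so audits do not misclassify it."""
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD          # clear universal/local bit -> local
        if iid[3:5] != b"\xff\xfe":
            return bytes(iid)

def configure(prefixes, mac, privacy_only: bool):
    """Global addresses a node would form from RA-learned /64 prefixes.
    privacy_only models the USE_PRIVACY_ONLY idea: the EUI-64 address is
    never configured, only a privacy address per prefix."""
    out = []
    for p in prefixes:
        base = ipaddress.IPv6Network(p).network_address.packed[:8]
        if not privacy_only:
            out.append(str(ipaddress.IPv6Address(base + eui64_iid(mac))))
        out.append(str(ipaddress.IPv6Address(base + random_iid())))
    return out

def exposed(addrs):
    """Audit: (address, mac) pairs whose interface ID embeds a MAC."""
    return [(a, embedded_mac(a)) for a in addrs if embedded_mac(a)]
```

Running `exposed(configure([...], MAC, privacy_only=False))` lists the EUI-64 addresses an off-link scanner could enumerate by OUI; with `privacy_only=True` the list is empty.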
