Hi Bob - thanks for the quick reply. Three things:

1) If I have autoconfiguration enabled, and I autoconfigure a global-scope address from an RA where the valid lifetime is greater than zero (the usual case certainly), I would normally respond to connections from other nodes at that address. I guess I could use a platform firewall to suppress that. I guess I'd like a switch that says "do not consider autoconfigured addresses valid even if they have a positive valid lifetime", but I think that would put me at odds with the ND specifications. Maybe the platform firewall is a solution.

2) As for the value, I like it when implementers have choices. I hear people talk about the difficulty of scanning a 128-bit addressing space, but it is not hard, if autoconfiguration is in use and the attacker knows a little about an organization, to get that down to more like a 10 OUIs x 2^24 problem. You are right - still significant - but not insurmountable.

3) I got an off-list suggestion that maybe CGA is a potential solution for this, which is a good thought too.

John Spence
Command Information (HQ: Herndon VA)
[EMAIL PROTECTED]

-----Original Message-----
From: Bob Hinden [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 17, 2006 1:27 PM
To: John Spence
Cc: ipv6@ietf.org
Subject: Re: Is there any provision in privacy addressing, autoconfiguration, or ND specifications to have privacy address and *not have* autoconfigured addresses?

John,

> I would like the capability to have an interface construct a link-local
> address via some mechanism (EUI-64 from MAC, as an example) as normal,
> then configure a privacy address, all without autoconfiguring a
> global-scope address from the RA being sent on the subnet (there would
> be no valid or preferred global-scope addresses containing the MAC).
> This interface would be harder to scan for from off-link, since the only
> valid global-scope address would be a privacy address - no
> autoconfigured address embedding FFFE or a small set of OUIs (there are
> probably only a few hundred OUIs really in wide deployment) would be
> configured on the interface.

First of all, even with the auto-configured addresses, it is still very hard to do any kind of scanning. The IEEE MAC based interface IDs are very sparse.

I don't think anything new is required to do what you want. A node can create auto-configured addresses and privacy addresses. Which addresses it uses for what purposes is completely under its control. It doesn't have to use the auto-configured address for communication if it doesn't want to. It could use only the privacy based address if it chose to.

> This is not supported today, I do not believe, but I think it would be a
> valuable tool for administrators to have. What is your opinion?

I personally don't think this is very useful, but it is allowed under the current specifications. Implementors and/or vendors could easily build in this type of address usage policy if they saw a need or customer requirement.

Bob

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
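The scan-space argument in the thread (a modified EUI-64 interface ID embeds the MAC with FF:FE in the middle, so an attacker who knows the handful of OUIs an organization deploys is left with roughly OUIs x 2^24 candidates per /64 rather than 2^64), as an added worked example that is not part of the thread and not code from either author. It builds the SLAAC address from a prefix and MAC, recovers the MAC from an address that carries the FFFE marker, and computes the reduced search space. The prefix, MAC and OUI list are constructed for illustration (2001:db8::/32 is the documentation prefix; the OUIs are hypothetical, not a vendor inventory).

```python
import ipaddress
from typing import Iterator, List, Optional

# Constructed, hypothetical OUI list standing in for "the handful of OUIs an
# organization actually deploys"; not a real vendor inventory.
SAMPLE_OUIS: List[str] = ["00:1a:2b", "00:50:56", "00:0c:29"]


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A):
    split the MAC after the OUI, insert FF:FE, and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the U/L bit (bit 6 of the first octet)
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The global address SLAAC would form from an RA prefix and the node's MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 IIDs needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the IID looks like a modified EUI-64, else None.

    Heuristic: bytes 3-4 of the IID are FF:FE and the U/L bit is set (a globally
    unique MAC was flipped). A uniformly random 64-bit IID passes both checks
    with probability about 2**-17; an RFC 4941 privacy IID clears the U/L bit,
    so a compliant privacy address never matches. Treat a hit as likely, not proven.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe" or not (iid[0] & 0x02):
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the U/L flip
    return ":".join(f"{b:02x}" for b in mac)


def scan_space(ouis: List[str]) -> dict:
    """Candidate IIDs an off-link scanner must try in one /64: the full IID
    space versus MAC-derived IIDs when the OUIs in use are known."""
    full = 2 ** 64
    eui64 = len(ouis) * 2 ** 24  # per OUI only the low 24 MAC bits are unknown
    return {"full_iid_space": full,
            "eui64_known_ouis": eui64,
            "reduction_factor": full // eui64}


def candidate_addresses(prefix: str, oui: str, limit: int) -> Iterator[ipaddress.IPv6Address]:
    """First `limit` SLAAC addresses a scanner would try for one OUI in one /64."""
    for low in range(limit):
        mac = f"{oui}:{(low >> 16) & 0xff:02x}:{(low >> 8) & 0xff:02x}:{low & 0xff:02x}"
        yield slaac_address(prefix, mac)


if __name__ == "__main__":
    pfx = "2001:db8:1:2::/64"  # documentation prefix, constructed example
    a = slaac_address(pfx, "00:1a:2b:3c:4d:5e")
    print(a, "->", mac_from_address(str(a)))
    print(mac_from_address("2001:db8:1:2:a1b2:c3d4:e5f6:789a"))  # privacy-style IID
    print(scan_space(SAMPLE_OUIS))
    for cand in candidate_addresses(pfx, SAMPLE_OUIS[0], 3):
        print(cand)
```

Bob's point that MAC-derived IIDs are sparse and John's point that they are enumerable are both visible in `scan_space`: three known OUIs give about 5 x 10^7 candidates per /64, which is small next to 2^64 but is a feasible sweep for an attacker who can send that many probes, and the FFFE marker lets each response be attributed back to a MAC.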