Eliot Lear writes:
> Alain,
> > IPv6 addresses will be much more stable
> > than EUI64.
> > But, more importantly, they will be centrally assigned, i.e. can be
> > propagated to places that maintain ACLs.
> >   
> 
> Just because one receives a DHCP-assigned address doesn't mean one will 
> use it, and so such "security" is fraught with risks.  I'm not saying it's 
> impossible, but great caution is needed when going in this direction.

I think that has the evaluation a bit backwards.

It isn't that the "unknown" addresses will have any additional
privileges, but rather that the centrally-assigned (DHCP-managed) ones
will work better in that environment because they'll match up with the
centrally-administered network configuration.

For example, some addresses may have nice-looking reverse DNS entries,
while others do not.

Obviously, anyone who wants to can spoof an address on a link and thus
pick up the features of one of those known addresses.  But, then, both
NDP and RAs are insecure as well, so it's hardly a surprise that it
does matter who is allowed to attach to a given link.

The risk being cited here is of falling into an "unusable" address, or
at least one that works poorly, and not an attempt to foster any sort
of security-by-IP-address mechanism.

-- 
James Carlson, KISS Network                    <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
