Hi Pekka,

On Mon, 3 Jan 2011 11:51:38 +0200 (EET)
Pekka Savola <pek...@netcore.fi> wrote:

> Hi,
> 
> Operational input: when discussing the use of RFC4941 (privacy) addresses with
> our LAN/workstation admins, it seemed as if there would be great benefit from
> being able to specify an RFC3484 rule which would in essence say:
> 
> "do not use privacy addresses when communicating inside the site [a set of 
> designated destination prefixes], use it by default otherwise"
> 

I'd be curious what the benefits are.

The only reason I could think of as to why to do this is to be able to
associate internal application access logs with internal hosts. At face
value that sounds useful, however if you really care about auditing
application access and use, it isn't the hosts you need to worry about,
but the people behind them - and they can usually easily change hosts.
So I think those applications should be using proper AAA to identify the
user, rather than using IPv6 host identifiers as very poor substitutes
for user identities. 


> I don't think this is possible today because rfc3484 policy table only allows 
> matching by prefixes, not by address type.
> 
> Has this come up in discussions / has anyone else thought about this?
> 

Regards,
Mark.
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
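As an added illustration of the rule Pekka describes (not code from the thread or from any OS stack): a toy RFC 3484-style longest-prefix lookup whose policy rows carry a hypothetical extra field, "allow temporary address", so that destinations inside a designated site prefix get a stable source while everything else gets an RFC 4941 privacy address. The site prefix, candidate addresses and the extra policy field are all constructed assumptions; real RFC 3484 rows have only prefix, precedence and label.

```python
# Added example, not from the thread: a toy RFC 3484-style policy lookup
# extended with a hypothetical per-prefix "allow temporary address" flag.
# No real OS API is used; all address values below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class Candidate:
    addr: ipaddress.IPv6Address
    temporary: bool   # True for an RFC 4941 privacy (temporary) address


# Constructed site prefix and the candidate source addresses of one host.
SITE = ipaddress.IPv6Network("2001:db8:1::/48")
CANDIDATES = [
    Candidate(ipaddress.IPv6Address("2001:db8:1:10::1234"), temporary=False),
    Candidate(ipaddress.IPv6Address("2001:db8:1:10:5c1e:2f3a:9b8d:e11"), temporary=True),
]

# Hypothetical policy rows: (destination prefix, allow_temporary).
# The second field is the address-type selector the thread wishes for;
# it does not exist in the RFC 3484 policy table.
POLICY = [
    (ipaddress.IPv6Network("::/0"), True),   # default: privacy addresses allowed
    (SITE, False),                           # inside the site: stable address only
]


def lookup(dest):
    """Longest-prefix match over POLICY, as RFC 3484 does for its table."""
    best = None
    for prefix, allow_temp in POLICY:
        if dest in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, allow_temp)
    return best[1]


def select_source(dest, candidates=CANDIDATES):
    """Pick a source for `dest`: a temporary address if the policy allows it,
    otherwise a stable one; fall back to any address if none of that type."""
    dest = ipaddress.IPv6Address(dest)
    allow_temp = lookup(dest)
    preferred = [c for c in candidates if c.temporary == allow_temp]
    pool = preferred or candidates
    return str(pool[0].addr)
```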