On Fri, 4 Mar 2011, RJ Atkinson wrote:

> IPv6 addresses formed using any MAC address belonging to a given node (i.e. in modified EUI-64 form per the RFCs) do entirely meet the user audit needs for the users I am aware of (and previously summarised).

And how do you know the host didn't make up a new address because it needed to for some reason? It doesn't have to be privacy extension. SLAAC leaves it up to the host to do what it wants; it can take any address not currently in use by someone else.

> One might or might not like the proposal, but the above quote
> from Mikael is NOT accurate, at least for the user deployment
> audit needs that I am aware of.

SLAAC is by definition host-controlled. You use the term "audit" in a way I don't really understand (though I am not a native English speaker so I could very well be wrong).

If you want to be sure who did what when, you need centrally controlled IPv6 address hand-out (DHCPv6 is the only one I am aware of for IPv6) plus something that makes sure the user can't source any other traffic, such as the SAVI-WG functionality IP/MAC address verification schemes.

Please do not put more functionality into RA than what is absolutely needed. If you need to know what host had what IP address at what time, disallow SLAAC and run DHCPv6.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
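
The audit question argued in this message, as an added example that is not part of the original e-mail: given observed (IPv6 address, link-layer MAC) pairs, check whether each interface identifier is the modified EUI-64 form of the MAC that actually sourced it. The function names, addresses and MACs are constructed for illustration (documentation prefix 2001:db8::/32).

```python
import ipaddress

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    # Insert ff:fe in the middle and invert the universal/local bit.
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def mac_from_iid(iid: bytes):
    """MAC encoded by an EUI-64-shaped IID, or None when the IID is opaque.
    Heuristic: a random IID can contain ff:fe at this position by chance."""
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def classify(addr: str, observed_mac: str) -> str:
    """Compare the address's IID with the MAC seen on the wire for it."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if mac_from_iid(iid) is None:
        return "opaque-iid"          # privacy, manual or otherwise host-chosen
    if iid == eui64_iid(observed_mac):
        return "eui64-match"         # address is consistent with the sender's MAC
    return "eui64-mismatch"          # EUI-64 shape, but names a different MAC

# Constructed observations, e.g. as collected from a router's neighbour cache.
OBSERVATIONS = [
    ("2001:db8:0:1:211:22ff:fe33:4455", "00:11:22:33:44:55"),
    ("2001:db8:0:1:9c4e:1d2a:77b0:3f10", "00:11:22:33:44:55"),
    ("2001:db8:0:1:2aa:bbff:fecc:ddee", "00:11:22:33:44:55"),
]

def audit(observations):
    """Return (address, observed MAC, verdict) for every observation."""
    return [(a, m, classify(a, m)) for a, m in observations]

if __name__ == "__main__":
    for addr, mac, verdict in audit(OBSERVATIONS):
        print(f"{addr:40} {mac}  {verdict}")
```

Only the first observation can be tied to a MAC from the address alone; the other two need a lease log or neighbour-cache history to attribute.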
