On Fri, 2011-03-04 at 13:55 -0500, RJ Atkinson wrote:
> Existing RA flags control whether SLAAC is allowed
> or DHCP is required

I don't think they do. They inform the host about whether SLAAC *should*
be done, or whether DHCP *could* be done, but do not *control* the host
in any way.

> If a significant number of systems use the "privacy-mode" addressing, 
> that confidence interval is not achievable.

In my ignorance I may be being over-confident, but it seems to me that
some very basic NDP snooping in routers would enable logging of every
active address - when it became active and the last time it was seen,
along with layer-2 info for the address. Such features don't exist yet,
of course... er, do they?

> I'm told that some users already are using implementation-specific
> configuration mechanisms (e.g. apparently a MS-Windows "Registry"
> setting) that allow SLAAC, but disallow the privacy extension.

If that setting is on the host, it's toast in the hands of a Bad Guy.
But using your sense of "audit" I guess that's not too bad.

> This proposal would provide a platform-independent way
> to configure that sort of knob, which knob apparently exists
> now within an interesting number of deployed end systems.

Again - a knob only useful for well-behaved hosts.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (ka...@biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
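The NDP-snooping audit log Karl speculates about above, as an added example that is not from the original message and not any real router feature: it ingests constructed neighbor events (timestamp, IPv6 address, MAC), keeps first/last-seen and layer-2 info per address, and tells modified-EUI-64 interface IDs (RFC 4291) apart from the non-EUI-64 ones that privacy extensions (RFC 4941) produce, which is what erodes the audit confidence the thread discusses.

```python
# Added example, not from the original post. Models the per-address audit
# table an NDP-snooping router could keep; EVENTS below is constructed data.
import ipaddress
from collections import defaultdict

def is_eui64(addr):
    """True if the interface ID carries the 0xfffe marker at octets 11-12
    and has the universal/local bit set, i.e. it was derived from a MAC."""
    b = ipaddress.IPv6Address(addr).packed
    return b[11:13] == b"\xff\xfe" and bool(b[8] & 0x02)

def eui64_mac(addr):
    """Recover the MAC embedded in a modified-EUI-64 interface ID."""
    b = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    b[0] ^= 0x02                      # undo the u/l bit flip
    mac = b[0:3] + b[5:8]             # drop the inserted ff:fe
    return ":".join(f"{x:02x}" for x in mac)

def build_audit(events):
    """events: iterable of (ts, ipv6, mac). Returns {address: record}."""
    table = {}
    for ts, addr, mac in events:
        addr = ipaddress.IPv6Address(addr).compressed
        kind = "eui64" if is_eui64(addr) else "non-eui64"
        rec = table.setdefault(addr, {"first": ts, "last": ts,
                                      "mac": mac, "kind": kind})
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        if rec["mac"] != mac:
            rec["kind"] = "conflict"  # same address claimed by two MACs
    return table

def addresses_per_mac(table):
    """How many distinct addresses each MAC has used; a host cycling
    through privacy addresses shows up here as a large count."""
    by_mac = defaultdict(set)
    for addr, rec in table.items():
        by_mac[rec["mac"]].add(addr)
    return {m: len(a) for m, a in by_mac.items()}

# Constructed sample events (timestamp, address, MAC); not real traffic.
EVENTS = [
    (100, "2001:db8::2aa:ff:fe11:2233", "00:aa:00:11:22:33"),   # EUI-64
    (160, "2001:db8::2aa:ff:fe11:2233", "00:aa:00:11:22:33"),
    (105, "2001:db8::1c4f:9a2e:77d0:1b2c", "00:aa:00:11:22:33"), # temporary
    (300, "2001:db8::8d5e:0:4e1a:ab99", "00:aa:00:11:22:33"),    # temporary
    (310, "2001:db8::1", "00:bb:00:44:55:66"),                   # manual
]
```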
