On 2011-03-10 10:11, Mark Smith wrote:
> On Thu, 10 Mar 2011 07:41:48 +1300
> Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:
>
>> On 2011-03-09 22:18, Mark Smith wrote:
>> ...
>>> I think you'll be more successful at achieving your fundamental goal by
>>> observing and recording their IPv6 address use rather than trying to
>>> control it with mechanisms they have the ability to disable.
>> Since we defined privacy addresses specifically so that individual
>> hosts could reduce their traceability, it seems very controversial
>> to do anything that harms that ability.
>>
>> We did this, people will recall, as a direct result of public concern
>> about traceability based on CPU serial numbers and/or MAC addresses.
>>
>> That refers to traceability on the open Internet, not traceability
>> on the LAN. So indeed, as Mark says, this can be solved locally
>> by MAC logging (from DHCP or ND). That will not remove the ability
>> to use privacy addresses beyond the LAN.
>>
>
> Actually, one of the reasons I've been thinking about this "ND logging"
> recently, before these privacy proposals came up, is because of the
> criticisms about both stateless and stateful addressing methods
> existing in IPv6.
>
> The common argument from the "stateful-only crowd" seems to be that
> they need to have a log of IPv6 address/MAC addresses for audit
> purposes, and therefore think they need to have stateful, database
> driven addressing to do that, probably because that is how it has
> been done in IPv4. I've thought that SLAAC with more detailed ND state
> logging, triggered by NUD state changes, would provide them with what
> they need, without requiring the additional software infrastructure and
> state maintenance that stateful DHCPv6 addressing involves. Although
> stateful DHCPv6 clients are becoming far more widely available, all
> IPv6 end-nodes are at minimum going to support SLAAC.

Not to mention that such a logging mechanism will detect any hosts that
are misbehaving by simply giving themselves arbitrary addresses, which
as far as I can see can't be prevented in the general case.

   Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
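
The ND logging discussed in this thread, sketched as an added example that is not part of either poster's message: it builds an IPv6 address/MAC audit log from neighbour-cache observations and flags addresses outside the advertised prefix or addresses that move to a different MAC. The input format (lines modeled on Linux `ip -6 neigh show` with a collector-added timestamp), the function name `audit` and the prefix are assumptions.

```python
import ipaddress
import re

# Constructed sample: modeled on Linux `ip -6 neigh show` lines, each prefixed
# with a collection timestamp by a hypothetical collector.
SAMPLE = """\
2011-03-10T10:00:00 2001:db8:1::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2011-03-10T10:00:05 2001:db8:1::5c1e:9a3f:7b20:11d4 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2011-03-10T10:01:00 2001:db8:1::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 STALE
2011-03-10T10:02:00 2001:db8:1::1 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
2011-03-10T10:03:00 2001:db8:1::1 dev eth0 lladdr 00:de:ad:be:ef:01 REACHABLE
2011-03-10T10:04:00 2001:db8:99::42 dev eth0 lladdr 00:de:ad:be:ef:01 DELAY
2011-03-10T10:05:00 2001:db8:1::77 dev eth0 FAILED
"""

LINE = re.compile(r"^(\S+) (\S+) dev (\S+)(?: lladdr (\S+))? (\S+)$")


def audit(text, on_link_prefix):
    """Build an address/MAC audit log and flag suspicious bindings."""
    prefix = ipaddress.ip_network(on_link_prefix)
    bindings = {}  # (address, mac) -> [first_seen, last_seen]
    owner = {}     # address -> MAC last seen answering for it
    alerts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(4) is None:
            continue  # unparsable line, or entry with no MAC (e.g. FAILED)
        ts, addr, _dev, mac, _state = m.groups()
        ip, mac = ipaddress.ip_address(addr), mac.lower()
        seen = bindings.setdefault((str(ip), mac), [ts, ts])
        seen[1] = ts
        # A self-assigned address outside the advertised prefix.
        if ip not in prefix and not ip.is_link_local:
            alerts.append((ts, "off-prefix", str(ip), mac))
        # The same address now claimed by a different MAC.
        if owner.get(str(ip), mac) != mac:
            alerts.append((ts, "mac-change", str(ip), mac))
        owner[str(ip)] = mac
    return bindings, alerts


if __name__ == "__main__":
    log, alerts = audit(SAMPLE, "2001:db8:1::/64")
    for (addr, mac), (first, last) in sorted(log.items()):
        print(f"{mac} {addr} first={first} last={last}")
    for alert in alerts:
        print("ALERT", *alert)
```

A MAC holding several in-prefix addresses, as with privacy addresses, is recorded in the log but raises no alert.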