On Fri, Mar 11, 2011 at 08:01, Mark Townsley <m...@townsley.net> wrote:
>> On Mar 11, 2011, at 3:32 AM, Christian Huitema wrote:
>>
>> I'm saying the reasons people are tempted to disable RFC4941 are misplaced.
>>
>> +1
>>
>> Consider that if I want privacy and you won't let me use RFC4941, I might just make up a new MAC address each time I connect.
>>
>> Consider also the effect of unique identifiers on tracking. The MAC address follows you when you roam. By embedding it in the IPv6 address, we are effectively offering a "super cookie" to all web services. Is it really what we want? In addition to privacy issues, displaying the MAC address allows third parties to track hardware purchase, and enables other attacks by providing the data necessary for MAC spoofing. In short, it looked like a great idea at the time... but wasn't.
>
> One person's attack is another's targeted ad business case ;-)
>
> That aside, the considerations proposed in this document may be relevant to this discussion:
>
> http://tools.ietf.org/html/draft-brim-mobility-and-privacy-00

- Mark
Since you called it out :-) ...

I think less in terms of privacy than confidentiality scopes. Privacy is the right to withhold information. Confidentiality is an agreement that a second party will honor your wish for privacy from others, i.e. that information you give them will not be given to others. We give others information all the time, including hardware addresses. Confidentiality issues are at least as important as privacy.

Forcing people to reveal information to a larger scope than they wish, i.e. forcing loss of privacy, is a significant issue that must be taken into account by everyone doing protocol work. If we design our systems so that non-privacy addresses used locally must also be used globally, we are designing away the possibility of both privacy and confidentiality.

Requiring an end user to use a MAC or any persistent identifier for all communications with everything else on the Internet is probably illegal in an increasing number of countries around the world. (On the other hand, in some countries it is probably illegal to NOT require it.) However, it's perfectly legitimate to require an identifier within an enterprise -- there is a confidentiality agreement.

How can the enterprise get the information it needs without requiring users to give away privacy for other communications? An algorithmic mapping from a hardware identifier to a different one at the enterprise boundary does not solve the problem, because (1) all those problems around non-globalness of addresses/locators/identifiers, and (2) that mapped identifier is also persistent, and usage can be tracked.

Blue sky: Could the SP allow privacy addresses, at least for global use, and log its own mappings between privacy addresses and MACs or other persistent identifiers? Then it can always trace back to determine who did what if necessary.
Scott

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
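The following Python script is an added illustration of the "super cookie" point made in this thread; it is not code from the thread, from the IETF, or from any of the posters. It assumes a constructed MAC address and the documentation prefix 2001:db8:1::/64. It builds the modified EUI-64 interface identifier the way RFC 4291 Appendix A describes, shows that the MAC is recoverable from the resulting address by anyone who sees it, provides an audit check an operator can run over its own address logs to find hosts still exposing hardware addresses, and performs one step of the RFC 4941 section 3.2.1 temporary-identifier computation (MD5 over history value and EUI-64, leftmost 64 bits with the U/L bit cleared, rightmost 64 bits kept as the next history value).

```python
import hashlib
import ipaddress
from typing import Optional, Tuple

# Constructed sample values for this example (not taken from the thread).
SAMPLE_MAC = "00:1b:21:3c:4d:5e"
SAMPLE_PREFIX = "2001:db8:1::"   # RFC 3849 documentation prefix, assumed


def mac_to_modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit modified EUI-64 interface identifier from a 48-bit MAC
    (RFC 4291, Appendix A): insert ff:fe in the middle, invert the U/L bit."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                      # universal/local bit lives at 0x02 of octet 0
    return bytes(iid)


def iid_to_mac(iid: bytes) -> Optional[str]:
    """Recover the MAC from a modified EUI-64 IID. Returns None when the IID does
    not carry the ff:fe marker, i.e. it is not obviously derived from a MAC."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02                   # undo the U/L bit inversion
    return ":".join(f"{b:02x}" for b in octets)


def address_from_iid(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix + "/64")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def mac_exposed_by(address: str) -> Optional[str]:
    """Audit check: the MAC an IPv6 address reveals to every peer, or None.
    Run over address logs to find hosts that are not using RFC 4941 addresses."""
    return iid_to_mac(ipaddress.IPv6Address(address).packed[8:])


def rfc4941_temporary_iid(history: bytes, eui64_iid: bytes) -> Tuple[bytes, bytes]:
    """One step of RFC 4941 section 3.2.1. Returns (temporary IID, next history).
    The leftmost 64 bits of MD5(history || EUI-64 IID) become the IID with bit 6
    (the U/L bit) cleared; the rightmost 64 bits are the next history value."""
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history value and interface identifier must be 8 bytes")
    digest = hashlib.md5(history + eui64_iid).digest()
    temp = bytearray(digest[:8])
    temp[0] &= 0xFD                     # clear bit 6: identifier is not globally unique
    return bytes(temp), digest[8:]


if __name__ == "__main__":
    eui = mac_to_modified_eui64(SAMPLE_MAC)
    stable = address_from_iid(SAMPLE_PREFIX, eui)
    print("EUI-64 derived address:", stable)
    print("MAC anyone can read back from it:", mac_exposed_by(stable))

    # Two successive temporary identifiers from a constructed initial history value.
    history = bytes(8)
    for _ in range(2):
        temp_iid, history = rfc4941_temporary_iid(history, eui)
        temp_addr = address_from_iid(SAMPLE_PREFIX, temp_iid)
        print("RFC 4941 temporary address:", temp_addr,
              "exposes MAC:", mac_exposed_by(temp_addr))
```

The audit helper is the operational piece: feeding it the source addresses from a web server or flow log tells an operator which of its own hosts are still publishing a hardware identifier to every remote service, which is exactly the exposure the thread is worried about.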