On 03/12/2011 16:44, Christian Huitema wrote:
>> It doesn't. The I-D aims at allowing routers to specify which policy they want
>> hosts to employ when generating their IPv6 addresses.
>
> Uh? I definitely don't want to give the router at Starbucks the means to
> specify the privacy configuration of my laptop.
>
> I understand that corporations want to enforce policies so PC and routers are
> easier to manage, but we have to be careful. If we define that policy as part
> of the address configuration standard, then it will apply everywhere, not just
> in the corporate network where the laptop is managed. That seems a terrible
> idea.
>
> If we want policy options to be applied safely, they have to be propagated by
> a trusted mechanism, where the host can verify the authority of the policy
> source. Anything else is abuse waiting to happen.

Please consider this my periodic repetition of support for what
Christian is saying here, along with my periodic repetition of
opposition to (further) modifying RA/SLAAC to do things that DHCP
can/does do, or should be doing.

And to state publicly something that I discussed in private, I'm
completely unsympathetic to the viewpoint that "we need to show to the
auditors that we tried to prevent hosts from doing bad things" in the
absence of rigorous security steps to _actually_ prevent them.

Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------