Interesting draft. Thanks.
The elephant in the room is that DHCPv6 clients are still not deployed
on all end nodes that would benefit from it.
Many other 6man drafts, such as draft-ietf-6man-addr-select-opt-03, also
rely on DHCPv6.
Let's hope that the market now manages to quickly resolve what the IETF
has not managed to resolve in over 10 years of discussion, and selects a
universally available communication channel for passing configuration
hints between the network and end nodes that move between networks.
Otherwise changing default behavior (like being discussed in the update
from 3484 to 3484bis), or implementing new features in 6man, will likely
make migration to IPv6 during dual stack operation harder, or break
existing stuff, or both.
regards,
RayH
Tirumaleswar Reddy (tireddy) <mailto:tire...@cisco.com>
5 April 2012 08:59
Firewall policies are moving towards identity (user, user-group) +
context (location, Bring your Own Device (BYOD)) attributes to enforce
appropriate policies. In enterprises, hosts with EAP kind of
supplicants can be tracked even when the IP changes, but for guests,
BYOD without such supplicants, IP address based authentication is still
required, and for such users, switches acting as DHCP relay agent can
influence the DHCP server not to assign temporary addresses
(http://tools.ietf.org/html/draft-reddy-mif-dhcpv6-precedence-ops-00).
Regards
Tiru.
*From:* ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] *On Behalf
Of* Ray Hunter
*Sent:* Tuesday, March 27, 2012 10:30 PM
*To:* Brian Haberman
*Cc:* ipv6@ietf.org
*Subject:* Re: 3484bis and privacy addresses
From the corporate World: option A as default, with local user
controlled option to override.
RFC3484 (which references RFC3041) "Temporary addresses" are a menace
to fault finding, audit, logging, firewall rules, filtering, QoS
matching, conformance: anywhere where an ACL or stable address is used
today. Sure we shouldn't use fixed/stable IP literals, but we do. And
in many cases there aren't any practical alternatives in today's
products, so the IP address is the lowest common denominator used to
identify a machine (and dare I say even "a user" in some circumstances).
Also not sure if any DHCPv6 server implementations actually provide
DHCPv6 assigned temporary addresses in practice.
My take on this is that a set of a few hundred individual persons who
are worried about privacy are more likely to be able to control their
own particular machines to correctly override the "default off"
setting than a single corporate network manager is to be able to
guarantee overriding a "default on" setting on 100% of 10000 machines
attached to their network.
regards,
RayH
Brian Haberman wrote:
All,
The chairs would like to get a sense of the working group on
changing the current (defined 3484) model of preferring public
addresses over privacy addresses during the address selection
process. RFC 3484 prefers public addresses with the ability (MAY) of
an implementation to reverse the preference. The suggestion has been
made to reverse that preference in 3484bis (prefer privacy addresses
over public ones). Regardless, the document will allow
implementers/users to reverse the default preference.
Please state your preference for one of the following default
options:
A. Prefer public addresses over privacy addresses
B. Prefer privacy addresses over public addresses
Regards,
Brian, Bob, & Ole
--
Ray Hunter <mailto:ray.hun...@globis.net>
27 March 2012 19:00
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------