Hi, Tim,

Thanks so much for your feedback! Please find my comments inline...

On 04/13/2012 12:37 PM, Tim Chown wrote:
> Extensions. If I understand it correctly, essentially what you are
> defining is randomised stable-per-prefix public interface
> identifiers,

Exactly.

> On 3484bis, if stable privacy addresses are alternative public (not
> temporary) identifiers for hosts then is there anything more to say?

Not that I can think of.

> Note that RFC4941 temporary addresses can also be stable, in that
> they do not change if the host stays on the same network; the
> specification only says identifiers SHOULD be regenerated at some
> defined interval.

Two things:

* If you do RFC 4941 but do not change the addresses over time (e.g. as Windows does for their stable addresses), then you can be tracked exactly in the same way as with MAC-based addresses. Such addresses mitigate only host-scanning attacks (i.e., they are unpredictable), but since there's a constant identifier used across networks, tracking is still possible. -- So at the time you implement RFC 4941 without regenerating the addresses over time, they are not *privacy* extensions anymore :-)

* IMO, it is a bit of a stretch to say "RFC4941 temporary addresses can also be stable", implying that stability is allowed. That would be the case if "identifiers MAY be generated at some defined interval". But if it's a SHOULD, and you go against it, you're not fully compliant with the specification. ("SHOULD" just means that there are specific cases in which you're allowed to not follow the recommendation.)

> Finally, it would be interesting to know what algorithm Windows uses
> to generate its identifiers; they are randomised, public and stable.
> I had thought they were based on the prefix, but Fernando's tests
> suggest not.

Dave Thaler commented on this one during the 6man wg meeting at IETF 83: They do RFC4941, without changing the addresses over time. Hence, the identifiers are constant across networks.

This means that they mitigate host scanning attacks, but as noted in draft-gont-6man-stable-privacy-addresses-01 they are still subject to host-tracking.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
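The distinction drawn in the message above, between a random interface identifier that is generated once and reused on every network and one derived per prefix from a host secret, can be shown directly. The following is an added illustration, not code from the thread, from RFC 4941 or from draft-gont-6man-stable-privacy-addresses; the per-prefix derivation is a simplified stand-in for the draft's F(Prefix, Net_Iface, ..., secret_key) construction, and the prefixes, interface name and secret key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample values; none of these come from the mailing-list thread.
PREFIX_HOME = ipaddress.IPv6Network("2001:db8:1::/64")
PREFIX_CAFE = ipaddress.IPv6Network("2001:db8:2::/64")
NET_IFACE = "eth0"
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical per-host secret


def _finish_iid(raw: bytes) -> bytes:
    """Take 64 bits and clear the u/g bit (0x02 of the first byte), as RFC 4941
    does, so the identifier cannot be mistaken for a globally unique EUI-64."""
    iid = bytearray(raw[:8])
    iid[0] &= 0xFD
    return bytes(iid)


def form_address(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Concatenate a /64 prefix with a 64-bit interface identifier."""
    assert prefix.prefixlen == 64 and len(iid) == 8
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def stable_per_prefix_iid(prefix: ipaddress.IPv6Network, net_iface: str, secret_key: bytes) -> bytes:
    """Simplified stand-in for the draft-gont idea: IID = F(prefix, interface, secret).
    Same prefix -> same IID (stable on that network); different prefix -> unrelated IID."""
    msg = prefix.network_address.packed[:8] + net_iface.encode()
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return _finish_iid(digest)


class ConstantRandomIidHost:
    """Models RFC 4941-style identifiers that are drawn once and never regenerated:
    unpredictable to a scanner, but the same 64 bits reappear on every network."""

    def __init__(self, iid=None):
        self.iid = _finish_iid(iid if iid is not None else secrets.token_bytes(8))

    def address_in(self, prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
        return form_address(prefix, self.iid)


def iid_links_networks(addr_a: ipaddress.IPv6Address, addr_b: ipaddress.IPv6Address) -> bool:
    """The property a tracker relies on: two addresses seen on different
    prefixes share their low 64 bits, so they can be attributed to one host."""
    return addr_a.packed[8:] == addr_b.packed[8:]


if __name__ == "__main__":
    host = ConstantRandomIidHost()
    a_const, b_const = host.address_in(PREFIX_HOME), host.address_in(PREFIX_CAFE)
    print("constant IID  :", a_const, b_const, "linkable:", iid_links_networks(a_const, b_const))

    a_stab = form_address(PREFIX_HOME, stable_per_prefix_iid(PREFIX_HOME, NET_IFACE, SECRET_KEY))
    b_stab = form_address(PREFIX_CAFE, stable_per_prefix_iid(PREFIX_CAFE, NET_IFACE, SECRET_KEY))
    print("per-prefix IID:", a_stab, b_stab, "linkable:", iid_links_networks(a_stab, b_stab))
```

Both schemes leave the address unpredictable to a remote scanner; only the per-prefix derivation also breaks the cross-network link, because the identifier a host presents on one prefix says nothing about the identifier it will present on another. Regenerating the constant identifier over time, as RFC 4941 recommends, is the other way to remove that link.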