On 2012-04-14 15:09, Fernando Gont wrote:
> On 04/14/2012 12:30 PM, Tim Chown wrote:
>> A while ago I put this one forward, which is an alternative to
>> Fernando's suggestion that you have to set the whole address:
>>
>> http://tools.ietf.org/html/draft-chown-6man-tokenised-ipv6-identifiers-00
>>
>>  This was based on existing implementations, in Solaris and Linux (as
>> a demonstrator), with the potential for simpler renumbering in mind.
> 
> Does this really help renumbering? e.g., if you have ACLs, they are
> based on the whole IPv6 address, rather than on the IID...

This is linked to the whole question of why people assign static
addresses and how that interacts with renumbering. By getting rid
of the MAC address (so that the server address doesn't depend on
the network interface hardware) you are part way to static addresses,
and one can imagine a prefix-renumbering mechanism that could handle
this. Of course here we want an IID that is not only stable but is
also well-known; servers don't get address privacy ;-).

Fully static addresses are a pain in renumbering, but that
discussion belongs in 6RENUM (draft-carpenter-6renum-static-problem).

   Brian

> 
>> It's probably the complete antithesis of what Fernando is trying to
>> achieve, but is aimed at the type of (server) systems that would
>> probably be DNS-advertised anyway.
> 
> Note that having an address advertised in the DNS does not necessarily
> mean that predictable addresses are not useful to an attacker.
> 
> For example, let's assume that you know that a network link hosts 100
> different servers, each with a different domain.
> 
> If their addresses are not predictable, and the attacker wants to find
> all of them, he may have to rely on a "dictionary" attack. However, if
> the addresses *are* predictable, he could just sweep the interesting part
> of the address space.
> 
> Note: I still don't understand the use case for this technology, or how
> the IIDs would be selected (but since they seem to be
> manually-generated, I'd expect them to be "low-byte", such as ::1, ::2,
> etc.).
> 
> Thanks!
> 
> Best regards,
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
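
The two technical points argued above (a tokenised IID survives a prefix change but a whole-address ACL entry does not, and a manually chosen "low-byte" token collapses the attacker's search from a 2^64 space to a short sweep) can be demonstrated in a few lines. The following is an added illustration written for this page, not code from the thread, from the draft, or from the Solaris/Linux implementations it mentions; the prefixes (2001:db8:1::/64, 2001:db8:2::/64), the token ::53 and the probe budget are constructed sample values.

```python
"""Added example: tokenised IPv6 identifiers (prefix + fixed 64-bit token),
what renumbering the prefix does to a whole-address ACL, and how cheaply a
low-byte token is found by sweeping ::1, ::2, ... within the prefix.
All addresses below are constructed documentation-range values."""
import ipaddress
from typing import Optional

IID_MASK = (1 << 64) - 1


def tokenised_address(prefix: str, token: str) -> ipaddress.IPv6Address:
    """Build a full address from a /64 prefix and a 64-bit token written as an
    IPv6 literal (e.g. '::53'): prefix in the high 64 bits, token in the low 64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("tokenised identifiers assume a /64 prefix")
    tok = int(ipaddress.IPv6Address(token))
    if tok >> 64:
        raise ValueError("token must fit in the 64-bit interface identifier")
    return ipaddress.IPv6Address(int(net.network_address) | tok)


def iid_of(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits: the interface identifier that stays stable across renumbering."""
    return int(addr) & IID_MASK


def renumber(addr: ipaddress.IPv6Address, new_prefix: str) -> ipaddress.IPv6Address:
    """Prefix renumbering as the draft envisages it: keep the IID, swap the /64."""
    return tokenised_address(new_prefix, str(ipaddress.IPv6Address(iid_of(addr))))


def acl_matches_after_renumber(old_prefix: str, new_prefix: str, token: str) -> bool:
    """An ACL entry is keyed on the whole 128-bit address, not on the IID, so an
    entry written under the old prefix stops matching the same host after the
    prefix changes. Returns whether the renumbered host is still permitted."""
    acl = {tokenised_address(old_prefix, token)}  # whole-address ACL, one entry
    host = renumber(tokenised_address(old_prefix, token), new_prefix)
    return host in acl


def probes_to_find(prefix: str, target: str, budget: int) -> Optional[int]:
    """Simulate an attacker sweeping the low-byte part of `prefix` (::1, ::2,
    ...). Returns the probe number that hits `target`, or None if `target` is
    not within `budget` probes. A randomised 64-bit IID would instead need on
    the order of 2**63 probes on average, far beyond any budget."""
    want = ipaddress.IPv6Address(target)
    for n in range(1, budget + 1):
        if tokenised_address(prefix, f"::{n:x}") == want:
            return n
    return None


if __name__ == "__main__":
    old, new, token = "2001:db8:1::/64", "2001:db8:2::/64", "::53"
    before = tokenised_address(old, token)
    after = renumber(before, new)
    print("before renumbering:", before)
    print("after renumbering: ", after, "(same IID, new prefix)")
    print("old ACL entry still matches:", acl_matches_after_renumber(old, new, token))
    print("low-byte sweep finds the host at probe:", probes_to_find(new, str(after), 256))
    print("random-looking IID within 256 probes:", probes_to_find(new, "2001:db8:2::dead", 256))
```

Run stand-alone, the script shows the host moving from 2001:db8:1::53 to 2001:db8:2::53 with the ACL entry no longer matching, and the sweep hitting the low-byte token on probe 83 while a token outside the low-byte range is not found within the budget.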