Thanks a lot for your comments. They were actually quite helpful and made
some good points. Here are my answers:

> There are many people (in IETF and elsewhere) who believe that applications
> should never use IP addresses directly or in referrals to other
> applications. This is often cited as if it were some architectural
> principle - in fact just last night, I actually had an AD state that to me
> as if it were a principle. I happen to disagree emphatically with that
> supposed principle, for many reasons, but I won't list those reasons here.
> For the moment it only matters that there is a widely held belief that all
> applications should only use names to refer to hosts or application
> endpoints. From that point-of-view, all hosts/nodes need to have names,
> so (by this definition) all hosts/nodes need to have public addresses. And
> the people who believe that applications should always use names to refer
> to hosts or application endpoints have a lot of influence on network
> protocol design choices. So a recommendation for hosts to only use
> addresses not listed in DNS can have the effect of making those hosts
> unable to support various applications.

I imagine the name that you want to be publicly available is different from
the names that you use on the local link for some applications. Right?

> Bottom line: The decision about whether a node should use an address
> listed in DNS is not something that should be dictated entirely, or probably
> even mostly, by concerns about the privacy of addresses.

This is actually what I tried to explain in the draft, but not very
successfully. I will have to use different wording in addressing this
problem, and not convey the meaning that one is forced to do as explained in
the draft, but explain the repercussions that could ensue if one doesn't follow
the advice given in the draft.

> I would also suggest that the privacy benefit from using addresses not
> listed in DNS is probably very small. But in order to evaluate that
> benefit, it would help to identify specific threats to privacy that are
> remedied by not using addresses listed in DNS.

It is not small. If you ask the DNS guys (or probably you are one of them?),
they will tell you that nowadays the types of attacks against DNS have
changed. The attackers now use DNS as a tool with which to attack other nodes
on the network. One such attack is node scanning, which is not feasible in the
traditional way with IPv6. This is because, as you know, there are 2^64
addresses in each subnet. One might use DNS to find the IP addresses of other
nodes in a target network. As I said during my talk, we implemented this
attack using DNS. We obtained a lot of names, all of which resided in public
DNS servers. Even with the use of security this would not be prevented, but
the chances of this type of attack being perpetrated would be diminished.
If you are interested, you can download the attacking tool that we used
from our website (easily search ipv6ssl and hpi). It is publicly
available. It is not an optimized tool, as our purpose was research. We
will upload a more optimized version soon.

Thanks,
Best,
Hosnieh
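As an added illustration of the point made in the message above (it is not part of the original thread, nor the tool the author mentions): an operator-side audit of a zone file that lists which hosts are discoverable through their AAAA records alone, and which of those additionally publish a modified EUI-64 interface identifier, which also reveals the interface's hardware address. The zone fragment is constructed sample data, and the hostnames and prefix are placeholders.

```python
import ipaddress

# Constructed sample zone fragment (not real hosts); the audit assumes
# standard zone-file syntax "name [ttl] IN AAAA address".
SAMPLE_ZONE = """\
$ORIGIN example.test.
www      3600 IN AAAA 2001:db8:1::80
mail     3600 IN AAAA 2001:db8:1:0:0224:d7ff:fe23:ab01
printer  3600 IN AAAA 2001:db8:1:0:021b:21ff:fe44:1234
app      3600 IN A    192.0.2.10
db       3600 IN AAAA 2001:db8:1::2b9e:7a31:ffc0:10d2
"""

def parse_aaaa(zone_text):
    """Return a dict name -> IPv6Address for every AAAA record in the zone text."""
    origin = ""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";")[0].strip()  # drop zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if "AAAA" not in fields:
            continue  # A, MX, etc. are irrelevant to IPv6 discovery
        name = fields[0]
        if not name.endswith("."):
            name = f"{name}.{origin}"  # qualify relative names
        records[name] = ipaddress.IPv6Address(fields[fields.index("AAAA") + 1])
    return records

def is_eui64(addr):
    """True if the 64-bit interface identifier carries 0xfffe in its middle
    two bytes, the signature of a modified EUI-64 identifier built from a MAC."""
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE

def audit(zone_text):
    """Hosts a DNS-based scanner can find without touching the 2^64 address
    space, and the subset whose identifiers also leak a hardware address."""
    records = parse_aaaa(zone_text)
    return {
        "exposed": sorted(records),
        "eui64": sorted(n for n, a in records.items() if is_eui64(a)),
    }
```

Running `audit(SAMPLE_ZONE)` reports all four AAAA-bearing names as discoverable and flags `mail` and `printer` as EUI-64 derived.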

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------