On 05/10/09 16:43 -0400, Ricky Beam wrote:
[here we go again]
On Mon, 05 Oct 2009 14:37:49 -0400, William Herrin
<herrin-na...@dirtside.com> wrote:
Some clever guy figured out that ... why not
add an extra 64 bits for that very convenient improvement? This is
called "stateless autoconfiguration."
Except that "clever guy" was in fact an idiot blinded by idealism. Not
only did he fail to see the security implications of having a fixed
address, but he'd apparently spent his entire life under a rock, on an
a publicly routeable stateless auto configured address is no less
secure than a publicly routeable address assigned by DHCP. Security is, and
should be, handled by other means.
island, on another planet... he completely ignored the fact that people
were using DHCP [formerly known as BOOTP] (and have been now for over a
decade) to provide machines with FAR MORE than just an address. A
That's what stateless DHCP does.
Some even more clever guy figured out that if the first clever guy's
strategy is used, it becomes a trivial matter to track someone
online... ...
stateless autoconfiguration will probably end up being a waste.
It's ALWAYS been a waste. All these supposed "clever guys" failed to
learn from the mistakes that preceded them and have doomed us to repeat
them... ICMP router discovery (technology abandoned so long ago, I'd
forgotten about it), RARP, bootp, dhcp. SLAAC loops us back around to
the beginning. Only this time, it's inescapable: I still have to have
something on the network spewing RAs for the sole purpose of telling
everything to use DHCP instead; there's a hard "class" boundary smack in
the middle of a "classless network" because these "clever guys" were lazy
and didn't want to figure out ways to avoid address collisions.
I don't understand. You're saying you have overlapping class boundaries in
your network?
(something modern IPv6 stacks do by default for privacy -- randomly
generated addresses have to be tested for uniqueness.)
--
Dan White
BTC Broadband