Michael Thomas <[email protected]> wrote:
> On 11/13/14, 12:09 PM, Michael Richardson wrote:
>> Ted Lemon <[email protected]> wrote:
>>> 4) you can't just fill the zone with all the names -- it won't be
>>> secure. (4A - things that don't want global reachability, perhaps,
>>> shouldn't have globally reachable addresses)
>>>
>>> There is a privacy issue here. And if a global prefix is advertised,
>>> present state of the art is that all devices on the wire will wind up
>>> with an address on that prefix. However, attacking those devices from
>>> outside requires guessing their address, unless it's conveniently
>>> published in a DNS zone.
>>
>> If we conclude that ULA will always be present in the home, then
>> devices ought to only have a ULA by default, and need to enabled to
>> have a GUA. That's one of my major reasons I always want ULA to be
>> available.
>>
> Given how easy it is for a device to configure a GUA -- intentional or
> otherwise -- I don't think I'd want to stake any security properties on a
> device's non-routability. Nor do I think that the obscurity of not
> having a DNS name provides much in the way of privacy. There's way too
> much that can go wrong to count on either of these properties.
I am not saying: ULA=secure, GUA=insecure.
I'm saying: pick a GUA if you are a device which should be
discoverable/reachable by default. That's not to say what your ACL should
be. I presume that these devices do not otherwise use resources the way that
my phone or laptop does when I interact with it.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
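An added illustration, not code from the thread or from any homenet implementation, of the publishing rule discussed above: ULA addresses go into the home-internal zone, a GUA is published only for devices that have opted in to global reachability, and a device holding a GUA without having opted in is reported, since (as Michael Thomas notes) a device may acquire one whether or not it should be reachable. The device inventory and addresses are constructed sample data.

```python
import ipaddress

# RFC 4193 unique local, globally routable unicast, and link-local ranges
ULA = ipaddress.ip_network("fc00::/7")
GUA = ipaddress.ip_network("2000::/3")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def classify(addr: str) -> str:
    """Return the scope of an IPv6 address: link-local, ula, gua or other."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    if a in GUA:
        return "gua"
    return "other"


# Constructed inventory: name -> (opted in to global reachability, addresses)
DEVICES = {
    "printer":    (False, ["fdab:1234::10", "2001:db8:1::10", "fe80::10"]),
    "webcam":     (True,  ["fdab:1234::20", "2001:db8:1::20"]),
    "thermostat": (False, ["fdab:1234::30"]),
}


def plan_zone(devices):
    """Decide which addresses to publish and flag policy violations.

    Returns (records, warnings): records are (owner, view, address) tuples,
    ULA addresses for the internal view only and GUA addresses for the
    external view only when the device opted in; warnings list devices
    that hold a GUA without having opted in to global reachability.
    """
    records, warnings = [], []
    for name, (reachable, addrs) in devices.items():
        for addr in addrs:
            kind = classify(addr)
            if kind == "ula":
                records.append((name, "internal", addr))
            elif kind == "gua":
                if reachable:
                    records.append((name, "external", addr))
                else:
                    warnings.append((name, addr))
            # link-local and any other scope is never published
    return records, warnings
```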
_______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
