Michael Thomas <[email protected]> wrote:
    > On 11/13/14, 12:09 PM, Michael Richardson wrote:
    >> Ted Lemon <[email protected]> wrote:
    >>>> 4) you can't just fill the zone with all the names -- it won't be
    >>>> secure.  (4A - things that don't want global reachability, perhaps,
    >>>> shouldn't have globally reachable addresses)
    >>
    >>> There is a privacy issue here.  And if a global prefix is
    >>> advertised, present state of the art is that all devices on the wire
    >>> will wind up with an address on that prefix.  However, attacking
    >>> those devices from outside requires guessing their address, unless
    >>> it's conveniently published in a DNS zone.
    >>
    >> If we conclude that ULA will always be present in the home, then
    >> devices ought to only have a ULA by default, and need to be enabled to
    >> have a GUA.  That's one of my major reasons I always want ULA to be
    >> available.
    >>

    > Given how easy it is for a device to configure a GUA -- intentional or
    > otherwise -- I don't think I'd want to stake any security properties on a
    > device's non-routability. Nor do I think that the obscurity of not
    > having a DNS name provides much in the way of privacy.  There's way too
    > much that can go wrong to count on either of these properties.

I am not saying: ULA=secure, GUA=insecure.

I'm saying: pick a GUA if you are a device which should be
discoverable/reachable by default.  That's not to say what your ACL should
be.  I presume that these devices do not otherwise use resources the way that
my phone or laptop does when I interact with it.

-- 
Michael Richardson <[email protected]>, Sandelman Software Works
 -= IPv6 IoT consulting =-

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet