Rémi Després wrote:
> Harald Alvestrand a écrit :
>> Mark Andrews skrev:
>>
>>> You also don't want to do it as you would also need massive churn in
>>> the DNS.
>>>
>>> Microsoft gets this wrong as they don't register the privacy addresses
>>> in the DNS which in turn causes services to be blocked because there
>>> is no address in the DNS.
>>>
>> perhaps the advent of IPv6 will result in people finally (*finally*)
>> giving up on this sorry excuse for a security blanket? (calling it a
>> "mechanism" is too kind)
>>
>> Or perhaps it'll just make people register wildcard records at the /64
>> level in ip6.arpa :-(
>>
>>
> One approach to achieve it could be as follows:
> - An IPv6 link where some privacy source addresses may be used would
> have in the DNS a record for a "generic privacy address".
> - This address would be the /64 of the link followed by an agreed
> "joker IID" (0:0:0:0 or some other to be agreed on, e.g. FFFF:0:0:0).
> - Resolvers, if they recognize a privacy remote address, would query
> the reverse DNS with this "generic privacy address" of the remote link.
> - They could also do this type of queries after failures of full
> address queries.
>
> Problem:
> Privacy addresses, as specified today, cannot be distinguished with
> 100% certainty from addresses obtained with stateful DHCPv6.
> A proposal would be an addition to the privacy extension spec (rfc 4941).
> - A variant of privacy addresses would be defined for "distinguishable
> privacy addresses".
> - These addresses would, for example, have FF00::/8 at the beginning
> of their IID (no currently specified IPv6 IID begins that way;
> randomness on 58 bits is good enough).
> - Then resolvers could recognize such privacy addresses for sure, and
> could query the reverse DNS with the generic privacy address only
> when this is appropriate.
>
> IMHO, this is a feasible step to reconcile: (1) privacy requirements
> of individuals; (2) desire to know which site is at the other end
> where and when such a desire exists.
My desire to have privacy is, in itself, something I may want to keep
private.
If what you want to know is indeed "which site is at the other end",
wildcards at the /64 level will achieve that with no changes to existing
code.
Harald
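The two reverse-DNS schemes discussed in this thread, side by side, as an added example that is not part of the original messages: Rémi's "generic privacy address" record (a PTR at the link's /64 plus an agreed joker IID, queried only when the client recognises a "distinguishable" privacy address whose IID starts with 0xFF) and Harald's wildcard PTR at the /64 level in ip6.arpa, which answers the ordinary full-address query with no client changes. The prefix 2001:db8:1234:5678::/64, the host addresses, the PTR targets, the joker IID ffff:0:0:0 and the 0xFF IID marker are all constructed or assumed for illustration; the wildcard logic follows the closest-encloser rule of RFC 4592 in simplified form (one zone, no delegations or CNAMEs).

```python
"""Reverse DNS for IPv6 privacy addresses: generic-privacy PTR vs. /64 wildcard."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Joker IID from the proposal in the thread; the concrete value is an assumption.
JOKER_IID = "ffff:0:0:0"


def reverse_name(addr: ipaddress.IPv6Address) -> str:
    """Full ip6.arpa owner name of a /128 (32 nibble labels + ip6.arpa)."""
    return addr.reverse_pointer


def prefix64_reverse_name(addr: ipaddress.IPv6Address) -> str:
    """ip6.arpa name of the address's /64: drop the 16 nibble labels of the IID."""
    return ".".join(addr.reverse_pointer.split(".")[16:])


def generic_privacy_address(addr: ipaddress.IPv6Address,
                            joker: str = JOKER_IID) -> ipaddress.IPv6Address:
    """The link's /64 followed by the agreed joker IID."""
    iid = int(ipaddress.IPv6Address("::" + joker))      # low 64 bits only
    prefix = (int(addr) >> 64) << 64                     # clear the IID
    return ipaddress.IPv6Address(prefix | iid)


def is_distinguishable_privacy(addr: ipaddress.IPv6Address) -> bool:
    """Proposed (not RFC 4941) marker: first octet of the IID is 0xff."""
    return (int(addr) >> 56) & 0xFF == 0xFF


def ancestors(name: str, inclusive: bool = False) -> List[str]:
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(0 if inclusive else 1, len(labels))]


def lookup_ptr(zone: Dict[str, str], qname: str) -> Optional[Tuple[str, str]]:
    """Return (ptr_target, owner_that_matched) or None.

    Exact owner first; otherwise the '*' child of the closest encloser
    (longest existing ancestor, counting empty non-terminals) per RFC 4592.
    """
    if qname in zone:
        return zone[qname], qname
    existing = {a for owner in zone for a in ancestors(owner, inclusive=True)}
    if qname in existing:                # empty non-terminal: exists, no PTR
        return None
    for enc in ancestors(qname):         # nearest ancestor first
        if enc in existing:
            wild = "*." + enc
            return (zone[wild], wild) if wild in zone else None
    return None


def resolve(zone: Dict[str, str], addr: ipaddress.IPv6Address,
            joker: str = JOKER_IID) -> Tuple[Optional[str], Optional[str]]:
    """Resolver behaviour from the thread: full-address query, then the
    generic-privacy query only if the address is recognisably a privacy one."""
    hit = lookup_ptr(zone, reverse_name(addr))
    if hit:
        target, owner = hit
        return target, ("wildcard" if owner.startswith("*.") else "exact")
    if is_distinguishable_privacy(addr):
        hit = lookup_ptr(zone, reverse_name(generic_privacy_address(addr, joker)))
        if hit:
            return hit[0], "generic-privacy"
    return None, None


# Constructed sample link and hosts (documentation prefix, invented IIDs).
DHCP_HOST = ipaddress.IPv6Address("2001:db8:1234:5678::10")                  # registered
PRIV_HOST = ipaddress.IPv6Address("2001:db8:1234:5678:ff3a:9c1e:2b70:5d44")  # IID starts 0xff
RFC4941_HOST = ipaddress.IPv6Address("2001:db8:1234:5678:3c1e:9b70:5d44:a2f1")  # plain random IID

# Scheme 1 (generic privacy address): one PTR per registered host plus one for the joker.
ZONE_GENERIC = {
    reverse_name(DHCP_HOST): "host10.example.net",
    reverse_name(generic_privacy_address(PRIV_HOST)): "privacy-hosts.example.net",
}
# Scheme 2 (wildcard at the /64): exact PTR for the registered host, '*' for the rest.
ZONE_WILDCARD = {
    reverse_name(DHCP_HOST): "host10.example.net",
    "*." + prefix64_reverse_name(DHCP_HOST): "somehost.example.net",
}

if __name__ == "__main__":
    for label, zone in (("generic", ZONE_GENERIC), ("wildcard", ZONE_WILDCARD)):
        for host in (DHCP_HOST, PRIV_HOST, RFC4941_HOST):
            print(label, host, resolve(zone, host))
```

Running it shows the trade-off the thread argues about: in the generic-privacy zone the plain RFC 4941 address gets nothing, because the resolver has no safe way to tell it from a DHCPv6 address and so never issues the joker query; in the wildcard zone every address in the /64 resolves through the ordinary full-address query, which is why no resolver change is needed, at the price of telling the querier nothing beyond "some host on that link".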
_______________________________________________
IETF mailing list
[email protected]
http://www.ietf.org/mailman/listinfo/ietf