[EMAIL PROTECTED] writes:

> 2. Packet filtering
>
> A stateless filter cannot test the lowest address bits, because
> being stateless it does not know which suffices are in use at any
> moment.

What do you mean by a stateless filter?

> Previously the stateless filter could limit subnet address
> scans effectively by passing only a very small set of
> suffices. After RFC3041 it will pass a scan of up to 2^64
> addresses. If the scanned node connects using a slow PPP link
> (e.g. a 3GPP mobile node), the scan will block its link.

I don't follow what you mean here. Could you please explain.

> 3. The suffix as a covert channel

Not sure this is much of an issue personally. Seems like there are
more effective and less painful ways of compromising communication
channels.

> 4. Leaking the global identity
>
> The new "random" addresses are created in a deterministic manner
> (RFC3041 3.2.1. "When Stable Storage Is Present"). The software
> vendor can therefore predict every future suffix used by the node,
> or identify the node as soon as one suffix has been detected.

I don't follow this. Knowing the algorithm and knowing one point in
the sequence space isn't sufficient to predict future (or determine
past) values of the interface identifier. You also need to know some
other state information (e.g., the MAC address), which is not
generally available.

> The suffix sequence can be seeded using the Ethernet address *and*
> the serial number of the software licence, leaking even more
> identity information than what a single fixed address would. Both of
> these identifiers can be narrowed down to a rather small subset of
> the available namespace by guessing. The time when the node came
> on-line for the first time can be used as guidance.

Again, knowing one point in the sequence of random numbers is not
enough to figure out what previous or future values will be. Also
3041 says nothing about using software licence number to seed the
sequence.

> If the suffix is generated using MD5 as suggested in RFC3041, an
> ephemeral identity can be recovered by anyone, by brute forcing the
> missing 64 bits of initial state from two consecutive suffices. The
> processing expense is not prohibitively high, and is getting lower
> all the time. This works also in the "absence of stable storage"
> mode.

It's prohibitive enough that folks won't bother to do this on a
massive scale (i.e., for lots of addresses). That seems good enough
for the purposes defined in the 3041.

Thomas
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
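The exchange above turns on how RFC 3041 section 3.2.1 chains temporary interface identifiers: MD5 over the stored history value concatenated with the node's stable identifier, the left 64 bits (u/l bit cleared) become the published suffix and the right 64 bits become the next, never-published history value. The following model is an added illustration written for this page; it is not code from the thread, from RFC 3041 or from any implementation. The function names, the sample stable identifier and the all-zero starting history are constructed for the demo. It shows the generation step, the "no stable storage" random seeding, and why feeding an observed suffix back into the algorithm (knowing the algorithm and the stable identifier but not the hidden history) does not yield the node's real next suffix.

```python
"""Worked model of RFC 3041 section 3.2.1 temporary interface identifiers.

Added example for this page, not code from the RFC or the mailing-list thread.
Values marked 'constructed' are sample inputs for the demo, not real addresses.
"""
import hashlib
import secrets
from typing import List, Tuple

IID_LEN = 8  # an IPv6 interface identifier is 64 bits


def next_temporary_iid(history: bytes, stable_iid: bytes) -> Tuple[bytes, bytes]:
    """One round of RFC 3041 3.2.1 (steps 2 to 5).

    MD5 over (history || stable IID); the leftmost 64 bits with the u/l bit
    cleared become the public temporary IID, the rightmost 64 bits become the
    new secret history value. Returns (temporary_iid, new_history).
    """
    if len(history) != IID_LEN or len(stable_iid) != IID_LEN:
        raise ValueError("history and stable IID must each be 64 bits")
    digest = hashlib.md5(history + stable_iid).digest()
    left, right = digest[:IID_LEN], digest[IID_LEN:]
    # Bit 6 (leftmost bit numbered 0) is the universal/local bit; clearing it
    # marks the identifier as locally administered, as the RFC requires.
    temporary = bytes([left[0] & 0xFD]) + left[1:]
    return temporary, right


def temporary_iid_sequence(history: bytes, stable_iid: bytes, n: int) -> List[bytes]:
    """The first n temporary IIDs a node generates from a given starting state."""
    out = []
    for _ in range(n):
        iid, history = next_temporary_iid(history, stable_iid)
        out.append(iid)
    return out


def initial_history_without_stable_storage() -> bytes:
    """RFC 3041 3.2.2: with no stable storage, seed the history randomly at boot."""
    return secrets.token_bytes(IID_LEN)


def next_iid_from_public_suffix_only(observed_iid: bytes, stable_iid: bytes) -> bytes:
    """What an observer who knows the algorithm and the stable IID, but not the
    64-bit history value, gets by feeding an observed suffix back in. It does not
    match the node's real next suffix: the chaining input is the hidden right
    half of the digest, never the published left half."""
    iid, _ = next_temporary_iid(observed_iid, stable_iid)
    return iid


# Constructed sample state for the demo (not a real MAC-derived identifier).
SAMPLE_STABLE_IID = bytes.fromhex("021122fffe334455")
SAMPLE_HISTORY = bytes(IID_LEN)  # all-zero starting history, constructed

if __name__ == "__main__":
    seq = temporary_iid_sequence(SAMPLE_HISTORY, SAMPLE_STABLE_IID, 3)
    for i, iid in enumerate(seq):
        print(f"temporary IID {i}: {iid.hex()}")
    guess = next_iid_from_public_suffix_only(seq[0], SAMPLE_STABLE_IID)
    print("guess from public suffix alone:", guess.hex(), "matches:", guess == seq[1])
```

The point the model makes concrete is the one Thomas raises: the published suffix and the chaining state are different halves of the same digest, so an observer holding one suffix still lacks the 64 bits of history that determine the next one. That is also exactly the state the quoted text proposes to brute force, which is why the cost of that search, not the determinism of the algorithm, is what the two sides actually disagree about.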
