Hi Francis/All,

In <draft-dupont-ipv6-rfc3041harmful-00.txt> titled "RFC 3041 considered harmful" Francis argues that rfc 3041 gives no privacy benefit whilst increasing complexity and making DDoS attacks easier.

IMO section 2 which states that privacy extensions "... give only complexity with no benefit" is logically flawed. I quote the relevant sentences from section 2 below

______________________________

"Note the interface identifier is only the half of the whole address, and to change the interface identifier when the prefix remains the same shall not improve the privacy... There are only two cases where privacy extensions can be justified: where the link has a very high number of nodes or ......"

______________________________

I argue that the number of nodes on the link has little to do with existence of privacy for the following reasons:-

Defn: Privacy is achieved if when a node X corresponds with a server S, the server S cannot 'unambiguously' associate the IP addr for Node X with the physical machine.

If you agree with the defn.....

Consider a link with 2 nodes (low number of nodes) X and Y each changing its suffix as prescribed in 3041. When one of these nodes, Node X contacts a server with addr A1, can the server later unambiguously associate that IP with this node? The answer is No; since the other node, node Y could have had the address A1.

The key to the argument is that it is not enough to have a high probability of association of an address with a physical machine to say that privacy is broken. The proof of the pudding is to check whether correspondences of the Node whose privacy is in question can be tracked. For instance in our 2 node example, multiple servers could not correlate based on addr A1 to track traffic patterns for the machine associated with node X.

Best Regards,
Kaustubh

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
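
Added example (not part of the original message or of the draft it discusses): a small simulation of the two-node link described above, using the interface-identifier procedure from RFC 3041 section 3.2.1 (MD5 over history value plus EUI-64). The prefix, the EUI-64 identifiers and the initial history values are constructed, and server_groupings is a hypothetical helper showing what a server can group from source addresses alone.

```python
import hashlib
import ipaddress
from collections import Counter

PREFIX = int(ipaddress.IPv6Address("2001:db8:0:1::"))  # constructed /64 (documentation range)

def next_temp_iid(history, eui64):
    """One round of RFC 3041 section 3.2.1: returns (temporary IID, new history)."""
    digest = hashlib.md5(history + eui64).digest()
    iid = bytearray(digest[:8])      # left-most 64 bits of the digest
    iid[0] &= 0xFD                   # clear bit 6 (universal/local) -> local scope
    return bytes(iid), digest[8:]    # right-most 64 bits become the next history

def temp_addresses(eui64, seed, rounds):
    """Successive temporary addresses of one node under the fixed link prefix."""
    history, addrs = seed, []
    for _ in range(rounds):
        iid, history = next_temp_iid(history, eui64)
        addrs.append(ipaddress.IPv6Address(PREFIX | int.from_bytes(iid, "big")))
    return addrs

def server_groupings(sources):
    """Session counts a server can build from source addresses alone."""
    by_address = Counter(sources)
    by_prefix = Counter(int(a) >> 64 for a in sources)
    return by_address, by_prefix

# Constructed nodes: EUI-64 identifiers and initial history values are made up.
NODE_X = temp_addresses(bytes.fromhex("020000fffe000001"), b"seed-X..", 3)
NODE_Y = temp_addresses(bytes.fromhex("020000fffe000002"), b"seed-Y..", 3)

if __name__ == "__main__":
    by_address, by_prefix = server_groupings(NODE_X + NODE_Y)
    for addr, n in by_address.items():
        print(addr, "sessions:", n)
    print("distinct addresses:", len(by_address), "distinct /64 prefixes:", len(by_prefix))
```

Grouping by full address yields one bucket per temporary address, while grouping by /64 yields a single bucket for the link that does not distinguish node X from node Y.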
