On Fri, 30 Aug 2002, David Terrell wrote:
> > Thanks for checking the rfc3041 considered harmful draft.
> 
> Interesting read.  A few points --
> The idea that attackers could use privacy addresses to obscure the
> source of attacks is interesting, but that's really an artifact of
> the /64 prefix per link; conversely, uRPF checks should be enough to
> quickly locate an administrative contact for the site in question
> at least -- spoofed packets are a problem when you cannot identify
> the source at all.

Experience has shown (i.e. looking at how far wrongly source-addressed
packets get into our network) that uRPF or any kind of ACL'ing is not all
that commonplace.

> It would be nice to see CPE routers perhaps track ethernet addresses
> and map privacy addresses to local interfaces and log that information
> to a local host for perusal later during a security incident analysis,
> but otherwise I don't see how 3041 isn't an adequate answer to the
> specific problem of "privacy in IPv6 as related to using EUI-64", 
> not the wider problem of "general privacy in IPv6."  That's a much
> harder problem to solve.

I think the problem is more of a generic sort.  Consider an
often-seen discussion:

 Q: An IPv6 address is quite long, it has a MAC-address-based part, etc.  Isn't
it trackable..?
 A: Look at RFC3041!

I.e. RFC3041 is often provided as a patch-all for everything about
privacy.  When people use RFC3041, they may think they're "safe".  That's
wrong.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
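The CPE-router idea raised in the quoted text (map privacy addresses to link-layer addresses and log the mapping for later incident analysis) as an added example, not code from this thread or from any of its authors: it parses constructed `ip -6 neigh` output, tells EUI-64-derived identifiers apart from RFC 3041 style ones (and flags an EUI-64-shaped identifier that does not match the neighbor's actual MAC), and emits log lines for off-box storage. The sample lines, MACs, addresses and function names are all constructed assumptions.

```python
import ipaddress

# Constructed neighbor-cache lines in `ip -6 neigh` format (documentation
# prefix 2001:db8::/32, made-up MACs); not taken from any real network.
SAMPLE_NEIGH = """\
2001:db8:1::21a:2bff:fe3c:4d5e dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
2001:db8:1::a8f3:9e21:77c0:1d0b dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE
fe80::21a:2bff:fe3c:4d5e dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
2001:db8:1::4d21:e0aa:b9c3:d7e dev eth1 lladdr 08:00:27:aa:bb:cc DELAY
2001:db8:1::a2aa:bbff:fecc:ddee dev eth1 lladdr 08:00:27:aa:bb:cc STALE
2001:db8:1::dead dev eth0 FAILED
"""

def eui64_from_mac(mac):
    """Modified EUI-64 interface identifier derived from a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", ""))
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def classify(addr, mac):
    """How the interface identifier of addr relates to the neighbor's MAC."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid == eui64_from_mac(mac):
        return "eui64"            # identifier is the MAC itself: trivially trackable
    if iid[3:5] == b"\xff\xfe":
        return "eui64-other-mac"  # EUI-64 shape, but built from some other MAC
    if iid[0] & 0x02:
        return "other"            # u/l bit set; RFC 3041 clears it in temporary addresses
    return "temporary"            # RFC 3041 style (or a manually chosen identifier)

def parse_neigh(text):
    """Parse `ip -6 neigh` lines; entries without lladdr (e.g. FAILED) are dropped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[1] != "dev" or f[3] != "lladdr":
            continue
        records.append({"addr": f[0], "dev": f[2], "mac": f[4],
                        "kind": classify(f[0], f[4])})
    return records

def lookup(records, addr):
    """Incident-analysis question: which interface and MAC used this address?"""
    want = ipaddress.IPv6Address(addr)
    return sorted({(r["dev"], r["mac"]) for r in records
                   if ipaddress.IPv6Address(r["addr"]) == want})

def log_lines(records, ts):
    """Syslog-style lines to ship off-box so the mapping outlives the cache entry."""
    return [f"{ts} dev={r['dev']} mac={r['mac']} kind={r['kind']} addr={r['addr']}"
            for r in records]
```

A neighbor cache only holds the mapping while the entry is live, so the log lines are what an analyst would actually have weeks later.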
