On Fri, 11 Jul 2003, Michael Hunter wrote:
> On Fri, 11 Jul 2003 22:40:29 +0300 (EEST)
> Pekka Savola <[EMAIL PROTECTED]> wrote:
> > On Fri, 11 Jul 2003, Michael Hunter wrote:
> >
> > > On Fri, 11 Jul 2003 08:00:36 +0300 (EEST)
> > > Pekka Savola <[EMAIL PROTECTED]> wrote:
> > >
> > > [...]
> > > > > > The other one is: if a NIQ is sent to a RFC3041 address, do you reply to
> > > > > it? My take is that by default, you should not and have a switch to
> > > > > override.
> > > >
> > > > But I fail to see any use for this. Typically when you implement these, I
> > > > think they'll listen to all addresses ("any incoming packet"). It seems
> > > > that disabling one set of addresses and even giving users a toggle of
> > > > rather little value would be useless. But of course, one might have to
> > > > implement differently too.
> > >
> > > The association between RFC3041 addresses and other addresses is what you
> > > want to protect. If you let a 3rd party discover that association with
> > > NIQ then you've removed the little usefulness that RFC3041 addresses have.
> >
> > Please re-read what you write.
> >
>
> I'm not understanding the following so I apologize if my response isn't
> to your point.

Sorry if I was unclear..

> > What you're implying is that those you're worried about would learn your
> > "true identity" and not RFC3041 would ones allowed to send NIQ's to you
> > and you'd actually answer them?
>
> So the issue I was attempting to communicate was that the association
> between your RFC3041 address(es) and your other addresses was something
> you wanted to protect. The following two points need to be protected
> at the same level:
>
> 1) Somebody sending a request to a non-RFC3041 address and discovering
> your RFC3041 address(es).
>
> 2) Somebody sending a request to a RFC 3041 address and discovering your
> other addresses/name which resolves to other addresses.
>
> If you think one is important, I believe you should think both are
> important.

True. But now comes my actual point: you're making an assumption that all
nodes in the Internet (basically) would answer to NIQ's from everywhere,
and consequently there would be some information to disclose.

I don't think this is reasonable.

If you can't trust the guy whose NIQ's you're answering to enough that you
need to obfuscate the association between RFC3041 and non-RFC3041
addresses, you shouldn't be answering those NIQ's at all.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------