On Sep 4, 2013, at 4:43 AM, S.P.Zeidler <[email protected]> wrote:

> Hi,
>
> Thus wrote Jens Link ([email protected]):
>
>> I think vendors should put some sensible defaults in place, e.g. no
>> SLAAC, no privacy extensions, no temporary addresses on servers.
>
> I don't think this is really something the OS should do.
> If a program requests a specific address when building a socket, and that
> address is configured at all, it gets it on every OS I'm aware of.
>
> In an IPv6 world, network services (aka, smtp, http, dns, .. servers)
> should -always- be bound (and bindable) to specific addresses both for
> incoming and outgoing connections. It's not funny if your smtp server
> tries to deliver through the firewall with its http server address, which
> is then Not Allowed (tm) :)
Yes, disabling IPv6 privacy addresses makes tons of things easier -- including traffic analysis. One of the primary purposes of IPv6 privacy addresses was to antagonize traffic analysis and discourage one of the justifications to create a NAPT66 device (as one of the justifications for NAPT is to antagonize traffic analysis). http://tools.ietf.org/html/rfc4941#section-2 has lots of good details.

(And I know privacy information is leaked at upper layers; there are constant attempts at those layers to reduce their privacy leakage and it doesn't excuse exposing privacy at layer 3).

-d

>
> regards,
> spz
> --
> [email protected] (S.P.Zeidler)
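spz's point above is that a service should be bound to a specific address for both its listening and its outgoing sockets, and that a requested source address is honoured whenever it is configured on the host. The following is an added example written for this thread, not code from either poster; it pins the source of an outgoing TCP connection with bind() before connect() and shows the failure mode when the requested address is not configured. It assumes ::1 (IPv6 loopback) is configured and that 2001:db8::1 (documentation prefix) is not; both are constructed test addresses.

```python
import errno
import socket
import threading

# Constructed example addresses (assumptions, not from the thread):
# ::1 is the IPv6 loopback and assumed configured; 2001:db8::1 is from the
# documentation prefix and assumed NOT configured on this host.
CONFIGURED_ADDR = "::1"
UNCONFIGURED_ADDR = "2001:db8::1"


def listen_on(addr):
    """Bind a listener to one specific address rather than the wildcard '::'.
    The kernel picks an ephemeral port; returns the listening socket."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((addr, 0))
    srv.listen(1)
    srv.settimeout(5)
    return srv


def connect_from(src_addr, dst):
    """Open an outgoing connection whose source address is pinned by calling
    bind() before connect(), instead of letting source address selection pick
    whatever address the kernel prefers. Returns the local (addr, port) used."""
    cli = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    cli.settimeout(5)
    try:
        cli.bind((src_addr, 0))  # pin the source; raises if src_addr is not configured
        cli.connect(dst)
        return cli.getsockname()[:2]
    finally:
        cli.close()


def pinned_connection():
    """Listener on one address, client sourcing from one address.
    Returns (source the client actually used, source the listener saw)."""
    srv = listen_on(CONFIGURED_ADDR)
    port = srv.getsockname()[1]
    seen = {}

    def accept_one():
        conn, peer = srv.accept()
        seen["peer"] = peer[0]
        conn.close()

    t = threading.Thread(target=accept_one)
    t.start()
    try:
        local = connect_from(CONFIGURED_ADDR, (CONFIGURED_ADDR, port))
    finally:
        t.join()
        srv.close()
    return local[0], seen["peer"]


def bind_to_unconfigured():
    """Requesting a source address the host does not have must fail loudly
    rather than silently falling back to some other address.
    Returns the symbolic errno name raised, or None if bind() succeeded."""
    cli = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    try:
        cli.bind((UNCONFIGURED_ADDR, 0))
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        cli.close()


if __name__ == "__main__":
    print("pinned connection (client used, server saw):", pinned_connection())
    print("bind to unconfigured address raised:", bind_to_unconfigured())
```

The second function is the check worth keeping in a deployment script: a daemon whose configured source address has gone missing (for example a temporary address that expired) gets EADDRNOTAVAIL at bind() time, which is far easier to diagnose than an SMTP connection quietly leaving with the HTTP server's address and being dropped by the firewall.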
