I am not trying to do anything like NAT. My question does not involve translation at all.
I am interested in improving the hiding capability of "client" nodes on any network by not autoconfiguring a global-scope address that incorporates any portion of any unique identifier (like a MAC address) on my interface. My privacy-only addressing scheme would give me a globally-routable address. I would be forgoing peer-to-peer capability, but no more so than a host that used only stateless autoconfiguration. So, nothing to do with NAT.

John Spence, Director, IPv6 Technical Operations
Command Information (HQ: Herndon VA)
2001 6th Avenue, Suite 3210, Seattle, Washington 98121
w: 206.448.5553 m: 425.260.0112
[EMAIL PROTECTED]

-----Original Message-----
From: Eric Klein [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 11:02 AM
To: [email protected]
Subject: Re: Is there any provision in privacy addressing, autoconfiguration, or ND specifications to have privacy address and *not have* autoconfigured addresses?

Comment at the end.

John Spence wrote:
> So, let me revise my comment, focusing on requirements.
>
> I would like the capability to have an interface construct a link-local
> address via some mechanism (EUI-64 from MAC, as an example) as normal,
> then configure a privacy address, all without autoconfiguring a
> global-scope address from the RA being sent on the subnet (there would
> be no valid or preferred global-scope addresses containing the MAC).
> This interface would be harder to scan for from off-link, since the only
> valid global-scope address would be a privacy address - no
> autoconfigured address embedding FFFE or a small set of OUIs (there are
> probably only a few hundred OUIs really in wide deployment) would be
> configured on the interface.
>
> This could be accomplished, I think, by allowing the node to passively
> listen to RAs, to learn the valid /64 prefixes assigned to the link, and
> then global-scope privacy addresses could be configured. Perhaps the
> node could allow a configuration option like "USE_PRIVACY_ONLY=yes".
> Other interfaces on other nodes on the subnet could use
> autoconfiguration, either with or without privacy addresses, as desired.
>
> The result would be a privacy address that not only protected my privacy
> for outbound sessions, but improved my stealthiness from off-link
> attackers as well.
> This is not supported today, I do not believe, but I think it would be a
> valuable tool for administrators to have. What is your opinion?

This sounds remarkably like you are trying to recreate RFC1918 addresses to me or to mimic NAT, both of which are (currently) being kept out of IPv6.

Please see draft: IPv6 Network Architecture Protection
http://www.ietf.org/internet-drafts/draft-ietf-v6ops-nap-03.txt
for an explanation as to why these are not encouraged in IPv6.

Eric

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
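The scanning argument in the quoted message, worked through in code. This is an added example, not part of the thread and not code from any IPv6 stack: it builds the modified EUI-64 interface identifier (RFC 4291 Appendix A) from a MAC, so the ff:fe marker and the OUI are visible in the resulting address; builds an RFC 4941 style temporary identifier from random bits; and runs the check an off-link scanner (or a defender auditing a neighbor cache) would apply to tell the two apart and recover the MAC where it is embedded. The prefix 2001:db8:1234:5678::/64, the MAC 00:1c:42:aa:bb:cc and the address list are constructed inputs.

```python
"""EUI-64 versus RFC 4941 interface identifiers and a MAC-recovery check.

Added example for the mailing-list thread above; all inputs are constructed.
"""
import ipaddress
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample inputs: a /64 as learned from an RA, and one host MAC.
PREFIX = "2001:db8:1234:5678::/64"
SAMPLE_MAC = "00:1c:42:aa:bb:cc"


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A).

    Insert ff:fe between the OUI and the NIC-specific half of the MAC, then
    invert the universal/local bit (0x02 in the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_iid() -> bytes:
    """RFC 4941 style temporary identifier.

    64 random bits with the universal/local bit cleared (0x02 in the first
    octet) to mark the identifier as locally significant. Nothing in it is
    derived from the hardware address.
    """
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear the 0x02 bit
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix (as advertised in an RA) with a 64-bit IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None otherwise.

    This is the scanner's filter: only identifiers with ff:fe in octets 3-4
    can carry a MAC, and once the OUI is known only the low 24 bits remain
    to enumerate. Works for link-local and global addresses alike, since
    the identifier is the low 64 bits in both cases.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def classify_addresses(addrs: Iterable[str]) -> Dict[str, str]:
    """Label each address as EUI-64 derived (with the MAC) or opaque."""
    result = {}
    for addr in addrs:
        mac = mac_from_eui64_address(addr)
        result[addr] = f"eui64 mac={mac}" if mac else "opaque"
    return result


if __name__ == "__main__":
    autoconf = slaac_address(PREFIX, eui64_iid(SAMPLE_MAC))
    temporary = slaac_address(PREFIX, random_iid())
    # Constructed list standing in for a neighbor cache or flow log.
    seen = [autoconf, temporary, "fe80::21c:42ff:feaa:bbcc"]
    for addr, label in classify_addresses(seen).items():
        print(f"{addr:40} {label}")
```

With the sample inputs the autoconfigured global address comes out as 2001:db8:1234:5678:21c:42ff:feaa:bbcc and the check recovers 00:1c:42:aa:bb:cc from it, while the temporary address is labelled opaque. That asymmetry is the point of the quoted proposal: with the ff:fe marker and a few hundred OUIs in wide use, a scanner's candidate space per /64 is a few hundred times 2^24 rather than 2^63, so an interface whose only global address is a privacy address is not findable by that shortcut, even though its link-local address may still embed the MAC. Later standards addressed the same concern from a different angle: RFC 7217 defines stable but opaque identifiers that do not embed the MAC, and RFC 8064 recommends them over EUI-64 as the default.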
