below...

On 2012-04-10 01:08, Dave Thaler wrote:
> Brian Carpenter writes:
>> On 2012-03-27 20:33, Brian Haberman wrote:
>> ...
>>> A. Prefer public addresses over privacy addresses
>>>
>>> B. Prefer privacy addresses over public addresses
>> In terms of a general default in shipped IPv6 stacks, I prefer B, but it has
>> to be qualified:
>>
>> There MUST be a user option to change this preference.
>
> That wording would be confusing, as there's a distinction between an
> (unprivileged) user and a (privileged) admin. It would be a security
> vulnerability if an unprivileged user could change a system-wide setting.
>
>> There SHOULD be a network manager option to change this preference.
>
> Similarly, the term "network manager" is also confusing. It would be a
> security vulnerability if an untrusted user on the network could change
> a system-wide setting locally.
>
>> The rationale for this is that we need privacy by default in shipped
>> products, with the ability for the person deploying the product to
>> override this.
>
> I (and I gather from the +1's that many others) agree with having a config
> knob to reverse the preference. The doc already has text about that on a
> *per-app* basis, but not system-wide. The wording I propose to add is:
>
> "There SHOULD be an administrative option to change this preference, if
> the implementation supports privacy addresses. If there is no such option,
> there MUST be an administrative option to disable privacy addresses."
>
> -Dave

That works for me. Perhaps there also needs to be a general statement
in the security considerations that all administrative changes and options
MUST be secured against illicit use.

   Brian

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
