On 04/21/2012 06:10 AM, Mohacsi Janos wrote:
>>> The client application
>>> based on the policy should pick private or EUI-64 addresses.
>>
>> Just curious: Is there a specific use case for IEEE-derived addresses
>> that cannot be satisfied with draft-gont-6man-stable-privacy-addresses?
>
> The existing implementations. The most important factor of introduction
> of new standards to interoperate the existing ones. I think this should
> be documented in your draft.

Could you please clarify what you're referring to, specifically? -- i.e.,
this address generation mechanism is backwards-compatible.

> Furthermore there are several firewalls
> and monitoring tools which are generating warnings in case of IEEE-derived
> address and MAC mismatch. This has to be investigated and documented in
> the draft.

You mean that updated implementations would automatically generate
addresses differently? In this case, my take is that *updates* should
probably not enable this mechanism by default, or at the very least have
a system toggle to turn this feature off. For new devices (i.e.,
off-the-box rather than software-updated), this should probably be
enabled by default.

>>> I think the proper implementation of RFC 3041 or/and 4941 can solve your
>>> problem
>>
>> I don't follow. RFC 4941 generates addresses in addition to the stable
>> ones, so.. how could they possibly fix the scanning problem?
>
> I think the stability/network supervisor ability to track devices is
> enough justification for stable privacy addresses.

Agreed. But someone might argue that you can achieve this with IPv6
addresses that embed IEEE-identifiers or
randomized-but-stable-across-networks IIDs... but these fail to address
other problems.

> Scanning is not so
> important. I know there are several new techniques - I am warning about
> the possible methods for several years in my presentations.
> http://www2.garr.it/conf_05_slides/j_mohacsi-IPv6_sec.pdf

Will check your slides -- thanks for the pointer!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
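
The IEEE-derived address and MAC mismatch check mentioned in the thread, as an added example that is not part of the original messages and not the code of any firewall or monitoring tool. The function names, the result labels and the sample neighbor entries (documentation prefix 2001:db8::/32) are constructed for illustration; the ff:fe test is a heuristic for "looks IEEE-derived".

```python
import ipaddress

IID_MASK = (1 << 64) - 1


def eui64_iid_from_mac(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Invert the universal/local bit of the first octet and insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def classify(addr: str, mac: str) -> str:
    """Compare the low 64 bits of an IPv6 address with the MAC seen for the same neighbor."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    if iid == eui64_iid_from_mac(mac):
        return "eui64-match"
    # ff:fe in octets 3-4 of the IID means the address looks IEEE-derived,
    # but it does not correspond to the MAC observed on the link.
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64-mismatch"
    # Stable privacy or temporary (RFC 4941) IIDs normally land here.
    return "not-eui64"


# Constructed neighbor-table sample: (IPv6 address, link-layer address).
NEIGHBORS = [
    ("2001:db8::211:22ff:fe33:4455", "00:11:22:33:44:55"),
    ("2001:db8::211:22ff:fe33:4466", "00:11:22:33:44:55"),
    ("2001:db8::8d2f:51a3:77c0:e9b4", "00:11:22:33:44:55"),
]


def audit(neighbors):
    """Return (address, verdict) pairs; only 'eui64-mismatch' would warrant a warning."""
    return [(addr, classify(addr, mac)) for addr, mac in neighbors]


if __name__ == "__main__":
    for addr, verdict in audit(NEIGHBORS):
        print(f"{addr:<34} {verdict}")
```

A tool that warns only on "eui64-mismatch" stays quiet for an opaque stable IID, while one that warns on anything other than "eui64-match" would flag every host using the new mechanism.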
