On 25-10-2015 01:37, Fernando Gont wrote:
> ... as long as IPv6 addresses are not embedded in the app protocol.
>
> FWIW, I wouldn't go this way. ULAs (fd00::/8) serve a different purpose:
> e.g., still be able to communicate within your network if global
> connectivity/addressing fails.

The fact that every edge gets its own IP address (and generates it the way
it wants, at least with SLAAC) always scared me. With IoT getting more
and more traction, it's only a matter of time until we see the kind of
attacks and probing you suggested in your RFCs, if they aren't already
happening. And the fact that most CPEs being deployed are happily
routing traffic into our networks with no firewalling whatsoever scares
me even more. Most do not even begin to follow RFC 7084.

I found out that OpenBSD 5.8 indeed will prefer the privacy address for
EVERY outgoing connection, unless told otherwise. But I had to write a
very broad pf ruleset to avoid writing a script that detects every
time my privacy address changes and does the appropriate rule
reloading, among other things. I found that, at least on
5.8-stable, enclosing the interface name with () won't work with IPv6,
and the rules don't get reloaded when the addresses change.

I will (unfortunately) still use IPv4-based internal LANs, as long as
these IPv6 woes don't get sorted out. I think things will get much
worse, before they get better.

Cheers,
Giancarlo Razzolini