Re: ipv6 tentative address generation

2006-01-18 Thread eric
On Wed, 2006-01-18 at 00:18:23 -0600, Travers Buda proclaimed...

 I'm suggesting it as the default behavior. Ya' know, secure by default.

hostname.if(5) support eui-64 directives.



Re: ipv6 tentative address generation

2006-01-18 Thread Hugo Villeneuve
On Wed, Jan 18, 2006 at 10:29:34AM -0600, eric wrote:
 On Wed, 2006-01-18 at 00:18:23 -0600, Travers Buda proclaimed...
 
  I'm suggesting it as the default behavior. Ya' know, secure by default.
 
 hostname.if(5) support eui-64 directives.

eui64 fills the lower 64 bits the same way auto-configuration does
it. It has nothing to do with randomness.

It basically allows you to specify the network and have the interface
part filled for you. Like if you didn't want to run rtadvd(8) on
your network.

For me, that's how I give a real ipv6 address to the interface
rtadvd is listening on.

Not that I care about random data in the interface part. In fact,
I would find it quite annoying if my ipv6 address were changing at
every reboot. Like DNS wise.

-- 
Hugo Villeneuve [EMAIL PROTECTED]
http://EINTR.net/ 



Re: ipv6 tentative address generation

2006-01-18 Thread Paul de Weerd
On Wed, Jan 18, 2006 at 02:32:16PM -0500, Hugo Villeneuve wrote:
| On Wed, Jan 18, 2006 at 10:29:34AM -0600, eric wrote:
|  On Wed, 2006-01-18 at 00:18:23 -0600, Travers Buda proclaimed...
|  
|   I'm suggesting it as the default behavior. Ya' know, secure by default.
|  
|  hostname.if(5) support eui-64 directives.
| 
| eui64 fills the lower 64 bits the same way auto-configuration does
| it. It has nothing to do with randomness.
| 
| It basically allows you to specify the network and have the interface
| part filled for you. Like if you didn't want to run rtadvd(8) on
| your network.
| 
| For me, that's how I give a real ipv6 address to the interface
| rtadvd is listening on.
| 
| Not that I care about random data in the interface part. In fact,
| I would find it quite annoying if my ipv6 address were changing at
| every reboot. Like DNS wise.

Reading RFC3041 on Privacy Extensions for Stateless Address
Autoconfiguration in IPv6, in chapter 3 it clearly states that you
still have a fixed IP address (eui64) configured on your interface for
incoming connections. Only outgoing connections should be setup from
the temporary addresses (that should be used for hours to days). After
deprecating a random address, existing connections will continue
working until such a time that all these connections end.

With that being said, I still find the random addresses such as those
used by recent Microsoft IPv6 stacks very annoying. If I'd want to
keep my MAC address to myself, I'd probably just use a 'fixed' address
(network:dead:beef:cafe:babe/64) or, better yet, just spoof a MAC
address (using the lladdr option to ifconfig) - this way even folks on
the same broadcast domain couldn't pinpoint me by MAC (another
fruitless attempt at privacy, with pcmcia NIC's (and thus new
MAC/IPv6-addresses) costing almost EUR 10 at the local hardware
outlet).

I'd just stop obsessing over a feature that adds only marginally to
your privacy and/or security (since it adds code, it probably adds
bugs thereby decreasing security). If it's really such a big deal,
simply cough up a few diffs and I'd be willing to try them out.

Cheers,

Paul 'WEiRD' de Weerd

-- 
 http://www.weirdnet.nl/ 
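Hugo's description of how eui64 fills the interface identifier from the MAC, and the RFC 3041 temporary identifiers Paul summarises, worked through in Python as an added example (not code from this thread or from OpenBSD). The prefix and MAC are constructed sample values; random_iid is a simplification that uses plain random bytes instead of the RFC's MD5 history chain, and embedded_mac is the check that shows why a stable EUI-64 address ties traffic to one NIC.

```python
import ipaddress
import os
from typing import Optional


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC, as stateless
    autoconfiguration (and the hostname.if eui64 directive) derives it:
    OUI half, 0xfffe marker, NIC half, with the universal/local bit
    (0x02 of the first octet) inverted."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def random_iid(rand: Optional[bytes] = None) -> bytes:
    """Random 64-bit identifier in the spirit of RFC 3041 (simplified here:
    plain random bytes; the RFC chains MD5 over a stored history value).
    The universal/local bit is cleared to mark it as locally generated."""
    r = os.urandom(8) if rand is None else rand
    if len(r) != 8:
        raise ValueError("need exactly 8 random bytes")
    return bytes([r[0] & 0xFD]) + r[1:]


def address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with an interface identifier into text form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers fill a /64")
    addr = int(net.network_address) | int.from_bytes(iid, "big")
    return str(ipaddress.IPv6Address(addr))


def embedded_mac(addr: str) -> Optional[str]:
    """Recover the hardware address an EUI-64 based IPv6 address reveals,
    or None when the low 64 bits carry no 0xfffe marker. This is exactly
    the linkage the original post worries about: the same MAC shows up in
    the address on every network the host joins."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in raw)


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"  # constructed sample MAC
    fixed = address("2001:db8::/64", eui64_iid(mac))
    temp = address("2001:db8::/64", random_iid())
    print(fixed, "->", embedded_mac(fixed))  # reveals the MAC
    print(temp, "->", embedded_mac(temp))    # None
```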



Re: ipv6 tentative address generation

2006-01-18 Thread Damien Miller
On Wed, 18 Jan 2006, Travers Buda wrote:

 I'm suggesting it as the default behavior. Ya' know, secure by default.

by default we don't turn rtsold on.

If you want this now (i.e. while you are working on a full
implementation for us), then you can manually set a different
(randomly generated) lladdr in hostname.if which rtsol will
then use as the base for its generated address.

-d



Re: ipv6 tentative address generation

2006-01-17 Thread Ray Lai
On Tue, Jan 17, 2006 at 01:11:29AM -0600, Travers Buda wrote:
 Ipv6 allows for stateless configuration of an interface. The IEEE (aka 
 MAC or hardware address) is generally used to generate tentative 
 addresses which commonly end up being the assigned address provided 
 stateful addressing does not exist on the network (such as DHCP.) This 
 is the case in OpenBSD's import of KAME. 
 
 Since the same method to generate an IP is used over and over (the host 
 has an unchanging, persistent address,) the traffic generated and 
 received by hosts would be open to many forms of analysis not 
 necessarily confined to the computing world. For example, when someone is 
 at home, at work; what they access could be more easily tied to them 
 (and the hardware they use,) decreasing anonymity. 
 
 The problem and solution are outlined in RFC 3041. 
 http://www.ietf.org/rfc/rfc3041.txt
 
 The solution is to use random data to generate ipv6 stateless addresses. 
 
 Trying to be productive and not an asshole, 

Is there a question?

If you wish to generate random ipv6 stateless addresses,
``jot -rs: -w%.2x 6 0 255'' and ifconfig(8) work.

-Ray-



Re: ipv6 tentative address generation

2006-01-17 Thread Travers Buda
On Tuesday 17 January 2006 07:21, Ray Lai wrote:
 On Tue, Jan 17, 2006 at 01:11:29AM -0600, Travers Buda wrote:
  Ipv6 allows for stateless configuration of an interface. The IEEE
  (aka MAC or hardware address) is generally used to generate
  tentative addresses which commonly end up being the assigned
  address provided stateful addressing does not exist on the network
  (such as DHCP.) This is the case in OpenBSD's import of KAME.
 
  Since the same method to generate an IP is used over and over (the
  host has an unchanging, persistent address,) the traffic generated
  and received by hosts would be open to many forms of analysis not
  necessarily confined to the computing world. For example, when someone
  is at home, at work; what they access could be more easily tied to
  them (and the hardware they use,) decreasing anonymity.
 
  The problem and solution are outlined in RFC 3041.
  http://www.ietf.org/rfc/rfc3041.txt
 
  The solution is to use random data to generate ipv6 stateless
  addresses.
 
  Trying to be productive and not an asshole,

 Is there a question?

 If you wish to generate random ipv6 stateless addresses,
 ``jot -rs: -w%.2x 6 0 255'' and ifconfig(8) work.

 -Ray-

I'm suggesting it as the default behavior. Ya' know, secure by default.

Travers Buda