Default security functions on an IPv6 CPE
Doug Barton
dougb at dougbarton.us
Tue May 31 00:21:38 CEST 2011

On 05/30/2011 15:08, Fernando Gont wrote:
> Hi, Fred,
>
> On 05/30/2011 06:53 PM, Fred Baker wrote:
>>>> Privacy addresses are the answer here; software initiating connectivity
>>>> should be doing so from temporary addresses, and other software
>>>> listening for incoming connectivity should only be doing so from the
>>>> public address.
>>>
>>> FWIW, I was told recently that Windows 7 implements some sort of
>>> *privacy* addresses, rather than *temporary* addresses -- they do not
>>> have modified EUI-64 format identifiers, but do not change as frequently
>>> as temporary addresses.
>>
>> I believe they implement
>>
>> http://www.ietf.org/rfc/rfc4941.txt
>> 4941 Privacy Extensions for Stateless Address Autoconfiguration in
>>       IPv6. T. Narten, R. Draves, S. Krishnan. September 2007. (Format:
>>       TXT=56699 bytes) (Obsoletes RFC3041) (Status: DRAFT STANDARD)
>
> Christian Huitema had noted on 6man@ that they generate IPv6 addresses
> as a result of a hash function that includes the prefix. i.e., the
> address (IID) varies from network to network, but is constant within the
> network.

Yeah, my understanding is that it's not quite 4941, it's what I
not-really-jokingly refer to as the Microsoft embrace and extend 4941
work-alike. In this particular case the differences don't seem to
actually hurt anything, however, so points for that. :)

Doug
-- 
	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go
	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
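
Added example, not part of the original message and not Microsoft's actual algorithm: it contrasts the three interface-identifier behaviours discussed in this thread (modified EUI-64, temporary, and a hash that includes the prefix) and checks which of them expose the MAC address. SHA-256, the hash input layout, the host secret, the MAC and the 2001:db8::/32 documentation prefixes are assumptions constructed for illustration.

```python
import hashlib
import ipaddress
import os

def make_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier (IID)."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64: ff:fe inserted into the MAC, universal/local bit flipped."""
    m = bytes.fromhex(mac.replace(":", ""))
    return make_address(prefix, bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:])

def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """Temporary-style address: fresh random IID on every call (simplified;
    RFC 4941 derives it from a hash history, and also clears the u bit)."""
    r = os.urandom(8)
    return make_address(prefix, bytes([r[0] & 0xFD]) + r[1:])

def per_network_address(prefix: str, secret: bytes) -> ipaddress.IPv6Address:
    """Hash that includes the prefix: stable on one network, different on another.
    SHA-256 and the input layout are assumptions made for this example."""
    net = ipaddress.IPv6Network(prefix)
    digest = hashlib.sha256(net.network_address.packed[:8] + secret).digest()
    return make_address(prefix, digest[:8])

def recover_mac(addr: ipaddress.IPv6Address):
    """Return the MAC embedded in a modified EUI-64 IID, or None if absent."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    MAC, SECRET = "00:11:22:33:44:55", b"constructed-host-secret"  # constructed
    for net in ("2001:db8:a::/64", "2001:db8:b::/64"):  # documentation prefixes
        for label, a in (("eui-64", eui64_address(net, MAC)),
                         ("temporary", temporary_address(net)),
                         ("per-network", per_network_address(net, SECRET))):
            print(f"{net:18} {label:12} {a}  mac={recover_mac(a)}")
```

The EUI-64 rows show the same recoverable MAC on both prefixes, while the per-network rows show an identifier that is repeatable on one prefix and unrelated on the other.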