Default security functions on an IPv6 CPE

Fernando Gont fernando at gont.com.ar
Tue May 31 02:07:03 CEST 2011


On 05/30/2011 07:59 PM, Mark Smith wrote:
> Fernando Gont <fernando at gont.com.ar> wrote:
> 
>> On 05/30/2011 07:21 PM, Doug Barton wrote:
>>
>>>> Christian Huitema had noted on 6man@ that they generate IPv6 addresses
>>>> as a result of a hash function that includes the prefix. i.e., the
>>>> address (IID) varies from network to network, but is constant within the
>>>> network.
>>>
>>> Yeah, my understanding is that it's not quite 4941, it's what I
>>> not-really-jokingly refer to as the microsoft embrace and extend 4941
>>> work-alike. In this particular case the differences don't seem to
>>> actually hurt anything however, so points for that. :)
>>
>> Well, it does help privacy -- provided you think that temp addresses
>> help in that area (many argue that they don't, though)
>>
> 
> What are their arguments?

IIRC, one of the arguments was that, if e.g. there's a single host
active in a given subnet, even if it varies its address, it's easy to
figure out that it's simply the same host varying its Interface ID
(particularly when the address itself is claiming that it is a temporary
address ;-) ).

See, e.g.:
Escudero, A. 2002. PRIVACY EXTENSIONS FOR STATELESS ADDRESS
AUTOCONFIGURATION IN IPV6 - "REQUIREMENTS FOR UNOBSERVABILITY".
RVK02, Stockholm. Available at:
http://web.it.kth.se/~aep/PhD/docs/paper3-rvk2002.pdf

Thanks,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
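
Added example, not part of the original message and not the algorithm of any vendor named in the thread: a sketch of an Interface ID taken from a hash that includes the prefix, next to a classic EUI-64 IID, with the cross-network correlation an observer can run on each. SHA-256, the per-host secret, the sample MAC and prefixes, and all function names are assumptions made for illustration.

```python
import hashlib
import ipaddress
from collections import defaultdict

def eui64_iid(mac: str) -> int:
    """Classic SLAAC IID: MAC with ff:fe inserted and the U/L bit flipped."""
    b = bytes.fromhex(mac.replace(":", ""))
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def hashed_iid(prefix: str, secret: bytes) -> int:
    """IID from a hash whose input includes the /64 prefix (assumed construction)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    digest = hashlib.sha256(net.network_address.packed[:8] + secret).digest()
    return int.from_bytes(digest[:8], "big")

def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit IID."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def iids_seen_in_multiple_prefixes(addresses):
    """Observer's view: IIDs that recur under more than one /64."""
    prefixes_by_iid = defaultdict(set)
    for addr in addresses:
        value = int(ipaddress.IPv6Address(addr))
        prefixes_by_iid[value & (2**64 - 1)].add(value >> 64)
    return {iid for iid, seen in prefixes_by_iid.items() if len(seen) > 1}

# Constructed sample data: documentation prefixes and a documentation MAC.
HOME, CAFE = "2001:db8:1:1::/64", "2001:db8:2:2::/64"
MAC = "00:00:5e:00:53:01"
SECRET = b"constructed-per-host-secret"

def demo():
    """Addresses the same host would use on both networks, per scheme."""
    eui = [make_address(p, eui64_iid(MAC)) for p in (HOME, CAFE)]
    hashed = [make_address(p, hashed_iid(p, SECRET)) for p in (HOME, CAFE)]
    return eui, hashed

if __name__ == "__main__":
    eui, hashed = demo()
    print("EUI-64:", *eui)
    print("hashed:", *hashed)
    print("EUI-64 IIDs linkable across networks:", len(iids_seen_in_multiple_prefixes(eui)))
    print("hashed IIDs linkable across networks:", len(iids_seen_in_multiple_prefixes(hashed)))
```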






More information about the ipv6-ops mailing list