Over-utilisation of v6 neighbour slots

Phil Mayers p.mayers at imperial.ac.uk
Thu Oct 24 12:15:36 CEST 2013


On 24/10/2013 10:59, Benedikt Stockebrand wrote:

>> And it provides negligible - perhaps zero - improvement in privacy.
>
> Sorry, but I disagree on that.  While you may be right when it comes to

Ah, I was unclear:

Privacy addresses are fine - no problem with them.

What I meant is that the specific strategy Apple devices seem to be 
using to re-generate them - on link-up - provides little or no benefit 
*above* a per-link & time-based rollover.

>> I assert that rolling the address on a timer, not on power/link
>> activity, is the intent of the RFCs, and the desired behaviour, and
>> that Apple are doing the wrong thing here.
>
> This is too simple: If I want to avoid people/devices being tracked when
> moving from one link to another, then I need to use a new temporary

Sorry, again I was unclear: of course the strategy needs to be more 
involved than just a global timer. Clearly address rollover needs to be 
per-link - probably per prefix&link.

> As a substitute for the SSID, the IP address(es) of the router(s) could
> be used to check if a device connects to the same link again.  But then,
> this doesn't provide any crypto protection, so it can be used to spoof
> things.

Or just per prefix, as seen in the RAs, which are present on every link.

Specific strategies for determining the domain within which a privacy 
address is valid for a specific time are many and varied.

>
>> In the long run, a move to RAM-based trie lookups seems to be the way
>> to go for FIBs, for the superior power use characteristics if nothing
>> else.
>
> Somebody from the hardware implementers correct me, but this should be
> both difficult to implement and is likely too slow.  You don't use
> CAM/TCAM unless you are really desperate for speed.

There are already high-speed devices using RAM for FIB e.g. Juniper Trio 
chipset uses RLDRAM.



More information about the ipv6-ops mailing list