PTR records for IPv6
David Magda
dmagda at ee.ryerson.ca
Thu Sep 5 16:03:54 CEST 2013
On Wed, September 4, 2013 22:47, Dan Wing wrote:
> Yes, disabling IPv6 privacy addresses makes tons of things easier --
> including traffic analysis. One of the primary purposes of IPv6 privacy
> addresses was to antagonize traffic analysis and discourage one of the
> justifications to create a NAPT66 device (as one of the justifications for
> NAPT is to antagonize traffic analysis).
> http://tools.ietf.org/html/rfc4941#section-2 has lots of good details.
> (And I know privacy information is leaked at upper layers; there are
> constant attempts at those layers to reduce their privacy leakage and it
> doesn't excuse exposing privacy at layer 3).
Sadly there doesn't seem to be an easy way to do pre-prefix privacy
options. If one is using SLAAC and RAs, there's no option to tell IPv6
systems to use the privacy extensions on prefix A but not on B.
Similarly I asked a while ago and DHCPv6 implementations don't have a way
to do it either.
So if one's network (say) uses ULA for internal traffic, and public
addresses for external traffic, then it's either all or nothing for
privacy. It'd be nice to have random addresses to prevent external
tracking, but MAC-based addresses for internal auditing. If that isn't
available via RA options, then hopefully it will become possible via
DHCPv6 at some point.
More information about the ipv6-ops
mailing list