dynamic or static IPv6 prefixes to residential customers

Owen DeLong owen at delong.com
Wed Aug 3 15:14:52 CDT 2011


On Aug 3, 2011, at 10:53 AM, Jay Ashworth wrote:

> ----- Original Message -----
>> From: "Owen DeLong" <owen at delong.com>
> 
>> On Aug 3, 2011, at 6:55 AM, Jay Ashworth wrote:
>>> You guys aren't *near* paranoid enough. :-)
>>> 
>>> If the ISP
>>> 
>>> a) Assigns dynamic addresses to customers, and
>>> b) changes those IPs on a relatively short scale (days)
>>> 
>>> then
>>> 
>>> c) outside parties *who are not the ISP or an LEO* will have a
>>> relatively harder time tying together two visits solely by the IP
>>> address.
>> 
>> ROFL... Yeah, right... Because the MAC suffix won't do anything.
> 
> Did I mention I haven't implemented v6 yet? :-)
> 

No, you didn't. Perhaps you should spend some time learning about
it before you opine on how it should or should not be implemented.

FWIW, I have implemented IPv6 in multiple organizations, including
my home where I've been running with it for several years.

> *Really*?  It bakes the endpoint MAC into the IP?  Well, that's miserably
> poor architecture design.
> 

It can and it is a common default. It is not required.

It's actually rather elegant architecture design for the goals it was
implemented to accomplish.

>>> While this isn't "privacy", per se, that "making harder" is at least
>>> somewhat useful to a client in reducing the odds that such
>>> non-ISP/LEO
>>> parties will be unable to tie their visits, assuming they've
>>> controlled
>>> the items they *can* control (cookies, flash cookies, etc).
>> 
>> Which is something, what, 1% of people probably even know how to do,
>> let alone practice on a regular basis.
> 
> Yup; let's go out of our way to penalize the smart people; that's a 
> *great* plan; I so enjoy it when people do it -- and they do it *far*
> too often for my tastes.
> 

No, my point is that if you use RFC-4193, there's not really much benefit
from altering the prefix, so, nobody gets penalized and you can still have
static addresses.

Further, I consider myself relatively smart and by not having static prefixes,
you're blocking things I want, so, arguably dynamic prefixes also penalize
the smart people.

>>> Imperfect security != no security, *as long as you know where the
>>> holes are*.
>> 
>> If people want this, they can use RFC-4193 to just about the same
>> effect. The ISP modifying the prefix regularly simply doesn't do much.
> 
> I'll make a note of it.
> 

Let me know if you have further questions.

Owen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2105 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20110803/baaac9eb/attachment.bin>


More information about the NANOG mailing list