Rate of growth on IPv6 not fast enough?

Jim Burwell jimb at jsbc.cc
Fri Apr 23 00:29:15 CDT 2010


On 4/22/2010 22:18, Matthew Kaufman wrote:
> Owen DeLong wrote:
>> On Apr 22, 2010, at 5:55 AM, Jim Burwell wrote:
>>
>>
>>>
>>> On 4/22/2010 05:34, Simon Perreault wrote:
>>>
>>>> On 2010-04-22 07:18, William Herrin wrote:
>>>>
>>>>> On the other hand, I could swear I've seen a draft where
>>>>> the PC picks up random unused addresses in the lower 64 for
>>>>> each new outbound connection for anonymity purposes.
>>>>>
>>>> That's probably RFC 4941. It's available in pretty much all
>>>> operating systems. I don't think there's any IPR issue to be
>>>> afraid of.
>>>>
>>>> Simon
>>>>
>>> I think this is different.  They're talking about using a new
>>> IPv6 for each connection.  RFC4941 just changes it over time
>>> IIRC.  IMHO that's still pretty good privacy, at least on par
>>> with a NATed IPv4 from the outside perspective, especially if
>>> you rotated through temporary IPv6s fairly frequently.
>>>
>>
>> 4941 specified changing over time as one possibility.  It does
>> allow for per flow or any other host based determination of when
>> it needs a new address.
>>
>> Owen
>>
>>
>>
> But none of this does what NAT does for a big enterprise, which is
> to *hide internal topology*. Yes, addressing the privacy concerns
> that come from using lower-64-bits-derived-from-MAC-address is
> required, but it is also necessary (for some organizations) to
> make it impossible to tell that this host is on the same subnet as
> that other host, as that would expose information like which host
> you might want to attack in order to get access to the financial
> or medical records, as well as whether or not the executive floor
> is where these interesting website hits came from.
>
> Matthew Kaufman
Yeah, that information leak is one reason I can think of for supporting
NAT for IPv6.  One of the inherent security issues with unique
addresses I suppose.
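As an added illustration, not part of the thread, the check below does the two things the posts above talk about from a defender's side: it flags addresses whose low 64 bits embed a MAC address (the modified EUI-64 leak Kaufman and Burwell mention) versus opaque RFC 4941-style identifiers, and it groups hosts by /64 to show the same-subnet relationship Kaufman wants hidden. The sample addresses are constructed in the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional


def eui64_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in a modified EUI-64 interface identifier,
    or None when the low 64 bits do not look MAC-derived (e.g. RFC 4941)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":          # EUI-64 pads the 48-bit MAC with ff:fe
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                       # RFC 4291 inverts the universal/local bit
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr: str) -> str:
    """'mac-derived' addresses expose the NIC identity; 'opaque' ones do not."""
    return "mac-derived" if eui64_mac(addr) else "opaque"


def group_by_subnet(addrs: List[str], prefixlen: int = 64) -> Dict[str, List[str]]:
    """Group addresses by prefix; hosts sharing a key are on the same subnet,
    which is the topology information the thread says NAT would hide."""
    groups = defaultdict(list)
    for a in addrs:
        net = ipaddress.IPv6Network(f"{a}/{prefixlen}", strict=False)
        groups[str(net)].append(a)
    return dict(groups)


# Constructed sample addresses, not taken from the thread.
SAMPLE = [
    "2001:db8:1:2:0211:22ff:fe33:4455",  # SLAAC, EUI-64 from MAC 00:11:22:33:44:55
    "2001:db8:1:2:9c4e:1a2b:3c4d:5e6f",  # RFC 4941-style random IID, same /64
    "2001:db8:1:3:0211:22ff:fe33:4456",  # SLAAC host on a different /64
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:40} {classify(a):12} {eui64_mac(a)}")
    for net, hosts in group_by_subnet(SAMPLE).items():
        print(net, "->", hosts)
```

Running this over addresses seen in web or firewall logs shows which hosts advertise a stable hardware identifier and which sets of hosts can be tied to one subnet, without any traffic to the hosts themselves.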