end-user ipv6 deployment and concerns about privacy

Mark Smith nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Wed Aug 18 05:34:47 CDT 2010


On Wed, 18 Aug 2010 01:12:19 +0200
Hannes Frederic Sowa <hannes at mailcolloid.de> wrote:

> Hello!
> 
> As the first IPv6 deployments for end-users are in the planning stage
> in Germany, I realized I have not found any BCP for handling
> addressing in those scenarios. IPv6 will make it a lot easier for
> static address deployments but I wonder weather this is in the best
> sense for the customers. As I normally come from the technical side I
> prefer static addressing. But in the world of facebook and co. I
> wonder if it would be a better to let the user have the choice. A
> major provider of dsl here in Germany recently blogged about this [1].
> Their proposal is to serve two subnets, one being a static one while
> the other one will be dynamically allocated. I have no clue how the
> user would switch between these subnets (without using some kind of
> command line tools).
> 
> This is not about using privacy extensions as the subnet is sufficient
> for identification.
> 
> Did you reach any conclusion on this matter?
> 

Haven't really thought about it before.

One thing to consider is that unless the preferred and valid lifetimes
of an IPv6 prefix are set to infinity, IPv6 prefixes are always dynamic
- they'll eventually expire unless they're refreshed. The preferred and
valid lifetimes for prefixes that are delegated to customers could be
something that they might be able to change via a web portal, bounded
to within what you as an ISP are happy with e.g. 1 to 30 days, rather
than the absolute range of lifetime values supported. CPE could also
potentially do the same thing with the range of subnets it has been
delegated, by phasing in and out subnets over time on it's downstream
interfaces. (The more subnets the better, so a /48 would be ideal for
this.)

As you've mentioned, privacy addresses help. A related idea is
described in "Transient addressing for related processes: Improved
firewalling by using IPv6 and multiple addresses per host." [0], Peter
M. Gleitz and Steven M. Bellovin, which takes advantage of the 2^64
addresses in a /64, and has different applications on the same host use
different source IPv6 addresses.

Pretending to be multiple hosts, or even just one with privacy
addresses, moving around multiple subnets, on delegated prefixes that
change fairly regularly would probably mitigate quite a lot of the
privacy concerns people may have related to IPv6 addressing.

Regards,
Mark.


[0] http://www.cs.columbia.edu/~smb/papers/tarp.pdf




More information about the NANOG mailing list