[ipv6hackers] Pros and Cons of Address Randomization
Jim Small
jim.small at cdw.com
Mon Dec 3 03:39:07 CET 2012
Hi Mark,
> >> > Maybe this is an enterprise bias but my experience has been that
> >> loopbacks (at least with IPv4) are numbered sequentially with predictable
> >> patterns for ease of use. These can be protected with ACLs/firewalls. I
> >> would like to do something similar for IPv6. Maybe this is legacy thinking but
> >> I would dread giving this up and completely depending on DNS. What about
> >> outages where you're using an Out Of Band network and DNS is
> >> down/unavailable? This one would be hard for me...
> >> >
> >> You certainly can do something similar for IPv6 and I would actually generally
> >> advocate doing so. I just wouldn't start from ::1 in most cases.
> >
> > So where would you start at? ::1001? It's not that you memorize addresses
> > - I agree that's silly. However when you use tools, simple patterned
> > numbers make life easier. Granted you can have lists of addresses to march
> > through but it's the little things... Especially when you're doing
> > something to 100s of routers/switches - spot checking patterned numbers is a
> > little easier than randomized addresses. Maybe I'm just a little lazy. :-)
> >
>
> For network management, I think it'd be better just to use ULAs, as they're
> not accessible from the Internet. Once you do that, you can then use ::1, ::2,
> ::3 etc. on loopbacks without anywhere near as much risk.
I like this idea. I can't think of why you'd want your loopbacks accessible from off-network even for eBGP speakers. Just generate your randomized /48 ULA and start from ::1 with no worries about Internet scans (assuming proper ingress/egress filtering).
> More generally, I think one of the issues that makes these sorts of
> discussions more complex is the default assumption of global reachability of
> the nodes with the randomised or non-randomised addresses, and perhaps
> an assumption that the nodes will only have one address. As IPv6 fully
> supports multiple concurrent addresses, one option is to use randomised
> addresses for addresses where they're more valuable (i.e. globals), and non-
> random where they're less valuable or would create additional complexity
> (i.e. ULAs).
Makes sense.
> Perhaps there needs to be an "R" bit added to the RA PIO option that
> indicates that IIDs that are used within the specified prefix are to be
> randomised. This would be independent of the A bit, and would be used by
> what ever address configuration mechanism used to configure addresses
> within the prefix (e.g. currently SLAAC, possibly others in the future). That
> would make it possible to have randomised GUAs and non-randomised ULA
> addresses within a subnet.
This is an interesting idea. I especially like it if it would use the logic Fernando proposed:
http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-01
So it could use the above for SLAAC, and for DHCPv6 perhaps it could also be used as a hint: if the R-bit is set, the client notifies the DHCPv6 server via some option that it wants a randomized IID.
--Jim
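The two numbering schemes discussed in this thread, worked through as an added example that is not from the list or from any of its authors: a random ULA /48 generated with the RFC 4193 recipe with loopbacks numbered ::1, ::2, ... inside it, plus a hash-based per-prefix IID in the spirit of the F() function in the stable-privacy draft (simplified to SHA-256 with no u/g bit handling, so not the draft's normative algorithm). The EUI-64, the secret and the 2001:db8:1::/64 prefix are constructed inputs.

```python
import hashlib
import ipaddress
import struct
import time

# Added example, not from the thread. Constructed inputs: EUI-64 and secret.
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def ula_prefix(eui64, ntp_time=None):
    """RFC 4193 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64);
    prefix = fc00::/7 with the L bit set (fd00::/8) || Global ID, i.e. a /48."""
    if ntp_time is None:
        ntp_time = (int(time.time()) + NTP_EPOCH_OFFSET) << 32  # 64-bit NTP format
    key = struct.pack(">Q", ntp_time) + eui64
    global_id = hashlib.sha1(key).digest()[-5:]            # least significant 40 bits
    prefix_bytes = b"\xfd" + global_id + bytes(10)        # 48 prefix bits, host bits zero
    return ipaddress.IPv6Network((prefix_bytes, 48))

def loopback(prefix, n):
    """Sequential loopback inside the ULA: <prefix>::n, e.g. ::1, ::2, ... (a /128)."""
    return ipaddress.IPv6Address(int(prefix.network_address) + n)

def stable_iid(prefix, net_iface, network_id, dad_counter, secret_key):
    """Hash-based IID modelled on F(Prefix, Net_Iface, Network_ID, DAD_Counter,
    secret_key) from the stable-privacy draft (simplified: SHA-256, no u/g bit
    handling). Same prefix and secret give the same IID; another prefix gives
    an unrelated one, so hosts are not trackable across networks."""
    h = hashlib.sha256()
    h.update(prefix.network_address.packed[:8])   # the /64 the IID will live in
    h.update(net_iface.encode())
    h.update(network_id.encode())
    h.update(struct.pack(">B", dad_counter))      # bumped on DAD collision
    h.update(secret_key)
    return int.from_bytes(h.digest()[:8], "big")

def with_iid(prefix, iid):
    """Combine a /64 (or shorter) prefix with a 64-bit IID into a full address."""
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)

GUA_EXAMPLE = ipaddress.IPv6Network("2001:db8:1::/64")   # constructed documentation prefix

if __name__ == "__main__":
    eui64 = bytes.fromhex("0211223344556677")              # constructed, not a real NIC
    ula = ula_prefix(eui64)
    print("ULA /48:", ula)
    for i in (1, 2, 3):
        print("  loopback", i, "->", loopback(ula, i))
    secret = b"per-host-secret-kept-in-stable-storage"     # constructed
    iid = stable_iid(GUA_EXAMPLE, "eth0", "", 0, secret)
    print("stable GUA:", with_iid(GUA_EXAMPLE, iid))
```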