[ipv6hackers] Host SAS and split behavior for privacy addressing

Jim Small jim.small at cdw.com
Tue Jul 17 02:57:02 CEST 2012


RFC 4941 defines the creation of random interface IDs for IPv6 interface addresses as well as the idea of a temporary address. The idea is to protect a user's privacy. I agree this makes sense for Internet bound traffic, but it is often undesirable for internal "enterprise" traffic. NIST SP800-119 recommends implementing a policy to use random IDs/temporary addresses for Internet access but not for internal access.

My question is, how would you actually do this? In Windows, for example, I can control whether or not to use random interface IDs and temporary addresses, but AFAIK this is a global setting (so I couldn't do internal ULA with no privacy and external GUA with privacy). How would I implement a policy where I only use these for Internet addresses? Obviously I could use NAT66 or a proxy, but what if I want a host-based routed solution? Of course you could look at 802.1X or identity tagging like Cisco does with TrustSec, but is there an IPv6 host stack solution?

Also - I realize Fernando has proposed some good options in the IETF, but is there something I can do currently?

--Jim