[ipv6hackers] Host SAS and split behavior for privacy addressing
Eric Vyncke (evyncke)
evyncke at cisco.com
Tue Jul 17 08:26:12 CEST 2012
And, actually even for traffic to the wild Internet, you would probably prefer to use the long-term IPv6 address anyway (audit-trail for Internet traffic is also useful or could even be required).
> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> bounces at lists.si6networks.com] On Behalf Of Jim Small
> Sent: Tuesday 17 July 2012 02:57
> To: IPv6 Hackers Mailing List (ipv6hackers at lists.si6networks.com)
> Subject: [ipv6hackers] Host SAS and split behavior for privacy addressing
> RFC 4941 defines the creation of random interface IDs for IPv6 interface
> addresses as well as the idea of a temporary address. The idea is to protect
> a user's privacy. I agree this makes sense for Internet bound traffic but it
> is often undesirable for internal "enterprise" traffic. NIST SP800-119
> recommends implementing a policy to use random IDs/temporary addresses for
> Internet access but not for internal access.
> My question is, how would you actually do this? In Windows for example I can
> control whether or not to use random interface IDs and temporary addresses,
> but AFAIK this is a global setting (so couldn't do internal ULA no privacy,
> external GUA with privacy). How would I implement a policy where I only use
> these for Internet addresses? Obviously I could use NAT66 or a Proxy, but
> what if I want a host-based routed solution? Of course you could look at
> 802.1X or Identity tagging like Cisco does with Trustsec, but is there an
> IPv6 host stack solution?
> Also - I realize Fernando has proposed some good options in the IETF, but is
> there something I can do currently?
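As an added illustration, not code from either poster, the following Python sketch shows one host-side way to get the split Jim asks about without touching the stack's global privacy setting: the application classifies the destination and binds to the stable address for internal prefixes (ULA or the site's own prefix) and to the RFC 4941 temporary address for Internet-bound traffic. The internal prefix list and the sample addresses are constructed (documentation prefix); replace them with the site's real values.

```python
import ipaddress
import socket

# Constructed sample: prefixes treated as "internal". ULA (fc00::/7) plus a
# hypothetical enterprise prefix; substitute the site's own prefixes here.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

def is_internal(dst):
    """True if dst lies in a prefix where the stable (auditable) source
    address should be used instead of a temporary one."""
    addr = ipaddress.ip_address(dst)
    if addr.version != 6:
        raise ValueError("policy applies to IPv6 destinations only")
    return any(addr in net for net in INTERNAL_PREFIXES)

def pick_source(dst, stable, temporary):
    """Return the local address to bind for a connection to dst.

    Internal destinations get the long-term address (the NIST SP800-119
    recommendation discussed in the thread); everything else gets the
    RFC 4941 temporary address. If no temporary address is currently
    available, fall back to the stable one rather than failing.
    """
    if is_internal(dst) or temporary is None:
        return stable
    return temporary

def connect_with_policy(dst, port, stable, temporary, timeout=5.0):
    """Open a TCP socket bound to the policy-selected source address.
    Binding before connect() overrides the kernel's default source
    address selection for this socket only."""
    src = pick_source(dst, stable, temporary)
    sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.bind((src, 0))
    sock.connect((dst, port))
    return sock

# Constructed sample local addresses: a stable IID and a temporary one
# in the same (hypothetical) enterprise prefix.
STABLE = "2001:db8:100:1::1234"
TEMP = "2001:db8:100:1:a1b2:c3d4:e5f6:789"
```

The current temporary address has to be discovered from the host (for example by enumerating interface addresses) and refreshed as it is regenerated; the policy itself is what this sketch shows.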