[ipv6hackers] Host SAS and split behavior for privacy addressing

Tim Chown tjc at ecs.soton.ac.uk
Thu Jul 19 13:48:35 CEST 2012


Or you chose to not fight against devices that can essentially pick their own addresses, and instead deploy tools or monitoring systems that can correlate observed addresses.

Tim

On 17 Jul 2012, at 07:26, Eric Vyncke (evyncke) wrote:

> And, actually even for traffic to the wild Internet, you would probably prefer to use the long-term IPv6 address anyway (audit-trail for Internet traffic is also useful or could even be required).
> 
> -éric
> 
>> -----Original Message-----
>> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
>> bounces at lists.si6networks.com] On Behalf Of Jim Small
>> Sent: mardi 17 juillet 2012 02:57
>> To: IPv6 Hackers Mailing List (ipv6hackers at lists.si6networks.com)
>> Subject: [ipv6hackers] Host SAS and split behavior for privacy addressing
>> 
>> RFC 4941 defines the creation of random interface IDs for IPv6 interface
>> addresses as well as the idea of a temporary address. The idea is to protect
>> a user's privacy. I agree this makes sense for Internet bound traffic but it
>> is often undesirable for internal "enterprise" traffic. NIST SP800-119
>> recommends implementing a policy to use random IDs/temporary addresses for
>> Internet access but not for internal access.
>> 
>> My question is, how would you actually do this? In Windows for example I can
>> control whether or not to use random interface IDs and temporary addresses,
>> but AFAIK this is a global setting (so couldn't do internal ULA no privacy,
>> external GUA with privacy). How would I implement a policy where I only use
>> these for Internet addresses? Obviously I could use NAT66 or a Proxy, but
>> what if I want a host-based routed solution?  Of course you could look at
>> 802.1X or Identity tagging like Cisco does with Trustsec, but is there an
>> IPv6 host stack solution?
>> 
>> Also - I realize Fernando has proposed some good options in the IETF, but is
>> there something I can do currently?
>> 
>> --Jim
>> 
>> 
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers
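Tim's suggestion is to stop fighting hosts that pick their own interface identifiers and instead run tooling that correlates the addresses a host is observed using. The script below is an added illustration of that approach, not code from the list or from any of the posters. It takes neighbor-cache style lines (constructed sample data here, in the shape of `ip -6 neigh` output; the `SAMPLE_NEIGH` text, the `classify` labels and the helper names are all assumptions of this example), groups every observed address under the link-layer address that answered for it, and labels each interface identifier as modified-EUI-64 (derived from that MAC), manually assigned (tiny IID such as ::1), or random-looking. It then reports the specific policy gap Jim's question and NIST SP800-119 are about: random IIDs showing up under internal ULA prefixes, where the enterprise wanted stable, auditable addresses. Note that the bit pattern alone cannot tell an RFC 4941 temporary address from any other opaque IID; only lifetimes and DAD/ND events seen over time can do that, so the "random" label means "not derived from the MAC, not manual", nothing more.

```python
"""Correlate IPv6 addresses observed per link-layer address and flag random
interface IDs inside internal (ULA) prefixes.  Added example; the sample
neighbor-table text below is constructed, not captured from a real network."""
import ipaddress
import re
from collections import defaultdict

IID_MASK = (1 << 64) - 1
ULA = ipaddress.IPv6Network("fc00::/7")          # RFC 4193 unique local space

# Constructed sample, in the shape of `ip -6 neigh` lines (assumed format).
SAMPLE_NEIGH = """\
2001:db8:1::3a2f:9b1c:77de:04a1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 STALE
fd00:1::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
fd00:1::9e3b:41c7:d0a2:5f18 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::c4d1:19e2:8fa0:0b3c dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::1 dev eth0 lladdr aa:bb:cc:dd:ee:ff router REACHABLE
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)


def eui64_iid(mac):
    """Modified EUI-64 interface ID for a 48-bit MAC: flip the U/L bit of the
    first octet and splice ff:fe between the OUI and the device part."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(iid, "big")


def iid_of(addr):
    """Low 64 bits of an IPv6 address, i.e. the interface identifier."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def classify(addr, mac):
    """Label the IID of `addr` relative to the MAC that answered for it."""
    iid = iid_of(addr)
    if iid == eui64_iid(mac):
        return "eui64"                 # stable, derived from this MAC
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64-mismatch"        # EUI-64 shape, but from another MAC
    if iid < (1 << 16):
        return "manual"                # ::1, ::53 and similar hand-assigned IIDs
    return "random"                    # opaque IID: RFC 4941 temporary or similar


def parse_neigh(text):
    """Yield (address, mac) pairs from neighbor-table style lines."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(3).lower()))
    return entries


def correlate(text):
    """Map each MAC to every address observed for it, with its IID label."""
    table = defaultdict(dict)
    for addr, mac in parse_neigh(text):
        table[mac][addr] = classify(addr, mac)
    return dict(table)


def internal_random_addresses(table):
    """Policy check: random IIDs are acceptable on Internet-facing GUA space
    but not inside ULA prefixes, where the audit trail should stay stable."""
    hits = []
    for mac, addrs in table.items():
        for addr, kind in addrs.items():
            if kind == "random" and ipaddress.IPv6Address(addr) in ULA:
                hits.append((mac, addr))
    return sorted(hits)


if __name__ == "__main__":
    observed = correlate(SAMPLE_NEIGH)
    for mac, addrs in observed.items():
        print(mac)
        for addr, kind in sorted(addrs.items(), key=lambda kv: kv[1]):
            print(f"  {kind:15s} {addr}")
    for mac, addr in internal_random_addresses(observed):
        print(f"POLICY: random IID on internal prefix: {addr} ({mac})")
```

Run over a real `ip -6 neigh` dump (or switch/router ND tables exported to the same shape) the table gives the per-host inventory that a SIEM can join against DHCP, 802.1X or flow logs, which is the correlation Tim describes; the policy check is the part that answers Jim's question from the monitoring side rather than the host side.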