[ipv6hackers] Dynamic prefixes & privacy (was: IPv6 prefix changing)
kauer at biplane.com.au
Fri Mar 16 14:54:37 CET 2012
[sorry if this turns up twice - email spasm]

On Fri, 2012-03-16 at 09:06 +0100, Alex List wrote:
> Due to the /64 bits left I don't agree, but from the discussion so far

With IPv4, the outside address on the CPE effectively identifies at
least the household. For a household containing one computer, it
identifies that computer, NAT or no NAT. That outside address may
change, but it changes fairly slowly unless ISPs make a special effort
to either keep it stable or change it frequently.

With IPv6, the prefix will identify the household with roughly the same
effectiveness. And possibly the outside address will too, though that
will typically be an invisible routing hop rather than an apparent
connection endpoint, as it is with IPv4 and NAT.

As long as privacy addresses are used, IPv6 doesn't make that any worse.
It could be argued that it makes things slightly better, as "outsiders"
can no longer see (at least not just from the address) whether
connections are from the same actual computer or not.

Without privacy addresses IPv6 makes it worse in direct proportion to
the number of computers using the prefix. And a LOT worse for mobile
computers, which can now be fairly positively identified wherever they
go, using the rightmost 64 bits.

DHCPv6-supplied addresses fall somewhere between the two. They will have
the same address on any given network, but different addresses on
different networks. So same difficulty for sessile computers, slightly
better for mobile computers.

Karl Auer (kauer at biplane.com.au)
GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
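
An added example, not part of the original message: a short Python audit that shows why a stable rightmost 64 bits links a host across networks while privacy addresses do not. The addresses are constructed from the 2001:db8::/32 documentation range, and the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: two hosts seen on two networks (documentation prefixes).
SAMPLE = [
    "2001:db8:aaaa:1:211:22ff:fe33:4455",   # host A at home, SLAAC EUI-64
    "2001:db8:bbbb:7:211:22ff:fe33:4455",   # host A elsewhere, same IID
    "2001:db8:aaaa:1:5c3e:91a7:b2d:77f1",   # host B at home, privacy address
    "2001:db8:bbbb:7:e4b0:13c9:8a6f:2d05",  # host B elsewhere, new random IID
]

def interface_id(addr):
    """Rightmost 64 bits of the address, as an integer."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)

def prefix64(addr):
    """The /64 network the address belongs to."""
    return str(ipaddress.IPv6Network(f"{addr}/64", strict=False))

def eui64_mac(addr):
    """MAC address embedded in a modified EUI-64 IID, or None.
    The ff:fe marker is a heuristic: a random IID matches with p = 2**-16."""
    iid = interface_id(addr).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def linkable(addresses):
    """Map each IID that appears under more than one /64 to those prefixes."""
    seen = defaultdict(set)
    for addr in addresses:
        seen[interface_id(addr)].add(prefix64(addr))
    return {f"{iid:016x}": sorted(p) for iid, p in seen.items() if len(p) > 1}

if __name__ == "__main__":
    for iid, prefixes in linkable(SAMPLE).items():
        print(f"IID {iid} recurs across {prefixes}")
    for addr in SAMPLE:
        print(addr, "->", eui64_mac(addr) or "no embedded MAC")
```

Run against addresses collected from your own hosts, this flags interfaces that still use EUI-64 identifiers and are candidates for enabling privacy addresses.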