[ipv6hackers] Dynamic prefixes & privacy (was: IPv6 prefix changing)
Douglas Otis
dotis at mail-abuse.org
Wed Mar 21 01:48:33 CET 2012
On 3/20/12 3:52 PM, Owen DeLong wrote:
> On Mar 20, 2012, at 3:28 PM, Douglas Otis wrote:
>
>> On 3/20/12 2:37 PM, Owen DeLong wrote:
>>> On Mar 20, 2012, at 2:34 PM, Tim Chown wrote:
>>>
>>> On 17 Mar 2012, at 22:55, Owen DeLong wrote:
>>>>> ULA brings nothing meaningful to the table.
>>>> There is an I-D on ULA usage, see
>>>> http://tools.ietf.org/html/draft-liu-v6ops-ula-usage-analysis-02.
>>>> I would assume the authors would like feedback.
>>>>
>>>> Having ULA-ULA communication in a homenet is a good thing if that
>>>> means internal connections are not dropped if the accompanying
>>>> global prefix changes.
>>>>
>>> A better solution is to provide some internal persistence on global
>>> prefixes in the absence of external communication.
>>>
>>> Yes, you'll still drop internal connections on a renumber event, but,
>>> that can be handled gracefully enough so as not to be of sufficient
>>> concern to merit the drawbacks of using ULA.
>>>
>>>> In the homenet scenario, it seems some LLN vendors say they only
>>>> want to use ULAs.
>>> Herein lies the real hazard of ULA. Forcing NPT into the world is a
>>> really really really bad thing.
>> Dear Owen,
>>
>> I agree with Tim. While NPTv6 should be avoided, there are situations that arise when dealing with IPv4 NATs. http://tools.ietf.org/html/rfc6281#page-11 also makes this point by using ULAs leverage IPv6 as a method for ensuring unique local identifiers able to retain security associations. In this case, the identifier lifetime needs to exceed that of any TCP connection or Security Association running on the host. The HIP alternative may not be supported.
>>
> Apple could easily have obtained an IPv6 GUA prefix for this purpose. The use of ULA is entirely optional.
>
> Free your mind from the IPv4 private vs. public address mindset and allow yourself to consider a world where
> GUA is relatively easy to obtain and can be used for non-connected purposes without penalty or difficulty.
>
> I realize that this would require some RIR policy changes and I support those. If the IETF will get on board
> with recognizing that local GUA is a better alternative than ULA, then I don't think it would be hard to get
> the RIRs to adopt appropriate policy around this.
Dear Owen,
While agreeing with most of your statements, when GUAs are intended to
be local, as are ULAs, this makes their handling is more complex. With
the various IPv6 transitional methods kicking around, GUA packets might
end up in strange places and enable various data exfiltration
techniques, for example. In Apple's case, ULAs still seem like a better
and simpler choice.
Regards,
Douglas Otis
More information about the Ipv6hackers
mailing list