Re: [addr-select-dt] about on/off switch of privacy extension

Arifumi Matsumoto <> Thu, 22 July 2010 11:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D3A303A6940 for <>; Thu, 22 Jul 2010 04:35:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.371
X-Spam-Status: No, score=-2.371 tagged_above=-999 required=5 tests=[AWL=0.229, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0l0c9F+ZhN-3 for <>; Thu, 22 Jul 2010 04:35:41 -0700 (PDT)
Received: from ( [IPv6:2001:fa8::25]) by (Postfix) with ESMTP id 757AC3A691D for <>; Thu, 22 Jul 2010 04:35:41 -0700 (PDT)
Received: from [IPv6:2001:fa8:1000::3985:fcfc:aa30:da05] ([IPv6:2001:fa8:1000:0:3985:fcfc:aa30:da05]) by (8.14.4/8.14.3) with ESMTP id o6MBZMtG045981; Thu, 22 Jul 2010 20:35:23 +0900 (JST) (envelope-from
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset=us-ascii
From: Arifumi Matsumoto <>
In-Reply-To: <>
Date: Thu, 22 Jul 2010 20:35:22 +0900
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <EMEW3|4316cf345919db8a053a6805f4783a3em6FBvV03tjc||> <>
To: Mohacsi Janos <>
X-Mailer: Apple Mail (2.1081)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 ( [IPv6:2001:fa8::25]); Thu, 22 Jul 2010 20:35:24 +0900 (JST)
Subject: Re: [addr-select-dt] about on/off switch of privacy extension
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IPv6 Address Selection Design Team <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 22 Jul 2010 11:35:43 -0000

On 2010/07/16, at 20:14, Mohacsi Janos wrote:

> On Fri, 16 Jul 2010, Tim Chown wrote:
>> On 16 Jul 2010, at 11:27, Arifumi Matsumoto wrote:
>>      this may be a trivial issue, but let me post it before I forget. :)
>>      What do you think about putting a on/off bit in the distributing policy
>>      for controlling client's behavior of privacy address extension.
>>      I know the privacy extension does harm a lot in a lot of circumstances.
>>      And, if it is possible, why not provide a way to solve this problem
>>      at the same time ?
>> Interesting.
>> So my personal view with a campus enterprise hat on is I'd like to avoid use of privacy addresses.   The main reason is the same as the
>> reason to use DHCPv6, for accountability.    Of course if use of 802.1x and/or SAVI provides that for autoconf or privacy addresses, we
>> can reconsider.   At the moment 802.1x is common on wireless network but not wired ones.
>> For managed desktops (or laptops), we can configure privacy addresses off by default in the system build.    Likewise, we *can*
>> configure RFC3484 default policy in our managed desktop builds.    But that is only useful if the same policy applies at all points of
>> attachment on the network and at all times of day.   For RFC3484 policy is may well not do.   For privacy address policy, it probably
>> does.  
>> If the RFC3484 policy table could distinguish privacy addresses, then their use or prioritisation can be set.   At our site we'd
>> probably like to say in the policy table NEVER use privacy addresses or 6to4 addresses as source addresses.

To define a kind of macro for privacy address description is one idea.
However, it is not a straightforward approach to use policy table to reverse/keep the meaning of another rule, that is source address selection rule 7 here.

   Rule 7:  Prefer public addresses.
   If SA is a public address and SB is a temporary address, then prefer
   SA.  Similarly, if SB is a public address and SA is a temporary
   address, then prefer SB.

Of course, we have to use policy table to implement finer-grained policy, such as for destination site A, prioritize privacy address, and for site B, de-prioritize it.

So, what I'm proposing is to put a toggle for reverse/keep the meaning of Rule 7 in source address selection.

> This policy distribution can be done in Windows domain today. You can disable privacy enhanced address usage in domain group policy. I don't think that you can automatically distinguish between privacy enhanced or autoconfigured or dhcpv6 assigned addresses, except if you have other administrative rules for interface id generation. RFC 4941, the new privacy enhanced address draft, is explicitly stating the privacy address not to be used by default. Although RFC 4941 is not widely implemented - I did not see any ;-).

RFC 3484 source address selection rule 7 also proposes the same.

I don't know why the OS vendor does not follow these RFCs.

> By the way, what 3484 policy table stanza you would use to forbid use 6to4 or some other kind of prefix?

Basically, we are working on address selection related issues.
If our activity is based on RFC 3484, what we can define/change is just ordering rules of destination/source addresses.

In this sense, to forbid use of some specific address is not within the scope of RFC 3484.

Arifumi Matsumoto
  Secure Communication Project
  NTT Information Sharing Platform Laboratories