IETF Logo Mail Archive

RE: 3484bis and privacy addresses

Dave Thaler <dthaler@microsoft.com> Mon, 02 April 2012 23:44 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E10E121F865C for <ipv6@ietfa.amsl.com>; Mon, 2 Apr 2012 16:44:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.099
X-Spam-Level:
X-Spam-Status: No, score=-105.099 tagged_above=-999 required=5 tests=[AWL=-1.501, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VBh4JAVqQJn3 for <ipv6@ietfa.amsl.com>; Mon, 2 Apr 2012 16:44:18 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe004.messaging.microsoft.com [216.32.181.184]) by ietfa.amsl.com (Postfix) with ESMTP id 1B82921F85BD for <ipv6@ietf.org>; Mon, 2 Apr 2012 16:44:17 -0700 (PDT)
Received: from mail64-ch1-R.bigfish.com (10.43.68.234) by CH1EHSOBE005.bigfish.com (10.43.70.55) with Microsoft SMTP Server id 14.1.225.23; Mon, 2 Apr 2012 23:44:17 +0000
Received: from mail64-ch1 (localhost [127.0.0.1]) by mail64-ch1-R.bigfish.com (Postfix) with ESMTP id 5A1101E0371; Mon, 2 Apr 2012 23:44:17 +0000 (UTC)
X-SpamScore: -24
X-BigFish: VS-24(zz9371Ic85fh98dKzz1202hzz8275ch1033IL8275bh8275dhz2fh2a8h668h839hd25h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC106.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail64-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=dthaler@microsoft.com; helo=TK5EX14HUBC106.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail64-ch1 (localhost.localdomain [127.0.0.1]) by mail64-ch1 (MessageSwitch) id 1333410254467378_19573; Mon, 2 Apr 2012 23:44:14 +0000 (UTC)
Received: from CH1EHSMHS023.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.254]) by mail64-ch1.bigfish.com (Postfix) with ESMTP id 647E1440062; Mon, 2 Apr 2012 23:44:14 +0000 (UTC)
Received: from TK5EX14HUBC106.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS023.bigfish.com (10.43.70.23) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 2 Apr 2012 23:44:13 +0000
Received: from TK5EX14MLTW653.wingroup.windeploy.ntdev.microsoft.com (157.54.24.14) by TK5EX14HUBC106.redmond.corp.microsoft.com (157.54.80.61) with Microsoft SMTP Server (TLS) id 14.2.283.4; Mon, 2 Apr 2012 23:43:57 +0000
Received: from TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com ([169.254.4.253]) by TK5EX14MLTW653.wingroup.windeploy.ntdev.microsoft.com ([157.54.24.14]) with mapi id 14.02.0283.004; Mon, 2 Apr 2012 16:43:57 -0700
From: Dave Thaler <dthaler@microsoft.com>
To: Ray Hunter <Ray.Hunter@globis.net>
Subject: RE: 3484bis and privacy addresses
Thread-Topic: 3484bis and privacy addresses
Thread-Index: AQHNC+wBSVlewb1jE0uYOWOUBxq41JZ+06CAgAlncxA=
Date: Mon, 02 Apr 2012 23:43:57 +0000
Message-ID: <9B57C850BB53634CACEC56EF4853FF653B4F1217@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com>
References: <4F716D5C.40402@innovationslab.net> <4F71F217.7000209@globis.net>
In-Reply-To: <4F71F217.7000209@globis.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.30]
Content-Type: multipart/alternative; boundary="_000_9B57C850BB53634CACEC56EF4853FF653B4F1217TK5EX14MBXW604w_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: Brian Haberman <brian@innovationslab.net>, "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Apr 2012 23:44:21 -0000

I prefer B, and this is what most existing implementations of RFC 3484 seem to already do (i.e., they follow the MAY not the SHOULD) whenever privacy addresses are enabled.  I have yet to hear of an implementation of RFC 3484 that actually follows the SHOULD (A) rather than the MAY (B), but maybe someone on this list knows of one.

To respond to Ray's "From the corporate World: option A as default, with local user controlled option to override":

In the corporate world, one requirement we've heard is to disable privacy addresses all together,
not just depreference them.   This is consistent with Brian Carpenter's response.

As such, the Windows implementation of RFC 3484 has always preferred privacy addresses when enabled, and lets the administrator enable/disable them.   Client OS's (Vista, Windows 7, etc.) have them enabled by default, but can be disabled by an enterprise administrator either manually or across the enterprise via Group Policy.   Server OS's (Server 2003, Server 2008, etc.) have them disabled by default, but can be enabled by an administrator.

-Dave

From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On Behalf Of Ray Hunter
Sent: Tuesday, March 27, 2012 10:00 AM
To: Brian Haberman
Cc: ipv6@ietf.org
Subject: Re: 3484bis and privacy addresses

>From the corporate World: option A as default, with local user controlled option to override.

RFC3484 (which references RFC3041) "Temporary addresses" are a menace to fault finding, audit, logging, firewall rules, filtering, QoS matching, conformance: anywhere where an ACL or stable address is used today. Sure we shouldn't use fixed/stable IP literals, but we do. And in many cases there aren't any practical alternatives in today's products, so the IP address is the lowest common denominator used to identify a machine (and dare I say even "a user" in some circumstances).

Also not sure if any DHCPv6 server implementations actually provide DHCPv6 assigned temporary addresses in practice.

My take on this is that a set of a few hundred individual persons who are worried about privacy are more likely to be able to control their own particular machines to correctly override the "default off" setting than a single corporate network manager is to be able to guarantee overriding a "default on" setting on 100% of 10000 machines attached to their network.

regards,
RayH

Brian Haberman wrote:
<div class="moz-text-flowed">All,
     The chairs would like to get a sense of the working group on changing the current (defined 3484) model of preferring public addresses over privacy addresses during the address selection process.  RFC 3484 prefers public addresses with the ability (MAY) of an implementation to reverse the preference.  The suggestion has been made to reverse that preference in 3484bis (prefer privacy addresses over public ones). Regardless, the document will allow implementers/users to reverse the default preference.

     Please state your preference for one of the following default options :

A. Prefer public addresses over privacy addresses

B. Prefer privacy addresses over public addresses

Regards,
Brian, Bob, & Ole

</div>

--
Ray Hunter
Ray.Hunter@globis.net<mailto:Ray.Hunter@globis.net>
Globis Consulting BV, Fazantlaan 23, 5613CB Eindhoven NL,
Registered at the KvK, Eindhoven, under number BV 17098279
mobile: +31 620 363864

v2.23.0 | Report a Bug | By Email