Re: 3484bis and privacy addresses
Ray Hunter <v6ops@globis.net> Fri, 06 April 2012 09:30 UTC
Return-Path: <v6ops@globis.net>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6B3821F863E for <ipv6@ietfa.amsl.com>; Fri, 6 Apr 2012 02:30:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rg-fZBsMGaNJ for <ipv6@ietfa.amsl.com>; Fri, 6 Apr 2012 02:30:20 -0700 (PDT)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 0B07C21F8603 for <ipv6@ietf.org>; Fri, 6 Apr 2012 02:30:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 8EF398700EE; Fri, 6 Apr 2012 11:30:16 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at globis01.globis.net
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7HsXijrLkx3G; Fri, 6 Apr 2012 11:30:07 +0200 (CEST)
Received: from Rays-iMac.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id E278E8700EA; Fri, 6 Apr 2012 11:30:06 +0200 (CEST)
Message-ID: <4F7EB79D.8010207@globis.net>
Date: Fri, 06 Apr 2012 11:30:05 +0200
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.3 (Macintosh/20120304)
MIME-Version: 1.0
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Subject: Re: 3484bis and privacy addresses
References: <4F716D5C.40402@innovationslab.net> <4F71F217.7000209@globis.net> <454A16E4DA86094EB66BB2C1DBBBC0180796978B@XMB-BGL-41B.cisco.com>
In-Reply-To: <454A16E4DA86094EB66BB2C1DBBBC0180796978B@XMB-BGL-41B.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "Prashanth Patil (praspati)" <praspati@cisco.com>, Brian Haberman <brian@innovationslab.net>, ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2012 09:30:20 -0000
Interesting draft. Thanks. The elephant in the room is that DHCPv6 clients are still not deployed on all end nodes that would benefit from it. Many other 6man drafts, such as draft-ietf-6man-addr-select-opt-03 also rely on DHCPv6. Let's hope that the market now manages toquickly resolve what the IETF has not managed to resolve in over 10 years of discussion, and selects a universally available communication channel for passing configuration hints between the network and end nodes that move between networks. Otherwise changing default behavior (like being discussed in the update from 3484 to 3484bis), or implementing new features in 6man, will likely make migration to IPv6 duringdual stack operation harder, or break existing stuff, or both. regards, RayH > Tirumaleswar Reddy (tireddy) <mailto:tireddy@cisco.com> > 5 April 2012 08:59 > > Firewall policies are moving towards identity (user, user-group) + > context (location, Bring your Own Device (BYOD)) attributes to enforce > appropriate policies. In enterprises hosts with EAP kind of > supplicants can be tracked even when the IP changes but for guests, > BYOD without such supplicants IP address based authentication is still > required and for such users, switches acting as DHCP relay agent can > influence the DHCP server not to assign temporary addresses > (http://tools.ietf.org/html/draft-reddy-mif-dhcpv6-precedence-ops-00) > > Regards > > Tiru. > > *From:*ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] *On Behalf > Of *Ray Hunter > *Sent:* Tuesday, March 27, 2012 10:30 PM > *To:* Brian Haberman > *Cc:* ipv6@ietf.org > *Subject:* Re: 3484bis and privacy addresses > > From the corporate World: option A as default, with local user > controlled option to override. > > RFC3484 (which references RFC3041) "Temporary addresses" are a menace > to fault finding, audit, logging, firewall rules, filtering, QoS > matching, conformance: anywhere where an ACL or stable address is used > today. Sure we shouldn't use fixed/stable IP literals, but we do. And > in many cases there aren't any practical alternatives in today's > products, so the IP address is the lowest common denominator used to > identify a machine (and dare I say even "a user" in some circumstances). > > Also not sure if any DHCPv6 server implementations actually provide > DHCPv6 assigned temporary addresses in practice. > > My take on this is that a set of a few hundred individual persons who > are worried about privacy are more likely to be able to control their > own particular machines to correctly override the "default off" > setting than a single corporate network manager is to be able to > guarantee overriding a "default on" setting on 100% of 10000 machines > attached to their network. > > regards, > RayH > > Brian Haberman wrote: > > <div class="moz-text-flowed">All, > The chairs would like to get a sense of the working group on > changing the current (defined 3484) model of preferring public > addresses over privacy addresses during the address selection > process. RFC 3484 prefers public addresses with the ability (MAY) of > an implementation to reverse the preference. The suggestion has been > made to reverse that preference in 3484bis (prefer privacy addresses > over public ones). Regardless, the document will allow > implementers/users to reverse the default preference. > > Please state your preference for one of the following default > options : > > A. Prefer public addresses over privacy addresses > > B. Prefer privacy addresses over public addresses > > Regards, > Brian, Bob, & Ole > > </div> > > -- > > Ray Hunter <mailto:Ray.Hunter@globis.net> > 27 March 2012 19:00 > From the corporate World: option A as default, with local user > controlled option to override. > > RFC3484 (which references RFC3041) "Temporary addresses" are a menace > to fault finding, audit, logging, firewall rules, filtering, QoS > matching, conformance: anywhere where an ACL or stable address is used > today. Sure we shouldn't use fixed/stable IP literals, but we do. And > in many cases there aren't any practical alternatives in today's > products, so the IP address is the lowest common denominator used to > identify a machine (and dare I say even "a user" in some circumstances). > > Also not sure if any DHCPv6 server implementations actually provide > DHCPv6 assigned temporary addresses in practice. > > My take on this is that a set of a few hundred individual persons who > are worried about privacy are more likely to be able to control their > own particular machines to correctly override the "default off" > setting than a single corporate network manager is to be able to > guarantee overriding a "default on" setting on 100% of 10000 machines > attached to their network. > > regards, > RayH > >
- Re: 3484bis and privacy addresses Jong-Hyouk Lee
- 3484bis and privacy addresses Brian Haberman
- Re: 3484bis and privacy addresses JORDI PALET MARTINEZ
- Re: 3484bis and privacy addresses Arifumi Matsumoto
- Re: 3484bis and privacy addresses Basavaraj.Patil
- Re: 3484bis and privacy addresses Tassos Chatzithomaoglou
- Re: 3484bis and privacy addresses Teemu Savolainen
- Re: 3484bis and privacy addresses Francis Dupont
- Re: 3484bis and privacy addresses JORDI PALET MARTINEZ
- Re: 3484bis and privacy addresses Mohacsi Janos
- Re: 3484bis and privacy addresses Tim Chown
- Re: 3484bis and privacy addresses Roland Bless
- RE: 3484bis and privacy addresses Samita Chakrabarti
- RE: 3484bis and privacy addresses Eric Vyncke (evyncke)
- Re: 3484bis and privacy addresses Simon Perreault
- Re: 3484bis and privacy addresses Alex Abrahams
- Re: 3484bis and privacy addresses Tina TSOU
- RE: 3484bis and privacy addresses Wuyts Carl
- Re: 3484bis and privacy addresses Karl Auer
- Re: 3484bis and privacy addresses Karl Auer
- Re: 3484bis and privacy addresses Fernando Gont
- Re: 3484bis and privacy addresses Francis Dupont
- Re: 3484bis and privacy addresses Fernando Gont
- Re: 3484bis and privacy addresses Brian Haberman
- Re: 3484bis and privacy addresses Fernando Gont
- Re: 3484bis and privacy addresses Ray Hunter
- Re: 3484bis and privacy addresses Fernando Gont
- Re: 3484bis and privacy addresses Ray Hunter
- RE: 3484bis and privacy addresses Manfredi, Albert E
- Re: 3484bis and privacy addresses Sander Steffann
- Re: 3484bis and privacy addresses Dominik Elsbroek
- Re: 3484bis and privacy addresses Karl Auer
- RE: 3484bis and privacy addresses STARK, BARBARA H
- RE: 3484bis and privacy addresses Karl Auer
- Re: 3484bis and privacy addresses Brian E Carpenter
- Re: 3484bis and privacy addresses Roger Jørgensen
- Re: 3484bis and privacy addresses Francis Dupont
- Re: 3484bis and privacy addresses jonne.soininen
- Re: Re: 3484bis and privacy addresses Ray Hunter
- Re: 3484bis and privacy addresses Doug Barton
- Re: 3484bis and privacy addresses t.petch
- Re: 3484bis and privacy addresses Alex Abrahams
- Re: 3484bis and privacy addresses Doug Barton
- Re: 3484bis and privacy addresses Mark Andrews
- Re: 3484bis and privacy addresses Fernando Gont
- RE: 3484bis and privacy addresses Dave Thaler
- Re: 3484bis and privacy addresses Ray Hunter
- Re: 3484bis and privacy addresses JINMEI Tatuya / 神明達哉
- Re: 3484bis and privacy addresses james woodyatt
- RE: 3484bis and privacy addresses Tirumaleswar Reddy (tireddy)
- Re: 3484bis and privacy addresses Ray Hunter
- RE: 3484bis and privacy addresses Dave Thaler
- Re: 3484bis and privacy addresses Brian E Carpenter
- RE: 3484bis and privacy addresses Dave Thaler
- Re: RE: 3484bis and privacy addresses Ray Hunter
- RE: RE: 3484bis and privacy addresses Dave Thaler
- Re: 3484bis and privacy addresses Ray Hunter
- RE: 3484bis and privacy addresses Dave Thaler
- Re: 3484bis and privacy addresses Ray Hunter
- RE: 3484bis and privacy addresses Dave Thaler
- RE: 3484bis and privacy addresses Dave Thaler
- Re: RE: 3484bis and privacy addresses Ray Hunter
- Re: 3484bis and privacy addresses Arifumi Matsumoto