Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text
Mark Andrews <marka@isc.org> Thu, 08 June 2017 02:13 UTC
To: sthaug@nethelp.no
Cc: ek@google.com, job@instituut.net, ipv6@ietf.org
From: Mark Andrews <marka@isc.org>
References: <EB4E2A17-B77F-40B8-B565-B3BBC1E378B3@gmail.com> <20170607.075131.74727436.sthaug@nethelp.no> <CAAedzxqWqShdneSBVTEN=5b+KsyQdCroOoyviH9AOJKV262xyg@mail.gmail.com> <20170607.142936.74725051.sthaug@nethelp.no>
Subject: Re: Giving up security & privacy when manually configuring addresses - rfc4291bis text
In-reply-to: Your message of "Wed, 07 Jun 2017 14:29:36 +0200." <20170607.142936.74725051.sthaug@nethelp.no>
Date: Thu, 08 Jun 2017 12:13:49 +1000
Message-Id: <20170608021349.B3C0C7B5522C@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/MrgvQ1B7eYztlPvocvnAtB0Hrrg>
In message <20170607.142936.74725051.sthaug@nethelp.no>, sthaug@nethelp.no writes:
> > > That's precisely the point. I configure fixed addresses typically for
> > > servers, and I put the addresses in the DNS. I *want* those addresses
> > > to be publically known. Security and privacy is not relevant in this
> > > particular case.
> >
> > For an authoritative server, sure.
> >
> > But if you're a recursive resolver then using privacy addresses while doing
> > recursion (and changing the privacy addresses frequently) might indeed be
> > very useful. (In fact: a unique source address per query is wonderful.)
>
> Different strokes for different folks. I'm fine with fixed addresses
> for the query sources of my recursive resolvers, and have no plans to
> change this. I have no problems with others using a unique source
> address per query.

And it really doesn't add much in terms of privacy as the /64 would
be the same. Nor is it needed to combat spoofing of responses. We
have DNS COOKIES for that.

We are looking at removing port randomisation when talking with
servers that support DNS COOKIES. Send a query with a cookie then
if we don't get a cookie response resend using a random port.

> Steinar Haug, AS2116

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
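The cookie-then-fallback decision described in the message above, sketched offline as an added example; it is not part of the original message and not ISC's code. The helper names (`build_message`, `find_cookie`, `next_step`) and the return strings are hypothetical; the option code and cookie lengths follow RFC 7873.

```python
import struct

COOKIE_OPT, TYPE_OPT = 10, 41   # EDNS COOKIE option code, OPT pseudo-RR type

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_message(txid, name, cookie, response=False):
    """One-question DNS message; carries an OPT RR with COOKIE if cookie is given."""
    flags = 0x8180 if response else 0x0100
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if cookie else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    if cookie:
        rdata = struct.pack("!HH", COOKIE_OPT, len(cookie)) + cookie
        # OPT RR: root owner name, class = UDP payload size, TTL = ext. flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    # Walk labels until the root label or a compression pointer ends the name.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def find_cookie(msg):
    """Return the raw COOKIE option payload from a DNS message, or None."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:
            end, p = off + rdlen, off
            while p + 4 <= end:
                code, length = struct.unpack_from("!HH", msg, p)
                if code == COOKIE_OPT:
                    return msg[p + 4:p + 4 + length]
                p += 4 + length
        off += rdlen
    return None

def next_step(client_cookie, response):
    """Accept only a reply echoing our 8-byte client cookie plus an 8-32 byte server cookie."""
    cookie = find_cookie(response)
    if cookie and cookie[:8] == client_cookie and 16 <= len(cookie) <= 40:
        return "accept"
    return "retry-from-random-port"   # no usable cookie: fall back to port randomisation
```
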