IETF Logo Mail Archive

Re: addrsel: privacy addresses within/out of a site

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 03 January 2011 19:28 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0A6453A6B13 for <ipv6@core3.amsl.com>; Mon, 3 Jan 2011 11:28:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.123
X-Spam-Level:
X-Spam-Status: No, score=-103.123 tagged_above=-999 required=5 tests=[AWL=-0.124, BAYES_00=-2.599, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mvD7QdCMODqq for <ipv6@core3.amsl.com>; Mon, 3 Jan 2011 11:28:39 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id DC2283A6B12 for <ipv6@ietf.org>; Mon, 3 Jan 2011 11:28:38 -0800 (PST)
Received: by fxm9 with SMTP id 9so13323408fxm.31 for <ipv6@ietf.org>; Mon, 03 Jan 2011 11:30:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=aCpEh/OCKhMLPS8eX1FV1OS9S93Ow1QbqRkLq5pmDRA=; b=vMj6uGuqYXzJnZA4dDoFsJi7TOYvD/X8d07dlf/k4sr2Vqz9xSk/5dlq1pRl4Didje xZXxmzlXLyW0sqboHeerOGest5jX/WGTonJ5/pTtHePQEgfR2pShj6x9n0h0Uk+9BZfh qKzsQNMpOFdcTIK9Rncrt8iIDxGzVDTUQMDXA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=DLPgv3OyX12ID+s5Pn5LDAjhGT0qDm7+Eo1rnBlNEGDL3pWnjRYnTv2I/4n8eiUocT EfWnUJEcAG1UF3iZkpjzruwZdA8YF/B+vbBpCK06414A30rDXkUFdHfVrYaG3ko7rAs3 I+hG3ciwKnnL5T73tjtWGgxlRY1PABR9oid/g=
Received: by 10.223.87.14 with SMTP id u14mr5039359fal.116.1294083045369; Mon, 03 Jan 2011 11:30:45 -0800 (PST)
Received: from [10.1.1.4] ([121.98.190.33]) by mx.google.com with ESMTPS id 5sm4892063fak.23.2011.01.03.11.30.41 (version=SSLv3 cipher=RC4-MD5); Mon, 03 Jan 2011 11:30:44 -0800 (PST)
Message-ID: <4D2223DB.1000708@gmail.com>
Date: Tue, 04 Jan 2011 08:30:35 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Pekka Savola <pekkas@netcore.fi>
Subject: Re: addrsel: privacy addresses within/out of a site
References: <alpine.LRH.2.02.1101031151250.23654@netcore.fi> <20110103204031.0c3589b7@opy.nosense.org> <alpine.LRH.2.02.1101031213060.23654@netcore.fi>
In-Reply-To: <alpine.LRH.2.02.1101031213060.23654@netcore.fi>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jan 2011 19:28:40 -0000

Pekka,

Wouldn't the rule "Use ULA prefix inside the site and PA prefix (with
privacy addresses if desired) otherwise" be simpler? And, by default,
it would prevent the "inside" address being exported by mistake.

Regards
   Brian


On 2011-01-03 23:21, Pekka Savola wrote:
> On Mon, 3 Jan 2011, Mark Smith wrote:
>>> "do not use privacy addresses when communicating inside the site [a
>>> set of
>>> designated destination prefixes], use it by default otherwise"
>>>
>>
>> I'd be curious what the benefits are.
>>
>> The only reason I could think of as to why to do this is to be able to
>> associate internal application access logs with internal hosts. At face
>> value that sounds useful, however if you really care about auditing
>> application access and use, it isn't the hosts you need to worry about,
>> but the people behind them - and they can usually easily change hosts.
>> So I think those applications should be using proper AAA to identify the
>> user, rather than using IPv6 host identifiers as very poor substitutes
>> for user identities.
> 
> One use case is administrators running ssh, vnc or some such remote
> management to the client OS.  The conclusion from looking at various
> similar cases was that systems need to have a well-known (non-privacy)
> IP where they can be reached and run TCP services at, or the privacy IP
> needs to be stored in DNS (not much point in that..).
> 
> Also, many site-internal access control mechanisms (for example,
> hosts.allow for ssh, some others for e.g. web browsing) use
> host-specific IPs in addition to other checks.  In some cases these
> could be substituted with stronger upper-layer identities e.g with
> certificates.
> 
> On the other hand, user identification due to static EU64 is a little
> bit of concern e.g. with web surfing, but this also applies to other
> applications so the issue does not go away with application-specific
> tuning.
>

v2.23.0 | Report a Bug | By Email