RE: 3484bis and privacy addresses

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 05 April 2012 07:01 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADC9911E80F8 for <ipv6@ietfa.amsl.com>; Thu, 5 Apr 2012 00:01:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1oZMLMIuuvDT for <ipv6@ietfa.amsl.com>; Thu, 5 Apr 2012 00:01:39 -0700 (PDT)
Received: from bgl-iport-1.cisco.com (bgl-iport-1.cisco.com [72.163.197.25]) by ietfa.amsl.com (Postfix) with ESMTP id 583D011E80AB for <ipv6@ietf.org>; Thu, 5 Apr 2012 00:01:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=tireddy@cisco.com; l=10136; q=dns/txt; s=iport; t=1333609298; x=1334818898; h=mime-version:subject:date:message-id:in-reply-to: references:from:to:cc; bh=Prx8nTOFJYivrW0wbXQUym+j4gTvnz+IVd2vV/PoWvM=; b=HoREjPc7qH9DhEdVg/a/H/vdO1RyU8uufHcPtYeSxN529J7mJHLp5orc A4OtH8BXJA9mvxT/o0wDSvQF6BAX4+swa0SChpy1sQ2j4UZxXZew28f4d bnYEB2Y2aAs1D4iD2/4Yv6v/gZ5oOdW+zFC31L+28s33YdvBnBWC8+Z8P g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqAEAF5CfU9Io8UY/2dsb2JhbAA7AQmCRrcZggkBAQEEEgEJEQNJEAIBCBEEAQELBhcBBgFFCQgBAQQBCgYCCBqHbAubQJ9kiwkBhGJjBIhXjiKNOYFpgm82gRYX
X-IronPort-AV: E=Sophos;i="4.75,374,1330905600"; d="scan'208,217";a="9329834"
Received: from vla196-nat.cisco.com (HELO bgl-core-1.cisco.com) ([72.163.197.24]) by bgl-iport-1.cisco.com with ESMTP; 05 Apr 2012 07:01:36 +0000
Received: from xbh-bgl-412.cisco.com (xbh-bgl-412.cisco.com [72.163.129.202]) by bgl-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id q3571ast016278; Thu, 5 Apr 2012 07:01:36 GMT
Received: from xmb-bgl-41b.cisco.com ([72.163.129.217]) by xbh-bgl-412.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 5 Apr 2012 12:31:36 +0530
X-MimeOLE: Produced By Microsoft Exchange V6.5
x-cr-hashedpuzzle: CB5M CQ0H ELko EVSi Ejxt G0BQ HtRS IXOw RY25 RzWc R7ow Wxtg Xlqh Ydil ZrKk aPKt; 3; YgByAGkAYQBuAEAAaQBuAG4AbwB2AGEAdABpAG8AbgBzAGwAYQBiAC4AbgBlAHQAOwBpAHAAdgA2AEAAaQBlAHQAZgAuAG8AcgBnADsAcgBhAHkALgBoAHUAbgB0AGUAcgBAAGcAbABvAGIAaQBzAC4AbgBlAHQA; Sosha1_v1; 7; {6906F1D6-4174-4B4B-A023-D68BE76C5779}; dABpAHIAZQBkAGQAeQBAAGMAaQBzAGMAbwAuAGMAbwBtAA==; Thu, 05 Apr 2012 06:59:12 GMT; UgBFADoAIAAzADQAOAA0AGIAaQBzACAAYQBuAGQAIABwAHIAaQB2AGEAYwB5ACAAYQBkAGQAcgBlAHMAcwBlAHMA
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CD12F9.F0E426DA"
x-cr-puzzleid: {6906F1D6-4174-4B4B-A023-D68BE76C5779}
Content-class: urn:content-classes:message
Subject: RE: 3484bis and privacy addresses
Date: Thu, 5 Apr 2012 12:29:12 +0530
Message-ID: <454A16E4DA86094EB66BB2C1DBBBC0180796978B@XMB-BGL-41B.cisco.com>
In-Reply-To: <4F71F217.7000209@globis.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: 3484bis and privacy addresses
Thread-Index: Ac0MPnpod08JiVUiTzCsLTHstD7KwwGtnTkA
References: <4F716D5C.40402@innovationslab.net> <4F71F217.7000209@globis.net>
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: "Ray Hunter" <Ray.Hunter@globis.net>, "Brian Haberman" <brian@innovationslab.net>
X-OriginalArrivalTime: 05 Apr 2012 07:01:36.0415 (UTC) FILETIME=[F1105AF0:01CD12F9]
Cc: "Prashanth Patil \(praspati\)" <praspati@cisco.com>, ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2012 07:01:45 -0000

Firewall policies are moving towards identity (user, user-group) +
context (location, Bring your Own Device (BYOD)) attributes to enforce
appropriate policies. In enterprises hosts with EAP kind of supplicants
can be tracked even when the IP changes but for guests, BYOD without
such supplicants IP address based authentication is still required and
for such users, switches acting as DHCP relay agent can influence the
DHCP server not to assign temporary addresses
(http://tools.ietf.org/html/draft-reddy-mif-dhcpv6-precedence-ops-00)

 

Regards

Tiru.

 

From: ipv6-bounces@ietf.org [mailto:ipv6-bounces@ietf.org] On Behalf Of
Ray Hunter
Sent: Tuesday, March 27, 2012 10:30 PM
To: Brian Haberman
Cc: ipv6@ietf.org
Subject: Re: 3484bis and privacy addresses

 

>From the corporate World: option A as default, with local user
controlled option to override.

RFC3484 (which references RFC3041) "Temporary addresses" are a menace to
fault finding, audit, logging, firewall rules, filtering, QoS matching,
conformance: anywhere where an ACL or stable address is used today. Sure
we shouldn't use fixed/stable IP literals, but we do. And in many cases
there aren't any practical alternatives in today's products, so the IP
address is the lowest common denominator used to identify a machine (and
dare I say even "a user" in some circumstances).

Also not sure if any DHCPv6 server implementations actually provide
DHCPv6 assigned temporary addresses in practice.

My take on this is that a set of a few hundred individual persons who
are worried about privacy are more likely to be able to control their
own particular machines to correctly override the "default off" setting
than a single corporate network manager is to be able to guarantee
overriding a "default on" setting on 100% of 10000 machines attached to
their network.

regards,
RayH

Brian Haberman wrote: 

<div class="moz-text-flowed">All, 
     The chairs would like to get a sense of the working group on
changing the current (defined 3484) model of preferring public addresses
over privacy addresses during the address selection process.  RFC 3484
prefers public addresses with the ability (MAY) of an implementation to
reverse the preference.  The suggestion has been made to reverse that
preference in 3484bis (prefer privacy addresses over public ones).
Regardless, the document will allow implementers/users to reverse the
default preference. 

     Please state your preference for one of the following default
options : 

A. Prefer public addresses over privacy addresses 

B. Prefer privacy addresses over public addresses 

Regards, 
Brian, Bob, & Ole 

</div> 

 

-- 
Ray Hunter
Ray.Hunter@globis.net
Globis Consulting BV, Fazantlaan 23, 5613CB Eindhoven NL,
Registered at the KvK, Eindhoven, under number BV 17098279
mobile: +31 620 363864