IETF Logo Mail Archive

Re: draft-gont-6man-managing-privacy-extensions-00.txt

Doug Barton <dougb@dougbarton.us> Sun, 13 March 2011 00:49 UTC

Return-Path: <dougb@dougbarton.us>
X-Original-To: ipv6@core3.amsl.com
Delivered-To: ipv6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 938183A6A9D for <ipv6@core3.amsl.com>; Sat, 12 Mar 2011 16:49:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.581
X-Spam-Level:
X-Spam-Status: No, score=-2.581 tagged_above=-999 required=5 tests=[AWL=0.018, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QbMQO2U2bmv1 for <ipv6@core3.amsl.com>; Sat, 12 Mar 2011 16:49:02 -0800 (PST)
Received: from mail2.fluidhosting.com (mx22.fluidhosting.com [204.14.89.5]) by core3.amsl.com (Postfix) with ESMTP id B3B8C3A6A84 for <ipv6@ietf.org>; Sat, 12 Mar 2011 16:49:01 -0800 (PST)
Received: (qmail 24320 invoked by uid 399); 13 Mar 2011 00:50:17 -0000
Received: from router.ka9q.net (HELO doug-optiplex.ka9q.net) (dougb@dougbarton.us@75.60.237.91) by mail2.fluidhosting.com with ESMTPAM; 13 Mar 2011 00:50:17 -0000
X-Originating-IP: 75.60.237.91
X-Sender: dougb@dougbarton.us
Message-ID: <4D7C14C7.4020508@dougbarton.us>
Date: Sat, 12 Mar 2011 16:50:15 -0800
From: Doug Barton <dougb@dougbarton.us>
Organization: http://SupersetSolutions.com/
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.2.15) Gecko/20110304 Thunderbird/3.1.9
MIME-Version: 1.0
To: Christian Huitema <huitema@microsoft.com>
Subject: Re: draft-gont-6man-managing-privacy-extensions-00.txt
References: <7111FC5F-BC3F-4242-9C3F-037E79894749@gmail.com> <alpine.DEB.1.10.1103091212570.7942@uplift.swm.pp.se> <4D77CBB9.1080702@gmail.com> <233b01cbdef5$8e214550$aa63cff0$@com> <25B3D469-F3DA-4A1D-A462-FEB71FA69485@gmail.com> <091D1284-99E4-450E-8AFF-7D4C6310D760@apple.com> <78B923726E7D59429936580CF127E943A13E758C27@eu1rdcrdc1wx032.exi.nxp.com> <262f01cbdf5d$607c69f0$21753dd0$@com> <4D7C0EE5.2080405@gont.com.ar> <22F6318E46E26B498ABC828879B08D4F0C2420@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <22F6318E46E26B498ABC828879B08D4F0C2420@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
X-Enigmail-Version: 1.1.2
OpenPGP: id=1A1ABC84
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Mar 2011 00:49:03 -0000

On 03/12/2011 16:44, Christian Huitema wrote:
>> It doesn't. The I-D aims at allowing routers specify which policy they want hosts to employ when generating their IPv6 addresses.
>
> Uh? I definitely don't want to give the router at Starbucks the means to specify the privacy configuration of my laptop.
>
> I understand that corporation want to enforce policies so PC and routers are easier to manage, but we have to be careful. If we define that policy as part of the address configuration standard, then it will apply everywhere, not just in the corporate network where the laptop is managed. That seems a terrible idea.
>
> If we want policy options to be applied safely, they have to be propagated by trusted mechanism, where the host can verify the authority of the policy source. Anything else is abuse waiting to happen.

Please consider this my periodic repetition of support for what 
Christian is saying here, along with my periodic repetition of 
opposition to (further) modifying RA/SLAAC to do things that DHCP 
can/does do, or should be doing.

And to state publicly something that I discussed in private, I'm 
completely unsympathetic to the viewpoint that "we need to show to the 
auditors that we tried to prevent hosts from doing bad things" in the 
absence of rigorous security steps to _actually_ prevent them.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

v2.23.0 | Report a Bug | By Email