Re: Feedback on draft-gont-6man-stable-privacy-addresses-01

Fernando Gont <> Sat, 14 April 2012 14:34 UTC


On 04/14/2012 12:30 PM, Tim Chown wrote:
> A while ago I put this one forward, which is an alternative to
> Fernando's suggestion that you have to set the whole address:
>  This was based on existing implementations, in Solaris and Linux (as
> a demonstrator), with the potential for simpler renumbering in mind.

Does this really help renumbering? e.g., if you have ACLs, they are
based on the whole IPv6 address, rather than on the IID...

> It's probably the complete antithesis of what Fernando is trying to
> achieve, but is aimed at the type of (server) systems that would
> probably be DNS-advertised anyway.

Note that having an address advertised in the DNS does not necessarily
mean that predictable addresses are not useful to an attacker.

For example, let's assume that you know that a network link hosts 100
different servers, each with a different domain.

If their addresses are not predictable, and the attacker wants to find
all of them, he may have to rely on a "dictionary" attack. However, if
the addresses *are* predictable, he could just sweep the interested part
of the address space.

Note: I still don't understand the use case for this technology, or how
the IIDs would be selected (but since they seem to be
manually-generated, I'd expect them to be "low-byte", such as ::1, ::2,


Best regards,
Fernando Gont
SI6 Networks
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
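
Added example, not part of the original message: a short Python audit that a network operator could run over their own address plan to see which server addresses fall into the predictable patterns discussed above. The 16-bit "low-byte" threshold, the function names and the 2001:db8:: sample addresses are assumptions constructed for illustration, and the EUI-64 check goes beyond the low-byte case the message mentions.

```python
import ipaddress

LOW_BYTE_BITS = 16  # assumption: "low-byte" = only the low 16 bits of the IID are set

def iid_of(addr: str) -> int:
    """Return the 64-bit interface identifier (low half) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)

def classify_iid(addr: str) -> str:
    """Label the IID pattern: 'low-byte', 'eui-64' or 'other'."""
    iid = iid_of(addr)
    if iid < (1 << LOW_BYTE_BITS):
        return "low-byte"            # e.g. ::1, ::2, typical of manual assignment
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui-64"              # MAC-derived IID carries ff:fe in the middle
    return "other"

def candidate_space(kind: str) -> int:
    """Candidate IIDs per /64 that cover every address of the given pattern."""
    return {
        "low-byte": 1 << LOW_BYTE_BITS,
        "eui-64": 1 << 24,           # per known vendor OUI, only 24 bits vary
        "other": 1 << 64,            # no structure: the whole IID space
    }[kind]

def audit(addresses):
    """Group addresses by IID pattern so predictable ones can be reviewed."""
    report = {"low-byte": [], "eui-64": [], "other": []}
    for addr in addresses:
        report[classify_iid(addr)].append(addr)
    return report

# Constructed sample inventory (documentation prefix 2001:db8::/32).
SAMPLE = [
    "2001:db8:0:1::1",
    "2001:db8:0:1::2",
    "2001:db8:0:1::53",
    "2001:db8:0:1:211:22ff:fe33:4455",
    "2001:db8:0:1:9c3e:51a7:0b2f:77d4",
]

if __name__ == "__main__":
    for kind, addrs in audit(SAMPLE).items():
        print(f"{kind:8} {len(addrs)} address(es), "
              f"candidate space 2^{candidate_space(kind).bit_length() - 1}")
```

Addresses reported as "low-byte" are the ones that stay discoverable even when no DNS name for them is known.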