nanog mailing list archives

Re: dynamic or static IPv6 prefixes to residential customers
From: Owen DeLong <owen () delong com>
Date: Wed, 3 Aug 2011 13:14:52 -0700

On Aug 3, 2011, at 10:53 AM, Jay Ashworth wrote:

> ----- Original Message -----
> From: "Owen DeLong" <owen () delong com>

>> On Aug 3, 2011, at 6:55 AM, Jay Ashworth wrote:
>>> You guys aren't *near* paranoid enough. :-)
>>>
>>> If the ISP
>>>
>>> a) Assigns dynamic addresses to customers, and
>>> b) changes those IPs on a relatively short scale (days)
>>>
>>> c) outside parties *who are not the ISP or an LEO* will have a
>>> relatively harder time tying together two visits solely by the IP
>>
>> ROFL... Yeah, right... Because the MAC suffix won't do anything.
>
> Did I mention I haven't implemented v6 yet? :-)

No, you didn't. Perhaps you should spend some time learning about
it before you opine on how it should or should not be implemented.

FWIW, I have implemented IPv6 in multiple organizations, including
my home where I've been running with it for several years.

> *Really*?  It bakes the endpoint MAC into the IP?  Well, that's miserably
> poor architecture design.

It can and it is a common default. It is not required.

It's actually rather elegant architecture design for the goals it was
implemented to accomplish.

>>> While this isn't "privacy", per se, that "making harder" is at least
>>> somewhat useful to a client in reducing the odds that such
>>> parties will be unable to tie their visits, assuming they've
>>> the items they *can* control (cookies, flash cookies, etc).
>>
>> Which is something, what, 1% of people probably even know how to do,
>> let alone practice on a regular basis.
>
> Yup; let's go out of our way to penalize the smart people; that's a
> *great* plan; I so enjoy it when people do it -- and they do it *far*
> too often for my tastes.

No, my point is that if you use RFC-4193, there's not really much benefit
from altering the prefix, so, nobody gets penalized and you can still have
static addresses.

Further, I consider myself relatively smart and by not having static prefixes,
you're blocking things I want, so, arguably dynamic prefixes also penalize
the smart people.

>>> Imperfect security != no security, *as long as you know where the
>>> holes are*.
>>
>> If people want this, they can use RFC-4193 to just about the same
>> effect. The ISP modifying the prefix regularly simply doesn't do much.
>
> I'll make a note of it.

Let me know if you have further questions.
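
The MAC-suffix point in the thread, as an added example that is not part of the original message: with SLAAC's modified EUI-64 interface identifiers (RFC 4291, Appendix A), the low 64 bits of a host's address stay the same when the ISP rotates the /64, so two visits still correlate and the MAC can be read back out. The MAC address and the 2001:db8:: prefixes are constructed documentation values, and the function names are this example's own.

```python
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would auto-configure from a /64 prefix using EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return net[eui64_iid(mac)]

def iid_of(addr) -> int:
    """Low 64 bits (interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)

def mac_from_address(addr):
    """MAC embedded in an EUI-64 address, or None if the IID is not EUI-64 shaped."""
    iid = iid_of(addr).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)

def same_host(a, b) -> bool:
    """Two addresses link to one interface when their EUI-64 IIDs match, whatever the prefix."""
    return mac_from_address(a) is not None and iid_of(a) == iid_of(b)

# Constructed sample: one host, two prefixes handed out on different days.
MAC = "00:00:5e:00:53:2a"
day1 = slaac_address("2001:db8:1:1::/64", MAC)
day2 = slaac_address("2001:db8:77:9::/64", MAC)

if __name__ == "__main__":
    print(day1, day2, same_host(day1, day2), mac_from_address(day2))
```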

