This is a retransmission with a source address accepted on this
Apologies to those who received it already.
If you respond, please use preferably this copy.
Harald Alvestrand wrote:
One approach to achieve it could be ias follows:
Mark Andrews skrev:
You also don't want to do it as you would also need massive churn in
Microsoft gets this wrong as they don't register the privacy addresses
in the DNS which in turn causes services to be blocked because there
is no address in the DNS.
perhaps the advent of IPv6 will result in people finally (*finally*)
giving up on this sorry excuse for a security blanket? (calling it a
"mechanism" is too kind)
Or perhaps it'll just make people register wildcard records at the /64
level in ip6.arpa :-(
- An IPv6 link where some privacy source addresses may be used would
have in the DNS a record for a "generic privacy address".
- This address would be the /64 of the link followed by an agreed
"joker IID" (0:0:0:0 or some other to be agreed on, e.g. FFFF:0:0:0).
- Resolvers, if they recognize a privacy remote address, would query
the reverse DNS with this "generic privacy address" of the remote link.
- They could also do this type of queries after failures of full
Privacy addresses, as specified today, cannot be distinguished with
100% certainety from addresses obtained with stateful DHCPv6.
A proposal would be an addition to the privacy extension spec (rfc
- A variant of privacy addresses would be defined for "dsitinguishable
- These addresses would, for example, have FF00::/8 at the beginning
of their IID (no currently specified IPv6 IID begins that way;
randomness on 58 bits is good enough).
- Then resolvers could recognize such privacy addresses for sure, and
could query the reverse DNS with the generic privacy address only when
this is appropriate.
IMHO, this is a feasible step to reconcile: (1) privacy requirements of
individuals; (2) desire to know which site is at the other end where
and when such a desire exists.
IETF mailing list