The assumption that information is present only within the IP address is
This has been studied for mobile IPv6 users as well, and there is information
leakage up and down the stack.
We have local source address selection mechanisms in recent Windows versions
that use randomized IIDs on outbound connections today. This doesn't prevent
exposure of the information regarding the internal network structure, but nor
do firewalls at publically addressed IPv4 institutions today.
Putting NATs on the path just causes the device inside the network to be
unaware of its presented addresses, which means that it will impede
peer-to-peer communications, as it cannot even describe its available services
without external information services.
This is the awful situation in IPv4 today: Address scarcity is not the
problem, addressability is the problem.
[mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of
Sent: Tuesday, 6 December 2011 1:00 PM
Subject: Re: Netfilter (Linux) Does IPv6 NAT
Sabahattin Gucukoglu wrote:
In case you didn't see this:
It's a complete IPv6 NAT implementation with the functionality of the
IPv4 one in the same stack. ALGs. Port translation. Connection
tracking. You don't need me to tell you why I don't like this.
I fail to understand the issue that you have with this.
Doing home gateways and *NOT* using dynamic temporary IPv6 addresses
for outbound connections by default (i.e. *NO* static network prefix
that can be linked to a single ISP customer) would be extremely
irresponsible with respect to data privacy protection.
Without that, I consider IPv6 a complete no-go.
And many DSL routers are based on Linux, so having an implementation of
such a NAT is a prerequisite before IPv6 can be reasonably offered to
home customers in Europe.
I'm perfectly OK with folks getting static IPv6 network prefixes for
specific applications that desperately need it. But the default
definitely ought to be temporary dynamic IPv6 addresses, especially for
Ietf mailing list
Ietf mailing list