
RE: IPv6 addressing limitations (was "national security")

2003-12-02 13:03:58
Keith,

Fortunately the mistake is easily rectified, so long
as software doesn't get into the habit of expecting the lower 64 bits
of an address to be a unique interface identifier.

This is a dangerous prospect.  The company I work for makes a networking
stack and our IPv6 implementation expects the lower 64 bits to be the unique
interface identifier.  Other implementations do the same.  Now would be the
time to change the spec if it's going to be done, otherwise it will already
have market penetration just like NAT.

Dan 


-----Original Message-----
From: owner-ietf(_at_)ietf(_dot_)org [mailto:owner-ietf(_at_)ietf(_dot_)org] On Behalf Of Keith Moore
Sent: Tuesday, December 02, 2003 1:03 PM
To: Iljitsch van Beijnum
Cc: moore(_at_)cs(_dot_)utk(_dot_)edu; anthony(_at_)atkielski(_dot_)com; ietf(_at_)ietf(_dot_)org
Subject: IPv6 addressing limitations (was "national security")


RFC 3513 mandates that all unicast IPv6 addresses except the ones 
starting with the bits 000 must have a 64-bit interface identifier in 
the lower 64 bits.

This was shortsighted, just like having the notion of "class" built into
IPv4 addresses was shortsighted.  People are going to need to subnet
past /64 sooner rather than later, and subnetting past /64 is a LOT
better than NAT.  Fortunately the mistake is easily rectified, so long
as software doesn't get into the habit of expecting the lower 64 bits
of an address to be a unique interface identifier.

This has some important advantages, most notably it 
allows stateless autoconfiguration. 

Providing an alternative to stateless autoconfiguration for subnets
past /64 might be an acceptable compromise.

Putting a 64-bit crypto-based host identifier in the bottom 64 bits of
IPv6 addresses shouldn't get in the way of regular IPv6 addressing
mechanisms and/or operation.

Putting a crypto-based host identifier in the address is unnecessary,
since there's really no need to include a strong host identifier in
every packet sent to a host.  The locator alone is usually sufficient,
and if that's not sufficient, the sender can generally encrypt the
traffic with a secret known only to the intended destination.

Keith
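The hazard Dan and Keith are discussing, shown as an added Python example (not code from either poster or from any real stack): a stack that hard-codes the RFC 3513 split treats two addresses in different /72 subnets as two hosts on one /64 link, while a split that honours the configured prefix length tells them apart. The addresses and the /72 plan are constructed for the example.

```python
import ipaddress

# Constructed sample plan: one /64 carved into /72 subnets, i.e. the thread's
# "subnetting past /64" scenario. Addresses are made up for this example.
HOST_A = "2001:db8:0:1:0100::10"   # lives in 2001:db8:0:1:0100::/72
HOST_B = "2001:db8:0:1:0200::10"   # lives in 2001:db8:0:1:0200::/72
SITE_PREFIX_LEN = 72


def split_fixed_64(addr: str) -> tuple[int, int]:
    """Split the way a stack that hard-codes RFC 3513 does: the upper 64 bits
    are the subnet prefix, the lower 64 bits are the interface identifier."""
    a = int(ipaddress.IPv6Address(addr))
    return a >> 64, a & ((1 << 64) - 1)


def split_at_prefix(addr: str, prefix_len: int) -> tuple[int, int]:
    """Split at the prefix length the network actually uses; any length from
    0 to 128 is accepted, so /72 and longer are handled like any other."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("IPv6 prefix length must be 0..128")
    a = int(ipaddress.IPv6Address(addr))
    host_bits = 128 - prefix_len
    return a >> host_bits, a & ((1 << host_bits) - 1)


def same_subnet_fixed_64(addr1: str, addr2: str) -> bool:
    """On-link decision of a stack that assumes every subnet is a /64."""
    return split_fixed_64(addr1)[0] == split_fixed_64(addr2)[0]


def same_subnet(addr1: str, addr2: str, prefix_len: int) -> bool:
    """On-link decision that honours the configured prefix length."""
    return split_at_prefix(addr1, prefix_len)[0] == split_at_prefix(addr2, prefix_len)[0]


if __name__ == "__main__":
    # The /64 assumption sees two hosts on one link; the /72 plan says otherwise,
    # so a hard-coded stack would try on-link delivery where it should route.
    print("fixed /64 says same subnet:", same_subnet_fixed_64(HOST_A, HOST_B))        # True
    print("/72 plan says same subnet: ", same_subnet(HOST_A, HOST_B, SITE_PREFIX_LEN))  # False
    print("host part under /72:", hex(split_at_prefix(HOST_A, SITE_PREFIX_LEN)[1]))   # 0x10
```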