
Re: PTR for IPv6 clients (Re: IPv6 NAT?)

2008-02-21 07:34:17
Harald Alvestrand wrote:
Rémi Després wrote:
Harald Alvestrand wrote:
Mark Andrews wrote:
 
You also don't want to do it as you would also need massive churn in
the DNS.

Microsoft gets this wrong as they don't register the privacy addresses
in the DNS which in turn causes services to be blocked because there
is no address in the DNS.
    
perhaps the advent of IPv6 will result in people finally (*finally*)
giving up on this sorry excuse for a security blanket? (calling it a
"mechanism" is too kind)

Or perhaps it'll just make people register wildcard records at the /64
level in ip6.arpa :-(

  
One approach to achieve it could be as follows:
-  An IPv6 link where some privacy source addresses may be used would 
have in the DNS a record for a "generic privacy address".
-  This address would be the /64 of the link followed by an agreed 
"joker IID" (0:0:0:0 or some other to be agreed on, e.g. FFFF:0:0:0).
-  Resolvers, if they recognize a privacy remote address, would query 
the reverse DNS with this "generic privacy address" of the remote link.
-  They could also do this type of query after failures of full 
address queries.

Problem:
Privacy addresses, as specified today, cannot be distinguished with 
100% certainty from addresses obtained with stateful DHCPv6.
A proposal would be an addition to the privacy extension spec (RFC 4941).
- A variant of privacy addresses would be defined for "distinguishable 
privacy addresses".
- These addresses would, for example, have FF00::/8 at the beginning 
of their IID (no currently specified IPv6 IID begins that way; 
randomness on 58 bits is good enough).
- Then resolvers could recognize such privacy addresses for sure, and 
could query the reverse DNS with the generic privacy address only 
when this is appropriate.

IMHO, this is a feasible step to reconcile: (1) privacy requirements 
of individuals; (2) desire to know which site is at the other end 
where and when such a desire exists.
My desire to have privacy is, in itself, something I may want to keep 
private.
I am not sure I see the practical consequences.
If my source address says "I am someone but you will not know who I am", 
isn't this sufficient?

If what you want to know is indeed "which site is at the other end", 
wildcards at the /64 level will achieve that with no changes to existing 
code.

I am not familiar enough with wildcard operation in the DNS.
If it provides for queries that concern only site prefixes, then you are 
right: no need for an agreed "wildcard IID".
The result is the same with existing mechanisms, which is clearly better.

RD

_______________________________________________
IETF mailing list
IETF(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf
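A worked example of the naming discussed in this thread, added here and not part of the original messages: it flags an address as a "distinguishable privacy address" when its IID begins with FF00::/8, derives the reverse name for the link's /64 plus the FFFF:0:0:0 joker IID, and shows that a /64-level wildcard owner name in ip6.arpa covers both that name and the full-address name (Harald's point that no new mechanism is needed). It assumes only Python's standard ipaddress module; the sample addresses are constructed.

```python
import ipaddress

IID_MASK = (1 << 64) - 1
PRIVACY_MARKER = 0xFF            # proposed marker: IID starts with FF00::/8
JOKER_IID = 0xFFFF000000000000   # joker IID FFFF:0:0:0 from the thread

def is_distinguishable_privacy(addr):
    """True when the top 8 bits of the IID are all ones (proposed marker)."""
    a = ipaddress.IPv6Address(addr)
    return ((int(a) & IID_MASK) >> 56) == PRIVACY_MARKER

def generic_privacy_address(addr):
    """Keep the /64 link prefix, replace the host IID with the joker IID."""
    a = ipaddress.IPv6Address(addr)
    return ipaddress.IPv6Address((int(a) & ~IID_MASK) | JOKER_IID)

def ptr_query_name(addr):
    """Reverse name a resolver following the proposal would ask for."""
    a = ipaddress.IPv6Address(addr)
    if is_distinguishable_privacy(a):
        a = generic_privacy_address(a)
    return a.reverse_pointer          # 32 nibble labels + ip6.arpa

def link_wildcard_name(addr):
    """Wildcard owner name at the /64: '*.' + the 16 prefix nibbles + ip6.arpa."""
    labels = ipaddress.IPv6Address(addr).reverse_pointer.split(".")
    return "*." + ".".join(labels[16:])   # drop the 16 host-part nibbles

def wildcard_covers(wildcard, name):
    """Simplified RFC 4592 check: name lies strictly below the wildcard's parent.
    Assumes no closer (more specific) owner name exists in the zone."""
    parent = wildcard[2:]
    return name != parent and name.endswith("." + parent)

if __name__ == "__main__":
    # constructed sample addresses on the same /64
    priv = "2001:db8:1:2:ff12:3456:789a:bcde"   # marked privacy address
    fixed = "2001:db8:1:2::1"                   # ordinary host address
    wild = link_wildcard_name(priv)
    for host in (priv, fixed):
        q = ptr_query_name(host)
        print(host, "->", q, "covered by", wild, wildcard_covers(wild, q))
```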
