
Re: Netfilter (Linux) Does IPv6 NAT

2011-12-05 23:15:38

In message <4EDD894E(_dot_)6030408(_at_)gmail(_dot_)com>, Brian E Carpenter writes:
On 2011-12-06 15:40, Martin Rex wrote:
Brian E Carpenter wrote:
Martin Rex wrote:
Sabahattin Gucukoglu wrote:
In case you didn't see this:
http://www.h-online.com/open/news/item/Netfilter-developers-working-on-NAT-for-ip6tables-1385877.html

It's a complete IPv6 NAT implementation with the functionality of
the IPv4 one in the same stack.  ALGs.  Port translation.  Connection
tracking.  You don't need me to tell you why I don't like this.

I fail to understand the issue that you have with this.

Doing home gateways and *NOT* using dynamic temporary IPv6 addresses for
outbound connections by default (i.e. *NO* static network prefix that
can be linked to a single ISP customer) 

I think you're confused. Whatever IPv6 source address is in the outgoing
packet from the CPE is bound 1:1 to the subscriber. You can't conceal
the address of the subscriber, if you ever want to get any packets back.

The outgoing packet is bound 1:1 to the ISP of the subscriber, and only
the ISP knows to which of his customers he is routing the datagrams
during any specific point in time.  The DHCP lease should be 24h at most
and the ISP is bound by data protection laws to not make the mapping
publicly accessible except under very specific legal exceptions.

If you are paranoid about your IP address, that's fine. Personally, I prefer
a stable address. If your IPv6 prefix changes every day, your home network
will get renumbered every day. What does this have to do with NAT?

If you want to protect the privacy of individuals within the home (etc.)
behind the CPE, you can use IPv6 privacy addresses. But the traffic will
still be traceable back to the CPE, of course.

The so-called "IPv6 privacy addresses" are terminology fud.

No, there is no fear, uncertainty or doubt involved. If you don't want
to be traceable by your MAC address, use privacy addresses. That will
even conceal from parents which child is downloading music.

If parents want to know which child is doing what they can do that
even with privacy addresses.  Privacy addresses don't change the
MAC, they just don't encode the MAC in the IPv6 address.  If the
kids start playing MAC games, use 802.1X.

I hope you aren't under the illusion that NAT44 in CPE provides any
privacy.

For my ISP (and it seems to be the norm for German home customers),
that is not an illusion, but rather a feature.

You mean there is a privacy benefit in translating some address such
as 10.1.1.2 into a routeable IPv4 address that can, as you say, be traced
back to you even if it changes every day?

You'll have to explain that.

    Brian
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
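The point above, that a privacy address leaves the MAC alone and only stops encoding it in the address, can be checked from the address itself. This is an added example, not code from the thread: it decodes the modified EUI-64 interface identifier (RFC 4291) that SLAAC derives from a MAC, and reports None for addresses such as RFC 4941 temporary addresses that carry no MAC. The prefix and MAC values are constructed sample data.

```python
import ipaddress
from typing import List, Optional, Tuple

def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC encoded in a modified-EUI-64 interface identifier,
    or None when the address does not look EUI-64 derived (for example an
    RFC 4941 temporary "privacy" address or a manually assigned one).
    Heuristic: a random identifier carries 0xFFFE at that offset with
    probability 2**-16, so treat a hit as "probably exposed", not proof."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    # Modified EUI-64 splices 0xFFFE between the two halves of the 48-bit MAC.
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                          # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def eui64_address(prefix: str, mac: str) -> str:
    """Build the SLAAC address a host derives from its MAC under a /64."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))

def exposed_hosts(addrs: List[str]) -> List[Tuple[str, str]]:
    """Audit helper: list (address, mac) for every address that leaks a MAC."""
    found = []
    for a in addrs:
        mac = embedded_mac(a)
        if mac is not None:
            found.append((a, mac))
    return found

if __name__ == "__main__":
    # Constructed sample: one SLAAC/EUI-64 address, one privacy-style address.
    sample = [
        eui64_address("2001:db8::/64", "00:1b:21:3c:4d:5e"),
        "2001:db8::a1b2:c3d4:e5f6:789a",
    ]
    for a in sample:
        print(a, "->", embedded_mac(a))
```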