[143241] in North American Network Operators' Group
Re: dynamic or static IPv6 prefixes to residential customers
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Aug 3 16:16:14 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <12577234.405.1312393991908.JavaMail.root@benjamin.baylink.com>
Date: Wed, 3 Aug 2011 13:14:52 -0700
To: Jay Ashworth <jra@baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Aug 3, 2011, at 10:53 AM, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Owen DeLong" <owen@delong.com>
>
>> On Aug 3, 2011, at 6:55 AM, Jay Ashworth wrote:
>>> You guys aren't *near* paranoid enough. :-)
>>>
>>> If the ISP
>>>
>>> a) Assigns dynamic addresses to customers, and
>>> b) changes those IPs on a relatively short scale (days)
>>>
>>> then
>>>
>>> c) outside parties *who are not the ISP or an LEO* will have a
>>> relatively harder time tying together two visits solely by the IP
>>> address.
>>
>> ROFL... Yeah, right... Because the MAC suffix won't do anything.
>
> Did I mention I haven't implemented v6 yet? :-)
>
No, you didn't. Perhaps you should spend some time learning about
it before you opine on how it should or should not be implemented.
FWIW, I have implemented IPv6 in multiple organizations, including
my home where I've been running with it for several years.
> *Really*? It bakes the endpoint MAC into the IP? Well, that's miserably
> poor architecture design.
>
It can and it is a common default. It is not required.
It's actually rather elegant architecture design for the goals it was
implemented to accomplish.
>>> While this isn't "privacy", per se, that "making harder" is at least
>>> somewhat useful to a client in reducing the odds that such non-ISP/LEO
>>> parties will be unable to tie their visits, assuming they've controlled
>>> the items they *can* control (cookies, flash cookies, etc).
>>
>> Which is something, what, 1% of people probably even know how to do,
>> let alone practice on a regular basis.
>
> Yup; let's go out of our way to penalize the smart people; that's a
> *great* plan; I so enjoy it when people do it -- and they do it *far*
> too often for my tastes.
>
No, my point is that if you use RFC-4193, there's not really much benefit
from altering the prefix, so, nobody gets penalized and you can still have
static addresses.
Further, I consider myself relatively smart and by not having static prefixes,
you're blocking things I want, so, arguably dynamic prefixes also penalize
the smart people.
>>> Imperfect security != no security, *as long as you know where the
>>> holes are*.
>>
>> If people want this, they can use RFC-4193 to just about the same
>> effect. The ISP modifying the prefix regularly simply doesn't do much.
>
> I'll make a note of it.
>
Let me know if you have further questions.
Owen
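The two mechanisms argued over in this message, as an added Python example that is not part of the thread and not code posted by either participant: a modified EUI-64 interface identifier embeds the host's MAC (ff:fe inserted in the middle, universal/local bit flipped), so an operator can audit an address inventory for hosts that expose a MAC no matter how often the upstream /64 is rotated; and an RFC 4193 ULA prefix is derived from an NTP timestamp and an EUI-64 through SHA-1, so a site keeps stable internal addresses independent of the ISP-assigned prefix. The MACs, the addresses and the fixed NTP timestamp are constructed samples, and the function names are my own.

```python
import hashlib
import ipaddress
import time
from typing import Dict, Iterable, Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A): split the
    48-bit MAC, insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def mac_from_iid(iid: bytes) -> Optional[str]:
    """Recover the MAC from a modified EUI-64 interface identifier. Returns None
    when the ff:fe marker is absent (an RFC 4941 temporary or hand-picked IID)."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def mac_embedded_in(addr: str) -> Optional[str]:
    """MAC carried in the low 64 bits of an IPv6 address, or None."""
    return mac_from_iid(ipaddress.IPv6Address(addr).packed[8:])


def audit_mac_exposure(addrs: Iterable[str]) -> Dict[str, str]:
    """Map each address whose interface identifier is MAC-derived to the MAC it
    leaks. Rotating the /64 prefix does not help these hosts: the suffix is constant."""
    found: Dict[str, str] = {}
    for addr in addrs:
        mac = mac_embedded_in(addr)
        if mac is not None:
            found[addr] = mac
    return found


def ula_prefix(mac: str, ntp_time: Optional[int] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = least significant 40 bits of
    SHA-1(64-bit NTP time || EUI-64), prefixed with fd00::/8 (fc00::/7, L bit set),
    giving a /48 that needs no coordination with the ISP-assigned prefix."""
    if ntp_time is None:
        now = time.time()
        ntp_time = ((int(now) + NTP_EPOCH_OFFSET) << 32) | int((now % 1) * (1 << 32))
    key = ntp_time.to_bytes(8, "big") + eui64_from_mac(mac)
    global_id = hashlib.sha1(key).digest()[-5:]
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))


# Constructed sample inventory: two hosts in one /64, one with a SLAAC/EUI-64
# identifier and one whose identifier carries no ff:fe marker.
SAMPLE_ADDRS = [
    "2001:db8:1::21b:21ff:feaa:bbcc",  # EUI-64 form of MAC 00:1b:21:aa:bb:cc
    "2001:db8:1::a1b2:c3d4:e5f6:789",  # nothing recoverable from this suffix
]

if __name__ == "__main__":
    for addr, mac in audit_mac_exposure(SAMPLE_ADDRS).items():
        print(f"{addr} exposes MAC {mac}")
    # Fixed (constructed) NTP timestamp so the run is reproducible; real use takes the clock.
    print("ULA prefix:", ula_prefix("00:1b:21:aa:bb:cc", ntp_time=0xD1F9A3E800000000))
```

The audit reports only addresses whose low 64 bits contain the ff:fe marker; hosts running RFC 4941 temporary addresses, or with DHCPv6- or manually assigned identifiers, come back clean, which is the check to run before concluding that prefix rotation buys any unlinkability at all.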