Re: 64-bit identifiers
At 19:10 09/08/01, you wrote:
>The low-order 64 bits of an IPv6 "privacy" address *is* probabilistically
>unique, given that it's a pseudo-randomly-generated 64-bit number.
We disagree on the math here. My analysis, based in part on discussions
with some folks who have running code for hosts, is that the low-order
bits in the "privacy" case will probably collide frequently.
In particular, approaches that use the MAC of the NIC card as seed
will usually generate visibly more collisions than those that start
with an appropriate number of Heisenberg-quality random bits (RFC-1750).
The former appears to be a common approach, the latter very uncommon.
Along similar lines, a common issue with IPsec implementations is
that most folks don't understand randomness issues and how to
implement them properly (despite RFC-1750's specific advice).
As I noted earlier, this isn't a criticism or anything necessarily bad,
it is merely the reality of the situation we have on the ground.
Folks need to design accordingly.
>How low does the probability of collision have to be for your purposes?
Very low. Not zero. For example, one could live with collisions with
the same frequency that one would happen to get two different NIC cards
with the same burned-in MAC address (e.g. due to factory error).
Ran
rja@inet.org
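
The collision math under discussion, as an added example that is not part of the original message or of any implementation mentioned in it. It goes beyond the thread by treating the identifier's effective entropy as a parameter: a deterministic generator emits 64-bit values, but they collide according to the entropy of its seed. `derive_identifier` (SHA-256 truncated to 64 bits) and the `seed_bits` parameter are constructed stand-ins, not the privacy-address algorithm.

```python
import hashlib
import math
import random


def collision_probability(n_hosts: int, entropy_bits: float) -> float:
    """Birthday bound: P(at least two of n_hosts share an identifier)
    when each identifier carries entropy_bits of real randomness."""
    space = 2.0 ** entropy_bits
    # 1 - exp(-n(n-1)/2N), computed with expm1 so tiny values survive.
    return -math.expm1(-n_hosts * (n_hosts - 1) / (2.0 * space))


def hosts_for_probability(p: float, entropy_bits: float) -> int:
    """Approximate host count at which the collision probability reaches p."""
    space = 2.0 ** entropy_bits
    return math.ceil(math.sqrt(-2.0 * space * math.log1p(-p)))


def derive_identifier(seed: int) -> int:
    """Constructed stand-in for a deterministic generator: always yields
    a 64-bit value, but equal seeds yield equal identifiers."""
    digest = hashlib.sha256(seed.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")


def simulate_collisions(n_hosts: int, seed_bits: int, rng_seed: int = 1) -> int:
    """Count hosts whose 64-bit identifier duplicates an earlier host's,
    when each host's seed has only seed_bits of entropy."""
    rng = random.Random(rng_seed)  # fixed so the run is repeatable
    seen, duplicates = set(), 0
    for _ in range(n_hosts):
        ident = derive_identifier(rng.getrandbits(seed_bits))
        if ident in seen:
            duplicates += 1
        seen.add(ident)
    return duplicates


if __name__ == "__main__":
    # Constructed scenario: 10000 hosts, varying seed entropy.
    for bits in (16, 24, 32, 48, 64):
        print(f"{bits:2d} seed bits: "
              f"P(collision) = {collision_probability(10_000, bits):.3e}, "
              f"50% point at {hosts_for_probability(0.5, bits)} hosts, "
              f"simulated duplicates = {simulate_collisions(10_000, bits)}")
```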