
RE: Comments on draft-nordmark-multi6-threats-01

> > Yes, and we should make it very clear that an identifier that can be
> > used on one interface (physical or otherwise) MUST also be usable as an
> > identifier on any other interface (physical or otherwise) that the
> > system has available. Identifiers should be tied to hosts, not to
> > interfaces.
> 
> Seems like we all agree.

If by identifiers you mean the last 64 bits of an IPv6 address, then I
certainly disagree. Mandating that hosts should use the same bottom 64
bits on every interface would have some severe privacy implications. The
basic assumption should be that third parties should not be able to
correlate addresses/locators used on different interfaces or on
different networks without the host's consent.
 
> > On a related note: the SEND CGA stuff mandates using the subnet prefix
> > in creating the interface identifier and as such makes it impossible to
> > have the same interface identifier in different subnets. I was unable
> > to convince them of the error of their ways and apparently there was no
> > IETF last call or I missed it so now this stupidity is an RFC. We
> > should do our best to make sure there isn't any more of this.
> 
> It isn't necessarily a bug to have *interface* identifiers that are
> tied to interfaces, even though we want to have stack names or host
> identifiers that are not.

I think SEND is doing the exact right thing, from a privacy and security
point of view.

-- Christian Huitema
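The disagreement above turns on one mechanical detail of CGA (RFC 3972): the interface identifier is the leftmost 64 bits of a SHA-1 over the modifier, the 64-bit subnet prefix, the collision count and the public key, so the same key and modifier yield a different identifier on every subnet, and a verifier that recomputes the hash rejects an identifier carried over from another prefix. The script below is an added example, not code from this thread or from any SEND implementation; it follows the RFC 3972 generation and verification steps, but the "public key" is a constructed placeholder byte string rather than a real DER-encoded RSA key, the example prefixes are documentation addresses, and the Hash2 search is shown only for the Sec values used here.

```python
"""Cryptographically Generated Addresses (RFC 3972), reduced to the hash steps.

Assumptions for this example: PUBKEY is a placeholder byte string standing in
for the DER-encoded public key, and the subnet prefixes are 2001:db8::/32
documentation addresses.
"""
import hashlib
import ipaddress
import os

# Constructed placeholder; a real CGA hashes the DER-encoded RSA public key.
PUBKEY = b"EXAMPLE-PUBLIC-KEY-PLACEHOLDER"


def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier || 9 zero bytes || key); its leftmost 16*Sec bits must be zero."""
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    leftmost_112 = int.from_bytes(h2[:14], "big")
    return sec == 0 or (leftmost_112 >> (112 - 16 * sec)) == 0


def find_modifier(pubkey: bytes, sec: int) -> bytes:
    """Step 1-3 of generation: start from a random modifier and increment until Hash2 passes.

    Sec=0 accepts the first modifier; Sec=1 needs ~2^16 SHA-1 evaluations on average.
    """
    m = int.from_bytes(os.urandom(16), "big")
    while True:
        modifier = m.to_bytes(16, "big")
        if hash2_ok(modifier, pubkey, sec):
            return modifier
        m = (m + 1) % (1 << 128)


def interface_id(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes, sec: int) -> bytes:
    """Hash1 = SHA-1(modifier || prefix || collision count || key), leftmost 64 bits,
    with Sec written into bits 0-2 and the u/g bits (bits 6 and 7) cleared."""
    assert len(modifier) == 16 and len(prefix) == 8 and 0 <= collision_count <= 2 and 0 <= sec <= 7
    h1 = hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]
    iid = bytearray(h1)
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # keep bits 3-5, set Sec, clear u and g
    return bytes(iid)


def cga_address(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes, sec: int) -> ipaddress.IPv6Address:
    """Concatenate the 64-bit prefix and the derived interface identifier."""
    return ipaddress.IPv6Address(prefix + interface_id(modifier, prefix, collision_count, pubkey, sec))


def verify(addr: ipaddress.IPv6Address, modifier: bytes, collision_count: int, pubkey: bytes, sec: int) -> bool:
    """Verifier side: the prefix is taken from the address itself, so an identifier
    generated under a different prefix fails even with the correct key and modifier."""
    packed = addr.packed
    prefix, iid = packed[:8], packed[8:]
    if collision_count > 2 or (iid[0] >> 5) != sec:
        return False
    if iid != interface_id(modifier, prefix, collision_count, pubkey, sec):
        return False
    return hash2_ok(modifier, pubkey, sec)


def prefix_bytes(network: str) -> bytes:
    """The leftmost 64 bits of a /64 as the 8-byte prefix field used by Hash1."""
    return ipaddress.IPv6Network(network).network_address.packed[:8]


def demo(sec: int = 0):
    """Same key and modifier on two subnets: returns (modifier, address on net A, address on net B)."""
    modifier = find_modifier(PUBKEY, sec)
    addr_a = cga_address(modifier, prefix_bytes("2001:db8:1::/64"), 0, PUBKEY, sec)
    addr_b = cga_address(modifier, prefix_bytes("2001:db8:2::/64"), 0, PUBKEY, sec)
    return modifier, addr_a, addr_b


if __name__ == "__main__":
    modifier, a, b = demo()
    print("subnet A:", a)
    print("subnet B:", b)
    print("identifiers equal:", a.packed[8:] == b.packed[8:])
    moved = ipaddress.IPv6Address(b.packed[:8] + a.packed[8:])
    print("A's identifier verifies on subnet B:", verify(moved, modifier, 0, PUBKEY, 0))
```

The two printed addresses share the key and modifier but differ in the low 64 bits, which is the property objected to in the quoted text and defended in the reply: the identifier cannot be reused across subnets, and a verifier that sees it on the wrong prefix rejects it without needing any state about the host.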