
RE: stable vs address-derived v6 prefix [Re: v6 deployment in general [Re: tunnel broker deployment [RE: Tunneling scenarios and mechanisms evaluation]]]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Erik Nordmark wrote:

<SNIP>

> I personally prefer "sufficiently secure" over the "no need to register"
> given the world we live in today.
> And lots of people seem to think it is ok to register to get
> a free email account at yahoo, hotmail, etc.
> Why do we think asking them to do the same thing to enable the cool
> applications running on IPv6 is out of the question?

Requiring a signup and user address/info details cuts down
on the abuse with huge hops. Indeed it is very easy for
most people to sign up for things like Yahoo/MSN/... etc
thus signing up for a TB service shouldn't be that hard either.
I also think that that is more like a political thing and
not a protocol thing. We could look at it from a protocol side
by creating a protocol which standardizes registration and
then having a standard tool that does that part for them.
But many services would not like that as they want to
show their big flashy spammy logos just to advertise themselves
even though the service is free you want some feedback.

> > I think the critical point here is whether we require this
> > registration protocol / user authentication in the mechanism, or
> > whether it's an optional step.  IMHO, we must not require that.
> 
> I actually think it is a mistake to define mechanisms that are *not
> capable* of doing registration with the same type of "traceability"
> that is done to sign up for a free email account.
> Whether different ISPs want to *use* that mechanism would be up to them.
> But without them in the specifications and as mandatory to implement
> we can easily end up with IPv6(transition) being perceived as
> less secure than IPv4.

ISPs should decide for themselves if they want to require
user authentication and registration. Freenet6 for instance
is quite public and anonymous and thus has a big load of
users. SixXS requires that every single user that wants a
tunnel supplies us with full name and address details including
a valid phone number, we decided on this for one prime reason:
cutting down on the abuse. It's simply not feasible in our eyes
to run a public and free service when jane doe can come in and
abuse it, mostly happening on IRC, which will only make one's
service unusable and thus totally useless. Many TBs have
disabled port 6600-7000 connectivity because of that too.
At least that is my point of view.

Thus: a protocol should make it possible to have anonymous
_and_ authenticated mechanisms, per choice of the entity
deploying the mechanism. The anonymous mechanisms could use
some kind of cookie method to allow the user to 'autoregister'
and when they come back present the cookie and allowing them
to get their former prefix back, add a lifetime to that and
we have a transition-dhcp protocol. Cookies should not rely
on the IPv4 address as that might change. I am a proponent
of stable addresses btw, thus having the above for anonymous
users helps dealing with that. Also RFC 3041 is not for me ;)

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook
Comment: Jeroen Massar / http://unfix.org/~jeroen/

iQBGBAERAgAQCRApqihSMz58IwUCQFutJAAAjMEAoIxwcBYAhz+B9pOPyHEMZ3tP
4B+PAJ9HqorF5t8ONKDtoVS23L//0zQSIg==
=gLdl
-----END PGP SIGNATURE-----
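
The cookie-based "autoregister" idea from the message above, sketched as an added example; it is not part of the original message or of any tunnel broker's code. The Broker class, the 2001:db8::/32 documentation pool carved into /48s, the 30-day lifetime and the 32-byte random cookie are all assumptions made for illustration.

```python
import hashlib
import ipaddress
import secrets

# Assumed values, not from the message: documentation pool and 30-day lease.
POOL = ipaddress.ip_network("2001:db8::/32")
LEASE_SECONDS = 30 * 24 * 3600


class Broker:
    """Hypothetical anonymous tunnel-broker lease table keyed by cookie hash."""

    def __init__(self):
        self._free = POOL.subnets(new_prefix=48)  # lazy generator of /48s
        self._leases = {}                         # sha256(cookie) -> lease

    @staticmethod
    def _key(cookie):
        # Store only a hash, so a leaked lease table yields no usable cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def request(self, client_ipv4, now, cookie=None):
        """Return (cookie, prefix, expires); a valid cookie gets its prefix back."""
        if cookie is not None:
            lease = self._leases.get(self._key(cookie))
            if lease and lease["expires"] > now:
                # The cookie alone identifies the lease. The IPv4 address is
                # only the current tunnel endpoint and is allowed to change.
                lease["endpoint"] = client_ipv4
                lease["expires"] = now + LEASE_SECONDS
                return cookie, lease["prefix"], lease["expires"]
            # Expired lease: forget it (this sketch does not recycle prefixes).
            self._leases.pop(self._key(cookie), None)
        # Missing, unknown or expired cookie: autoregister with a fresh,
        # unpredictable cookie that is not derived from the IPv4 address.
        new_cookie = secrets.token_urlsafe(32)
        lease = {"prefix": next(self._free), "endpoint": client_ipv4,
                 "expires": now + LEASE_SECONDS}
        self._leases[self._key(new_cookie)] = lease
        return new_cookie, lease["prefix"], lease["expires"]
```

Since the cookie is a bearer credential for the prefix, it would need to travel over a protected channel in a real deployment.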