
Re: preshared key in ipv6



In message <15316.23604.897000.316048@gargle.gargle.HOWL>, Paul Koning writes:
>Excerpt of message (sent 22 October 2001) by dxh:
>> 	I know. But in some environments, the low 64 bits can be
>> unique. For example, if a wireless ICP can guarantee this, he can
>> use this trick for his customers.
>
>Bad design decision.
>
>Looking up a full V6 address is no harder than looking up a 64 bit
>piece.  That way you don't have to rely on unreliable assumptions.
>You don't implement a proprietary system that doesn't work when people
>outside the closed group want to communicate.  And so on.
>
>If full V6 address handling were difficult, then perhaps this sort of
>shortcut would be justified.  But there is no benefit, only problems,
>so why do it?

One problem is renumbering:  if your upstream ISP renumbers, you need 
to change your lookup tables (or, in some cases, your certificates).

The right answer is to do things based on domain name, not IP 
addresses, but that means that we *really* need DNSSEC.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
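As an added illustration of the two points argued in this thread (not code from the message or from any project), the Python below models a preshared-key table indexed three ways: by the full IPv6 address, by the low 64 bits only, and by domain name. The addresses, names and keys are constructed sample values, and the name-to-address map is a plain dict standing in for DNS; in practice that mapping is exactly what needs DNSSEC to be trustworthy.

```python
import ipaddress

IPv6 = ipaddress.IPv6Address

# Constructed sample peers: A and B deliberately share the same interface
# identifier (low 64 bits) under different prefixes; A_RENUMBERED is what
# peer A becomes after its upstream ISP hands it a new prefix.
PEER_A = IPv6("2001:db8:1::aaaa")
PEER_B = IPv6("2001:db8:2::aaaa")
PEER_A_RENUMBERED = IPv6("2001:db8:99::aaaa")

# Constructed PSK databases (placeholders, not real keys).
PSK_BY_ADDR = {PEER_A: b"psk-for-peer-a", PEER_B: b"psk-for-peer-b"}
PSK_BY_NAME = {"a.example.net": b"psk-for-peer-a",
               "b.example.net": b"psk-for-peer-b"}

# Constructed stand-in for DNS: name -> current address.
DNS = {"a.example.net": PEER_A, "b.example.net": PEER_B}


def low64(addr: IPv6) -> int:
    """Interface identifier: the low 64 bits of a 128-bit address."""
    return int(addr) & ((1 << 64) - 1)


def lookup_by_full_address(table: dict, addr: IPv6):
    """Exact match on the full 128-bit address (the approach Paul recommends)."""
    return table.get(addr)


def candidates_by_low64(table: dict, addr: IPv6) -> list:
    """The shortcut dxh describes: index on the low 64 bits only.

    Returns every key whose address shares the interface identifier; more
    than one candidate means the lookup is ambiguous and the wrong peer's
    key could be selected.
    """
    wanted = low64(addr)
    return [key for a, key in table.items() if low64(a) == wanted]


def lookup_by_name(dns: dict, table: dict, name: str):
    """Name-keyed lookup (Steve's suggestion): resolve the name to its
    current address and fetch the key by name, so renumbering only
    changes the DNS mapping, not the key table."""
    return dns.get(name), table.get(name)


def renumbered(dns: dict, name: str, new_addr: IPv6) -> dict:
    """Return a copy of the DNS map with one name moved to a new address."""
    updated = dict(dns)
    updated[name] = new_addr
    return updated


def demo() -> dict:
    """Run the three lookups before and after renumbering peer A."""
    dns_after = renumbered(DNS, "a.example.net", PEER_A_RENUMBERED)
    return {
        # Full-address lookup is exact and unambiguous ...
        "full_before": lookup_by_full_address(PSK_BY_ADDR, PEER_A),
        # ... but the address-keyed table knows nothing about the new prefix.
        "full_after": lookup_by_full_address(PSK_BY_ADDR, PEER_A_RENUMBERED),
        # Low-64 lookup cannot tell peer A from peer B.
        "low64_candidates": candidates_by_low64(PSK_BY_ADDR, PEER_A),
        # Name-keyed lookup keeps working once DNS reflects the new address.
        "name_after": lookup_by_name(dns_after, PSK_BY_NAME, "a.example.net"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The interesting cases are the two failure modes: `candidates_by_low64` returns both peers' keys for `PEER_A`, and `lookup_by_full_address` returns nothing for the renumbered address until every table is edited, while the name-keyed path needs only the DNS entry to change.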