RE: Son-of-IKE Selection Criteria?
Hallam-Baker, Phillip writes:
> Michael,
>
> Could you expand a bit more here? I do not follow IPv6 deployment in
> much detail and I suspect many others do not.
>
> What is the current status of disposable addresses? Are they likely to be
> widely deployed? How does the mechanism work, does it depend on security
> properties in the key exchange?

With IP6, the bottom 64 bits of the unicast address
are, essentially, a host identifier. When a host
configures an interface, it generally auto-configures
its interface addresses for its link, site and global
prefixes, usually using router advertisements to figure
that out. It does this by taking the prefix and appending
on something to the lower 64 bits. Those can be a
long-lived NAI (MAC address) which should be unique,
or the host can create a temporary address(es) if it
wants privacy. In all cases, it's required to do
duplicate address detection to check for collisions.
Theoretically, it can create as many private addresses
as it wants, as often as it wants. This is purely an
implementation issue of the host; I don't know
whether certain well known OS vendors are
implementing it in their v6 stack yet.

Now, again, I'm not sure whether that's
applicable here or not. My sense is that this
is a worthwhile general discussion since we
also should consider the implications of
multihoming, mobility and renumbering which
want to change the high 64 bits (eg, the
prefix). As far as I understand, IPsec doesn't
play very well with these (eg, would require
separate sessions). I've been meaning to bring
this up, but have been lacking on time...
Mike
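
An added illustration of the address formation described in the message above (not part of the original post): the same /64 prefix combined with a long-lived MAC-derived identifier versus a temporary random one, and what an observer can link across a prefix change. It assumes modified EUI-64 for the MAC-derived identifier and plain random bits for the temporary one; the MAC and prefixes are constructed, and duplicate address detection is not modelled.

```python
import ipaddress
import secrets

MASK64 = (1 << 64) - 1
UL_BIT = 0x02 << 56  # universal/local bit of the 64-bit interface identifier


def eui64_iid(mac: str) -> int:
    """Long-lived identifier: modified EUI-64 built from a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the NIC part, then flip the u/l bit.
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(eui, "big")


def temporary_iid() -> int:
    """Disposable identifier: 64 random bits with the u/l bit cleared."""
    return secrets.randbits(64) & ~UL_BIT


def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Append a 64-bit identifier to a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= iid <= MASK64:
        raise ValueError("need a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def same_host_id(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> bool:
    """True when two addresses share their low 64 bits (linkable by an observer)."""
    return int(a) & MASK64 == int(b) & MASK64


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                        # constructed
    old, new = "2001:db8:1::/64", "2001:db8:2::/64"  # constructed: before/after renumbering
    stable = [make_address(p, eui64_iid(mac)) for p in (old, new)]
    temp = [make_address(p, temporary_iid()) for p in (old, new)]
    print(stable, same_host_id(*stable))  # identifier survives the prefix change
    print(temp, same_host_id(*temp))      # fresh identifier each time
```
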