
Re: IPv6 w.g. Last Call on "IPv6 Node Information Queries"
On Fri, 11 Jul 2003, Michael Hunter wrote:
> On Fri, 11 Jul 2003 22:40:29 +0300 (EEST)
> Pekka Savola <pekkas@netcore.fi> wrote:
> > On Fri, 11 Jul 2003, Michael Hunter wrote:
> > 
> > > On Fri, 11 Jul 2003 08:00:36 +0300 (EEST)
> > > Pekka Savola <pekkas@netcore.fi> wrote:
> > > 
> > > [...]
> > > > > The other one is: if a NIQ is sent to a RFC3041 address, do you reply to
> > > > > it? My take is that by default, you should not and have a switch to
> > > > > override.
> > > > 
> > > > But I fail to see any use for this.  Typically when you implement these, I
> > > > think they'll listen to all addresses ("any incoming packet").  It seems
> > > > that disabling one set of addresses and even giving users a toggle of
> > > > rather little value would be useless.  But of course, one might have to 
> > > > implement differently too.
> > > 
> > > The association between RFC3041 addresses and other addresses is what you
> > > want to protect.  If you let a 3rd party discover that association with
> > > NIQ then you've removed the little usefulness that RFC3041 addresses have.
> > 
> > Please re-read what you write.
> > 
> 
> I'm not understanding the following so I apologize if my response isn't
> to your point.

Sorry if I was unclear..

> > What you're implying is that those you're worried about would learn your 
> > "true identity" and not RFC3041 ones, would be allowed to send NIQ's to you, 
> > and you'd actually answer them?
> 
> So the issue I was attempting to communicate was that the association
> between your RFC3041 address(es) and your other addresses was something
> you wanted to protect.  The following two points need to be protected
> at the same level:
> 
> 1) Somebody sending a request to a non-RFC3041 address and discovering
> your RFC3041 address(es).
> 
> 2) Somebody sending a request to a RFC 3041 address and discovering your
> other addresses/name which resolves to other addresses.
> 
> If you think one is important, I believe you should think both are
> important.

True.  But now comes my actual point: you're making an assumption that all 
nodes in the Internet (basically) would answer NIQ's from everywhere, 
and consequently there would be some information to disclose.

I don't think this is reasonable.

If you can't trust the guy whose NIQ's you're answering to enough that you 
need to obfuscate the association between RFC3041 and non-RFC3041 
addresses, you shouldn't be answering those NIQ's at all.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
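[Editor's note: the following is an added example, not part of the thread and not code from any NIQ implementation. It models the responder policy the two posters are arguing about: Michael's two cases (a query to a stable address must not list the RFC 3041 temporary addresses; a query to a temporary address must not be linked to the node name or stable addresses), the "switch to override" he proposes, and Pekka's stricter rule that a querier you don't trust gets no answer at all. The Qtype and reply Code numbers are the ones assigned in RFC 4620, the published form of the draft under Last Call here; the node name, prefix and addresses are constructed for the example, and how a real stack flags an address as temporary is assumed to be available as a per-address boolean.]

```python
"""NIQ responder policy for a node that also uses RFC 3041 temporary addresses.

Added example, not code from the thread or from any real implementation.
Qtype/Code values follow RFC 4620; all addresses below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# Query types (RFC 4620, section 4).
QTYPE_NOOP = 0
QTYPE_NODE_NAME = 2
QTYPE_NODE_ADDRESSES = 3

# Reply codes (RFC 4620, section 5).
CODE_SUCCESS = 0
CODE_REFUSED = 1
CODE_UNKNOWN_QTYPE = 2


@dataclass(frozen=True)
class LocalAddress:
    addr: IPv6Address
    temporary: bool = False   # True for an RFC 3041 privacy address (assumed stack flag)


@dataclass(frozen=True)
class NiqReply:
    code: int
    node_name: Optional[str] = None
    addresses: tuple[IPv6Address, ...] = ()


@dataclass
class NiqResponder:
    node_name: str
    addresses: list[LocalAddress]
    trusted_sources: list[IPv6Network] = field(default_factory=list)
    answer_on_temporary: bool = False   # the "switch to override" from the thread

    def _is_temporary(self, dst: IPv6Address) -> bool:
        return any(a.addr == dst and a.temporary for a in self.addresses)

    def _trusted(self, src: IPv6Address) -> bool:
        return any(src in net for net in self.trusted_sources)

    def handle(self, src: IPv6Address, dst: IPv6Address, qtype: int) -> Optional[NiqReply]:
        """Return the reply to send, or None to stay silent."""
        # Pekka's rule: an untrusted querier gets nothing, not even a refusal,
        # so it cannot learn whether a responder exists on this address.
        if not self._trusted(src):
            return None
        # Michael's point 2: a query addressed to a temporary address must not
        # be answered with anything that links it to the node's other identity.
        if self._is_temporary(dst) and not self.answer_on_temporary:
            return None
        if qtype == QTYPE_NOOP:
            return NiqReply(CODE_SUCCESS)
        if qtype == QTYPE_NODE_NAME:
            return NiqReply(CODE_SUCCESS, node_name=self.node_name)
        if qtype == QTYPE_NODE_ADDRESSES:
            # Michael's point 1: a query to a stable address must not list the
            # temporary addresses unless the operator turned the override on.
            listed = tuple(a.addr for a in self.addresses
                           if self.answer_on_temporary or not a.temporary)
            return NiqReply(CODE_SUCCESS, addresses=listed)
        return NiqReply(CODE_UNKNOWN_QTYPE)


# Constructed sample data: one stable and one temporary address on 2001:db8::/64.
STABLE = IPv6Address("2001:db8::1")
TEMPORARY = IPv6Address("2001:db8::a1b2:c3d4:e5f6:789")
TRUSTED_SRC = IPv6Address("2001:db8::5")        # on the trusted prefix
OUTSIDER_SRC = IPv6Address("2001:db8:ffff::5")  # outside it


def example_node(answer_on_temporary: bool = False) -> NiqResponder:
    return NiqResponder(
        node_name="host.example",
        addresses=[LocalAddress(STABLE), LocalAddress(TEMPORARY, temporary=True)],
        trusted_sources=[IPv6Network("2001:db8::/64")],
        answer_on_temporary=answer_on_temporary,
    )


if __name__ == "__main__":
    node = example_node()
    print(node.handle(TRUSTED_SRC, STABLE, QTYPE_NODE_ADDRESSES))   # stable address only
    print(node.handle(TRUSTED_SRC, TEMPORARY, QTYPE_NODE_NAME))     # None: silent
    print(node.handle(OUTSIDER_SRC, STABLE, QTYPE_NODE_NAME))       # None: untrusted
```

Note that with an empty trusted_sources list the responder answers nobody, which is the default Pekka's last paragraph implies; the two address-type rules only matter once an operator has chosen to trust some prefix, and the override switch then deliberately collapses both of Michael's cases at once, since either one alone is enough to reveal the association.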

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to majordomo@sunroof.eng.sun.com
--------------------------------------------------------------------