Re: Proposed Resolution of Issues [1-37]
At 09:33 2/09/2005 +0100, Tim Chown wrote:
Issue 24 - so what text will you use?
In the background Elwyn worked with us on this aspect. The text to replace Ch4.4 is below. We feel that text looks more balanced. This replacement text will be in the NAP-02 draft.
4.4. Privacy and Topology Hiding
Partial host privacy is achieved in IPv6 using pseudo-random addresses [RFC 3041] which are generated as required, so that a session can use an address that is valid only for a limited time. Exactly as with IPv4 NAT, this only allows such a session to be traced back to the subnet that originates it, but not to the actual host.

Due to the large IPv6 address space available there is the freedom to randomize subnet allocations. By doing this, it is possible to reduce the correlation between a subnet and its location. When doing both subnet and IID randomization [RFC 3041] a snooper won't be able to deduce much about the network's topology. The obtaining of a single address will tell the snooper very little about other addresses. This is different from IPv4, where space limitations cause this to be not true. In most cases this concept should be sufficient for address privacy and topology hiding.
In the case where a network administrator wishes to fully conceal the internal IPv6 topology, and the majority of its host addresses, a possible option is to run all internal traffic using Unique Local Addresses (ULA), since such packets can by definition never exit the site. For hosts that do in fact need to exchange external traffic, by using multiple IPv6 addresses (ULAs and one or more global addresses), it will be possible to hide and mask nearly all of the internal network. As discussed in Section 3.1, there are multiple parts to the IPv6 address, and different techniques manage privacy for each.
There are two possible scenarios for the extreme situation where the network manager also wishes to fully conceal the internal topology:

o One could use explicit host routes and remove the correlation between location and IPv6 address. This solution does however show severe scalability issues.

o The other technology to fully hide the internal topology would be to use a tunneling mechanism. Mobile IPv6 without route optimization is one example. In this example the public facing addresses are indirected via an edge Home Agent (HA). This indirection method truly masks the internal topology, as all nodes with global access appear to share a common subnet. The downside of using this method is that it makes usage of middleware like a Home Agent (HA).
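As an added illustration of the [RFC 3041] privacy-address point in the draft text above (example code written for this page, not part of the draft or of the NAP work): it derives the stable EUI-64 interface identifier from a constructed MAC address, generates two successive temporary identifiers with the RFC 3041 MD5 procedure, and shows that both temporary addresses still trace back to the same /64 while neither reveals the hardware address. The MAC, the prefix and the initial history value are constructed sample values.

```python
import hashlib
import ipaddress
import os
from typing import Optional, Tuple

# Constructed sample values for the demo (not taken from the draft text).
SAMPLE_MAC = "00:1b:21:3c:4d:5e"
SAMPLE_PREFIX = "2001:db8:1234:5678::"   # the host's /64 subnet

def eui64_iid(mac: str) -> bytes:
    """Stable modified EUI-64 interface identifier (RFC 4291, Appendix A):
    invert the universal/local bit and insert 0xfffe. It never changes, so
    every session from this host carries the same hardware-derived IID."""
    b = bytes.fromhex(mac.replace(":", ""))
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def mac_from_eui64(iid: bytes) -> Optional[str]:
    """What a snooper reads back from a stable EUI-64 IID: the MAC address."""
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % x for x in raw)

def temporary_iid(history: bytes, eui64: bytes) -> Tuple[bytes, bytes]:
    """RFC 3041 section 3.2.1: MD5(history || EUI-64). The left 64 bits, with
    the u/l bit cleared, become the new IID; the right 64 bits are kept as the
    next history value, so each regeneration yields a fresh IID."""
    digest = hashlib.md5(history + eui64).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD                     # clear bit 6 (universal/local) of octet 0
    return bytes(iid), digest[8:]

def address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    base = ipaddress.IPv6Network((prefix, 64)).network_address
    return ipaddress.IPv6Address(int(base) | int.from_bytes(iid, "big"))

def subnet(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Network:
    """The /64 that a session can still be traced back to."""
    return ipaddress.IPv6Network((int(addr), 64), strict=False)

def demo(mac: str = SAMPLE_MAC, prefix: str = SAMPLE_PREFIX,
         history: Optional[bytes] = None) -> dict:
    eui = eui64_iid(mac)
    history = history if history is not None else os.urandom(8)  # initial history value
    iid1, history = temporary_iid(history, eui)   # first temporary address
    iid2, history = temporary_iid(history, eui)   # next one, after the lifetime expires
    return {"stable": address(prefix, eui),
            "temp": [address(prefix, iid1), address(prefix, iid2)],
            "mac_leak": mac_from_eui64(eui), "temp_leak": mac_from_eui64(iid1)}
```

Calling `demo()` returns the stable address, two temporary addresses and what each leaks; the stable one hands the snooper the MAC, the temporary ones only the /64.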