On Thursday, November 23, 2006 Stig Venaas wrote:
Per Fred's request, please let v6ops and/or authors know if you have
any thoughts regarding this draft. In particular there is the following
section:
4.2. DHCP Service Configuration Options
The administrator should configure DHCPv6 so that the first
addresses
allocated from the pool begins much higher in the address space than
at [prefix]::1. DHCPv6 also includes an option to use Privacy
Extension [2] addresses, i.e. temporary addresses, as described in
Section 12 of the DHCPv6 [5] specification. It is desirable that
allocated addresses are not sequential, nor have any predictable
pattern to them.
I am not sure that I like the idea that we are suggesting that the DCHPv6 start higher than 1 for 2 reasons: 1. It reduces the number of addresses available, by 1 less than the starting number chosen by the administrator. Yes I know that there are many more numbers available, but I am hesitant to start recommending that they be arbitrarily reduced for a dubious security consideration (see reason #2).
2. By stating that it is desirable, but not mandatory that the numbers from the address pool of numbers are not allocated sequentially, you leave the possibility that people choosing the easy coding methodology will still allow it to be sequential. So, by choosing a number higher than 1 you have only reduced the security implications by a few seconds as the scan will eventually reach the first entry and then be able to scan the network.