On Mon, 05 Oct 2009 16:13:37 CDT, Dan White said:
a publicly routeable stateless auto configured address is no less secure than a publicly routeable address assigned by DHCP. Security is, and should be, handled by other means.
The problem is user tracking and privacy. RFC4941's problem statement: Addresses generated using stateless address autoconfiguration [ADDRCONF] contain an embedded interface identifier, which remains constant over time. Anytime a fixed identifier is used in multiple contexts, it becomes possible to correlate seemingly unrelated activity using this identifier. The correlation can be performed by o An attacker who is in the path between the node in question and the peer(s) to which it is communicating, and who can view the IPv6 addresses present in the datagrams. o An attacker who can access the communication logs of the peers with which the node has communicated. Since the identifier is embedded within the IPv6 address, which is a fundamental requirement of communication, it cannot be easily hidden. This document proposes a solution to this issue by generating interface identifiers that vary over time. Note that an attacker, who is on path, may be able to perform significant correlation based on o The payload contents of the packets on the wire o The characteristics of the packets such as packet size and timing Use of temporary addresses will not prevent such payload-based correlation. (end quote) Or phrased differently - if I DCHP my laptop in a Starbuck's, on Comcast, at work, at a hotel, and a few other places, you'll get a whole raft of answers which will be very hard to cross-corrolate. But if all those places did IPv6 autoconfig, the correlation would be easy, because my address would always end in 215:c5ff:fec8:334e - and no other users should have those last 64 bits. Amazingly enough, some people think making it too easy to Big-Brother you is a security issue...