On Tue, May 17, 2011 at 9:37 PM, <Valdis.Kletnieks@vt.edu> wrote:
> Unless you end up behind a fascist firewall that actually checks that the EUI-64 half of the SLAAC address actually matches your MAC address - but we all know that firewalls are weak at IPv6 support, so probably nobody's actually doing that checking. :)
Never mind you can change your MAC address easily on most networks, since most don't provide any reasonable way of verifying that L2 packets are from where they claim to be.

FWIW, Windows Vista and 7 default to using privacy addresses with SLAAC.

Even without that, today, in the IPv4 NAT world, it's pretty much possible to uniquely identify a user nearly almost all of the time anyhow - at least for web access. This is thanks to browser fingerprinting - see https://panopticlick.eff.org/browser-uniqueness.pdf

There's a lot of FUD about IPv6. Yes, the addresses are longer. But which is easier - remembering all the intermediate layers of network translation (likely two boxes for nearly every residential and small business user) or an IPv6 address that is the same, regardless of whether you are another customer on the same ISP, a public internet user, or an internal corporate user? Never mind what it is like to debug IPSEC/PPTP/L2TP, SIP, or P2P protocols with just one NAT involved. Imagine doing that with two NAT devices (CGN + home NAT). If you haven't had that unfortunate pleasure, then I envy you!

There's also no reason we should have to remember our IPv6 addresses. Seriously. There are about 50 protocols to name things on networks, many of which are scope aware. Among other things, it's why we don't typically have to remember MAC addresses - ARP works and it works well. Just because bad design forced us to remember IPv4 addresses doesn't mean our IPv6 networks should carry over that brokenness.

IPv6 is also already in widespread use (I would guess all 500 of the Fortune 500 have it somewhere on their network, albeit quite likely not intentionally). I use it almost daily for my Apple MobileMe account (albeit typically tunneled over IPv4, all behind-the-scenes). I also use it when I stream music around my house (Bonjour will utilize IPv6, AirTunes typically uses it).
Windows admins might be using it too (DirectAccess; MS Remote Assistance if firewalls block connectivity then Windows will set up a direct IPv6 link, tunneling through your firewalls and NAT...). And Grandma very well may be using it today (Windows "Home Groups" use IPv6). I would guess half of the family members of NANOG list subscribers are using IPv6 on a daily basis - TODAY. The danger is in ignoring what is already on your networks. Sure, you can't get to most websites via IPv6. But it's being used for plenty of useful work today, although mostly as a way around firewalls and as isolated islands (not connected to the global IPv6 network).
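The check the quoted message jokes about (does the interface identifier of a SLAAC address actually correspond to the host's MAC?) and the privacy-address point in the reply are both mechanical: a modified EUI-64 interface ID is the MAC split in two with ff:fe in the middle and the universal/local bit flipped, so an address either carries that structure or it does not. The following is an added example, not code from either poster or from any firewall product; it derives the EUI-64 identifier from a MAC, recovers the MAC from an EUI-64 address, and classifies entries of a constructed (not captured) neighbor table as matching, mismatching, or carrying no MAC at all (privacy or manually assigned addresses, which this kind of check cannot bind to L2). The ff:fe marker is a heuristic: a randomly generated privacy identifier could contain it by chance, so the comment in the code says so.

```python
import ipaddress
from typing import List, Optional, Tuple


def mac_to_bytes(mac: str) -> bytes:
    """Parse '00:1a:2b:3c:4d:5e' or '00-1a-2b-3c-4d-5e' into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return raw


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 4291, appendix A):
    OUI | ff:fe | device part, with the universal/local bit inverted."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02  # flip the U/L bit of the first octet
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure from a /64 prefix with EUI-64 (no privacy extensions)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_from_mac(mac))


def is_eui64_iid(addr: str) -> bool:
    """Heuristic: EUI-64 identifiers carry ff:fe in octets 3-4 of the interface ID.
    A random (privacy) identifier can contain the same bytes by chance, so treat a
    positive result as 'looks like EUI-64', not as proof."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if there is none."""
    if not is_eui64_iid(addr):
        return None
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    iid[0] ^= 0x02  # undo the U/L bit flip
    mac = iid[:3] + iid[5:]  # drop the ff:fe filler
    return ":".join(f"{b:02x}" for b in mac)


def iid_matches_mac(addr: str, mac: str) -> bool:
    """True when the address's interface ID is exactly the EUI-64 of the given MAC."""
    return ipaddress.IPv6Address(addr).packed[8:] == eui64_from_mac(mac)


def classify(addr: str, mac: str) -> str:
    """Verdict for one (address, MAC) pairing as seen in a neighbor cache."""
    if not is_eui64_iid(addr):
        # Privacy or static address: nothing in the IID ties it to the MAC,
        # so an L2/L3 consistency check of this kind simply does not apply.
        return "privacy-or-static"
    return "eui64-match" if iid_matches_mac(addr, mac) else "eui64-mismatch"


def classify_table(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    return [(addr, mac, classify(addr, mac)) for addr, mac in entries]


# Constructed sample neighbor entries; these are illustrative values, not captured data.
SAMPLE_NEIGHBORS = [
    ("2001:db8::21a:2bff:fe3c:4d5e", "00:1a:2b:3c:4d:5e"),  # EUI-64, MAC agrees
    ("2001:db8::21a:2bff:fe3c:4d5e", "00:1a:2b:3c:4d:5f"),  # EUI-64, MAC disagrees
    ("2001:db8::a1b2:c3d4:e5f6:789", "00:1a:2b:3c:4d:5e"),  # privacy-style identifier
]

if __name__ == "__main__":
    print(slaac_address("2001:db8::/64", "00:1a:2b:3c:4d:5e"))
    for addr, mac, verdict in classify_table(SAMPLE_NEIGHBORS):
        print(f"{addr:32} {mac}  {verdict}  embedded={mac_from_address(addr)}")
```

The third verdict is the one the reply is getting at: once a host uses privacy extensions (the Vista/7 default mentioned above), the interface ID carries no MAC, so a device that relies on EUI-64 consistency has nothing to compare and must fall back on other bindings (DHCPv6 leases, neighbor cache snooping) if it wants to tie an address to a port.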