On 7/14/12, valdis.kletnieks@vt.edu <valdis.kletnieks@vt.edu> wrote: [snip]
The fact that your prefix is a Secret Sauce that isn't known to the rest of the world won't matter much to an attacker. One 'ifconfig' on whatever beachhead machine the attacker has inside your net, and it's not Secret Sauce anymore, it's just another bottle of Thousand Island dressing...
The good news is one 'ifconfig' just tells them what network address you're in. Unless the attacker can gain access to your host's NDP table or ARP table, they can't see what IPs are in use. Your Global or whatever /64 has ~18446744073709551615 possible IP addresses.

If you want your addressing assignments to be "obscure", generate a random interface ID, and use that to assign your IPv6 addresses within your public /64, or just use stateless autoconfig.

--
-JH
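The random interface ID suggestion above, sketched in Python as an added example that is not part of the original message. The 2001:db8:1:2::/64 documentation prefix, the function names, the RFC 5453 reserved-identifier check and the probe-rate figures are assumptions made for this illustration.

```python
import ipaddress
import secrets

# Interface identifiers reserved by RFC 5453: the all-zero subnet-router
# anycast ID and the reserved subnet anycast range.
RESERVED_ANYCAST_LO = 0xFDFF_FFFF_FFFF_FF80
RESERVED_ANYCAST_HI = 0xFDFF_FFFF_FFFF_FFFF
IID_SPACE = 2 ** 64  # interface IDs available inside one /64


def is_reserved_iid(iid: int) -> bool:
    return iid == 0 or RESERVED_ANYCAST_LO <= iid <= RESERVED_ANYCAST_HI


def random_iid(rand64=lambda: secrets.randbits(64)) -> int:
    """Draw 64-bit values from a CSPRNG until one is not reserved.

    rand64 is injectable so the rejection path can be tested.
    """
    while True:
        iid = rand64()
        if not is_reserved_iid(iid):
            return iid


def address_in_prefix(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)  # raises if host bits are set
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    if not 0 <= iid < IID_SPACE:
        raise ValueError("interface ID must fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mean_years_to_first_hit(hosts: int, probes_per_second: float) -> float:
    """Mean time for blind probing (no NDP/ARP visibility) to reach the
    first of `hosts` randomly placed addresses in one /64.

    Uses the expected draw count without replacement, (N + 1) / (H + 1).
    """
    probes = (IID_SPACE + 1) / (hosts + 1)
    return probes / probes_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample input: documentation prefix, not a real network.
    print(address_in_prefix("2001:db8:1:2::/64", random_iid()))
    print(round(mean_years_to_first_hit(1000, 1e6)), "years")
```

The last function covers blind probing only; as the message notes, anyone who can read a host's NDP or ARP table sees the addresses in use directly.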