On 05/10/09 16:43 -0400, Ricky Beam wrote:
[here we go again]
On Mon, 05 Oct 2009 14:37:49 -0400, William Herrin <herrin-nanog@dirtside.com> wrote:
Some clever guy figured out that ... why not add an extra 64 bits for that very convenient improvement? This is called "stateless autoconfiguration."
Except that "clever guy" was in fact an idiot blinded by idealism. Not only did he fail to see the security implications of having a fixed address, but he'd apparently spent his entire life under a rock, on an
a publicly routeable stateless auto configured address is no less secure than a publicly routeable address assigned by DHCP. Security is, and should be, handled by other means.
island, on another planet... he completely ignored the fact that people were using DHCP [formerly known as BOOTP] (and have been now for over a decade) to provide machines with FAR MORE than just an address. A
That's what stateless DHCP does.
Some even more clever guy figured out that if the first clever guy's strategy is used, it becomes a trivial matter to track someone online... ... stateless autoconfiguration will probably end up being a waste.
It's ALWAYS been a waste. All these supposed "clever guys" failed to learn from the mistakes that preceded them and have doomed us to repeat them... ICMP router discovery (technology abandoned so long ago, I'd forgotten about it), RARP, bootp, dhcp. SLAAC loops us back around to the beginning. Only this time, it's inescapable: I still have to have something on the network spewing RAs for the sole purpose of telling everything to use DHCP instead; there's a hard "class" boundary smack in the middle of a "classless network" because these "clever guys" were lazy and didn't want to figure out ways to avoid address collisions.
I don't understand. You're saying you have overlapping class boundaries in your network?
(something modern IPv6 stacks do by default for privacy -- randomly generated addresses have to be tested for uniqueness.)
-- Dan White BTC Broadband