Hi Phil,
Hallam-Baker, Phillip wrote:
> I am pretty sure the EUI-64 requirement has been dropped. If not I can't see how the real world security practitioners are going to implement it.
Stateless autoconf does not automatically imply EUI-64. There are other
stateless autoconf methods that do not use bare EUI-64s. See below.
> The EUI-64 address reveals the hardware manufacturer and model of hardware that I am using. There are no circumstances in which I am going to allow an attacker to obtain that information without putting them to as much effort as I can.
You can use a modified 64 bit identifier for privacy. These identifiers
run a crypto hash over the EUI-64 and keep changing it periodically.
Thus you can hide your hardware identity both over time and at a
specific instance of time.
http://tools.ietf.org/html/draft-ietf-ipv6-privacy-addrs-v2-05
(Soon to be RFC4941)
Other mechanisms such as CGA, HBA (more to come?) also work with 64 bit
boundaries even if they are not EUI-64 based.
Cheers
Suresh
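To make concrete what the reply above describes, here is an added worked example (not code from this thread, the draft, or any IETF implementation). It builds the modified EUI-64 identifier from a MAC, shows that the vendor OUI stays readable in it, and then generates RFC 4941 temporary identifiers with the algorithm the draft specifies: MD5 over the previous history value concatenated with the stable identifier, left 64 bits with the universal/local bit cleared as the new identifier, right 64 bits as the next history value, with reserved or already-used results rejected. The MAC (IANA documentation OUI 00-00-5E), the prefix 2001:db8::/64, and the random initial history value are constructed; the reserved-identifier check covers only two of the ranges RFC 5453 lists.

```python
import hashlib
import ipaddress
import os


def modified_eui64(mac: bytes) -> bytes:
    """Derive the modified EUI-64 interface identifier from a 48-bit MAC
    (RFC 4291 Appendix A): insert ff:fe in the middle and flip the
    universal/local bit. The vendor OUI (first three octets) survives."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= 0x02  # invert the u/l bit: globally unique MAC -> 'universal' IID
    return bytes(iid)


def oui_from_eui64(iid: bytes) -> bytes:
    """Recover the MAC OUI from a modified EUI-64 identifier; this is the
    manufacturer information the thread is worried about exposing."""
    return bytes([iid[0] ^ 0x02]) + iid[1:3]


def is_reserved_iid(iid: bytes) -> bool:
    """Two of the identifier ranges RFC 5453 reserves: the all-zero
    Subnet-Router anycast IID and the RFC 2526 anycast block
    fdff:ffff:ffff:ff80 - fdff:ffff:ffff:ffff (subset, for illustration)."""
    if iid == bytes(8):
        return True
    return iid[:7] == b"\xfd\xff\xff\xff\xff\xff\xff" and iid[7] >= 0x80


def next_temporary_iid(history: bytes, stable_iid: bytes, in_use=frozenset()):
    """RFC 4941 section 3.2.1: MD5(history || stable IID). Left 64 bits with
    bit 6 cleared become the temporary IID, right 64 bits become the next
    history value. Reserved or in-use results restart with the new history."""
    while True:
        digest = hashlib.md5(history + stable_iid).digest()
        candidate = bytearray(digest[:8])
        candidate[0] &= 0xFD  # clear bit 6 (0x02): local significance only
        candidate = bytes(candidate)
        history = digest[8:]
        if not is_reserved_iid(candidate) and candidate not in in_use:
            return candidate, history


def temporary_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("a 64-bit interface identifier needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def demo(rounds=3, prefix="2001:db8::/64", history=None):
    """Generate successive temporary addresses for one constructed host."""
    mac = bytes.fromhex("00005e005301")  # constructed: IANA documentation OUI
    stable = modified_eui64(mac)
    history = history or os.urandom(8)  # RFC 4941: first history value is random
    used = set()
    temporaries = []
    for _ in range(rounds):
        iid, history = next_temporary_iid(history, stable, used)
        used.add(iid)
        temporaries.append(temporary_address(prefix, iid))
    return {"stable": temporary_address(prefix, stable), "temporary": temporaries}


if __name__ == "__main__":
    result = demo()
    stable_iid = result["stable"].packed[8:]
    print("EUI-64 address  :", result["stable"],
          "(OUI visible:", oui_from_eui64(stable_iid).hex(":") + ")")
    for addr in result["temporary"]:
        print("temporary       :", addr)
```

Every temporary identifier has the u/l bit cleared, so it carries no OUI to recover, and each period's identifier is tied to the previous one only through the secret history value, which gives the "hidden both over time and at a specific instance of time" property the reply describes.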