On 05/20/2013 04:08 PM, Brian E Carpenter wrote:
Publication of EUI-48 or EUI-64 addresses in the global DNS may
result in privacy issues in the form of unique trackable identities.
This might also result in such MAC addresses being spoofed, thereby allowing
some sort of direct attack. So it isn't just a privacy concern.
...
These potential concerns can be mitigated through restricting access
to zones containing EUI48 or EUI64 RRs or storing such information
under a domain name whose construction requires that the querier
already know some other permanent identifier.
This "can be" seems too weak. Shouldn't we have a MUST here? Also, I doubt
that the second option (a shared secret) is sufficient.
And yet, multifaced DNS is also a bad idea, and probably not the sort of
thing that IETF should encourage with a MUST.
Publishing EUI-XX addresses in the DNS is a bad idea.
I get the impression that we're bending over backwards to try to create
new security risks with this document, and people are trying to justify
it by citing freedom to innovate. IMO, that's not the kind of
"innovation" that IETF should be endorsing.
Keith