On Jul 29, 2017, at 7:17 PM, Stephen Farrell <stephen.farrell@xxxxxxxxx> wrote:
The IETF network is always going to have enough IPv4 addresses for every user. Hence, it is _never_ going to be better for IETF users to use an IPv6-only network, because the main feature of IPv6 is end-to-end, and if you are still v4-privileged, you have end-to-end with v4, unlike the rest of the world. So if that's the value proposition required to make v6-only the default, v6-only is not going to be the default until it becomes difficult to get clean v4 peering at IETF meetings. That is, not anytime soon.

It looks like OpenVPN finally supported dual-stack servers with stack-agnostic clients roaming to v6-only networks as of 2.4/3.0.

OpenSSH shouldn't store IP addresses in known_hosts files because in the real world, 192.168.1.1 refers to a different host depending on what network I'm connected to. So I wind up having to go in and delete these addresses from my known_hosts file on a regular basis. It makes some sense to say that server.example.org should have a stable ssh key; it makes very little sense to say that some random IP address should have a stable key. Best case, if the thing you're connecting to uses privacy addresses, you're going to have a key file with a _ton_ of stale keys; worst case, you're going to be in the habit of editing your known_hosts file to delete bogus keys when IP addresses get reused by different hosts. I am probably more likely to encounter this than you because I build and test router firmware on a regular basis, but the principle is true in general.

If you think DNSSEC is a good idea, why aren't you getting your host key from DNSSEC?
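As an added illustration of the known_hosts problem described in the message above (example code written for this page, not from the list participants or from OpenSSH), the following parses the known_hosts line format and reports IP-keyed entries, including addresses that have accumulated more than one key of the same type, which is exactly the "address reused by a different host" situation. The key material in the sample is a constructed placeholder.

```python
import ipaddress

# Constructed sample known_hosts content; the base64 key bodies are placeholders.
SAMPLE_KNOWN_HOSTS = """\
# hostnames and IPs may share a line, comma-separated
server.example.org,203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne
192.168.1.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo
192.168.1.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyThree
[192.168.1.1]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIExampleKeyFour
|1|c29tZXNhbHQ=|c29tZWhhc2g= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyFive
@revoked old.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQRevokedKey
"""

MARKERS = {"@cert-authority", "@revoked"}

def parse_known_hosts(text):
    """Parse known_hosts lines into (marker, hosts, keytype, key) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0] in MARKERS:          # optional leading @marker
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue                      # malformed; ssh skips such lines too
        entries.append((marker, fields[0].split(","), fields[1], fields[2]))
    return entries

def _bare(host):
    """Strip the [host]:port bracket form down to the host itself."""
    return host[1:host.index("]")] if host.startswith("[") else host

def classify_host(host):
    """Return 'hashed', 'ip' or 'name' for one host pattern."""
    if host.startswith("|1|"):
        return "hashed"
    try:
        ipaddress.ip_address(_bare(host))
        return "ip"
    except ValueError:
        return "name"

def ip_keyed_entries(text):
    """Map (ip, keytype) to the distinct keys recorded for that address."""
    keys = {}
    for _marker, hosts, keytype, key in parse_known_hosts(text):
        for host in hosts:
            if classify_host(host) == "ip":
                keys.setdefault((_bare(host), keytype), set()).add(key)
    return keys

def conflicting_ips(text):
    """Addresses with several keys of one type: the IP was reused by another host."""
    return sorted({ip for (ip, _t), ks in ip_keyed_entries(text).items() if len(ks) > 1})
```

OpenSSH's `CheckHostIP` client option controls whether the IP address is checked and recorded alongside the hostname, and `VerifyHostKeyDNS` enables the SSHFP lookup the last sentence alludes to.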