| < draft-ietf-ipv6-privacy-addrs-v2-04.txt | draft-ietf-ipv6-privacy-addrs-v2-05.txt > | |||
|---|---|---|---|---|
| IPv6 Working Group T. Narten | IPv6 Working Group T. Narten | |||
| Internet-Draft IBM Corporation | Internet-Draft IBM Corporation | |||
| Expires: November 25, 2005 R. Draves | Obsoletes: 3041 (if approved) R. Draves | |||
| Microsoft Research | Expires: February 2, 2007 Microsoft Research | |||
| S. Krishnan | S. Krishnan | |||
| Ericsson Research | Ericsson Research | |||
| May 24, 2005 | August 2006 | |||
| Privacy Extensions for Stateless Address Autoconfiguration in IPv6 | Privacy Extensions for Stateless Address Autoconfiguration in IPv6 | |||
| draft-ietf-ipv6-privacy-addrs-v2-04 | draft-ietf-ipv6-privacy-addrs-v2-05 | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on November 25, 2005. | This Internet-Draft will expire on February 2, 2007. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2006). | |||
| Abstract | Abstract | |||
| Nodes use IPv6 stateless address autoconfiguration to generate | Nodes use IPv6 stateless address autoconfiguration to generate | |||
| addresses using a combination of locally available information and | addresses using a combination of locally available information and | |||
| information advertised by routers. Addresses are formed by combining | information advertised by routers. Addresses are formed by combining | |||
| network prefixes with an interface identifier. On interfaces that | network prefixes with an interface identifier. On interfaces that | |||
| contain embedded IEEE Identifiers, the interface identifier is | contain embedded IEEE Identifiers, the interface identifier is | |||
| typically derived from it. On other interface types, the interface | typically derived from it. On other interface types, the interface | |||
| identifier is generated through other means, for example, via random | identifier is generated through other means, for example, via random | |||
| skipping to change at page 2, line 20 ¶ | skipping to change at page 2, line 20 ¶ | |||
| identifiers that change over time, even in cases where the interface | identifiers that change over time, even in cases where the interface | |||
| contains an embedded IEEE identifier. Changing the interface | contains an embedded IEEE identifier. Changing the interface | |||
| identifier (and the global scope addresses generated from it) over | identifier (and the global scope addresses generated from it) over | |||
| time makes it more difficult for eavesdroppers and other information | time makes it more difficult for eavesdroppers and other information | |||
| collectors to identify when different addresses used in different | collectors to identify when different addresses used in different | |||
| transactions actually correspond to the same node. | transactions actually correspond to the same node. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1 Conventions used in this document . . . . . . . . . . . . 4 | 1.1. Conventions used in this document . . . . . . . . . . . . 4 | |||
| 1.2 Problem Statement . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Problem Statement . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1 Extended Use of the Same Identifier . . . . . . . . . . . 5 | 2.1. Extended Use of the Same Identifier . . . . . . . . . . . 5 | |||
| 2.2 Address Usage in IPv4 Today . . . . . . . . . . . . . . . 6 | 2.2. Address Usage in IPv4 Today . . . . . . . . . . . . . . . 6 | |||
| 2.3 The Concern With IPv6 Addresses . . . . . . . . . . . . . 7 | 2.3. The Concern With IPv6 Addresses . . . . . . . . . . . . . 7 | |||
| 2.4 Possible Approaches . . . . . . . . . . . . . . . . . . . 8 | 2.4. Possible Approaches . . . . . . . . . . . . . . . . . . . 8 | |||
| 3. Protocol Description . . . . . . . . . . . . . . . . . . . . . 10 | 3. Protocol Description . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.1 Assumptions . . . . . . . . . . . . . . . . . . . . . . . 10 | 3.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.2 Generation Of Randomized Interface Identifiers . . . . . . 12 | 3.2. Generation Of Randomized Interface Identifiers . . . . . . 12 | |||
| 3.2.1 When Stable Storage Is Present . . . . . . . . . . . . 12 | 3.2.1. When Stable Storage Is Present . . . . . . . . . . . . 12 | |||
| 3.2.2 In The Absence of Stable Storage . . . . . . . . . . . 13 | 3.2.2. In The Absence of Stable Storage . . . . . . . . . . . 13 | |||
| 3.2.3 Alternate approaches . . . . . . . . . . . . . . . . . 14 | 3.2.3. Alternate approaches . . . . . . . . . . . . . . . . . 14 | |||
| 3.3 Generating Temporary Addresses . . . . . . . . . . . . . . 14 | 3.3. Generating Temporary Addresses . . . . . . . . . . . . . . 14 | |||
| 3.4 Expiration of Temporary Addresses . . . . . . . . . . . . 15 | 3.4. Expiration of Temporary Addresses . . . . . . . . . . . . 15 | |||
| 3.5 Regeneration of Randomized Interface Identifiers . . . . . 16 | 3.5. Regeneration of Randomized Interface Identifiers . . . . . 16 | |||
| 3.6 Deployment Considerations . . . . . . . . . . . . . . . . 17 | 3.6. Deployment Considerations . . . . . . . . . . . . . . . . 17 | |||
| 4. Implications of Changing Interface Identifiers . . . . . . . . 19 | 4. Implications of Changing Interface Identifiers . . . . . . . . 19 | |||
| 5. Defined Constants . . . . . . . . . . . . . . . . . . . . . . 20 | 5. Defined Constants . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 6. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 21 | 6. Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 7. Significant Changes from RFC 3041 . . . . . . . . . . . . . . 22 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 22 | |||
| 8. Changes from version 00 . . . . . . . . . . . . . . . . . . . 23 | 8. Significant Changes from RFC 3041 . . . . . . . . . . . . . . 23 | |||
| 9. Changes from version 01 . . . . . . . . . . . . . . . . . . . 24 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 10. Changes from version 02 . . . . . . . . . . . . . . . . . . 25 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| 11. Changes from version 03 . . . . . . . . . . . . . . . . . . 26 | 10.1. Normative References . . . . . . . . . . . . . . . . . . . 25 | |||
| 12. Security Considerations . . . . . . . . . . . . . . . . . . 27 | 10.2. Informative References . . . . . . . . . . . . . . . . . . 25 | |||
| 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 28 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27 | |||
| 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 29 | Intellectual Property and Copyright Statements . . . . . . . . . . 28 | |||
| 14.1 Normative References . . . . . . . . . . . . . . . . . . . 29 | ||||
| 14.2 Informative References . . . . . . . . . . . . . . . . . . 29 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 30 | ||||
| Intellectual Property and Copyright Statements . . . . . . . . 32 | ||||
| 1. Introduction | 1. Introduction | |||
| Stateless address autoconfiguration [ADDRCONF] defines how an IPv6 | Stateless address autoconfiguration [ADDRCONF] defines how an IPv6 | |||
| node generates addresses without the need for a DHCPv6 server. Some | node generates addresses without the need for a DHCPv6 server. Some | |||
| types of network interfaces come with an embedded IEEE Identifier | types of network interfaces come with an embedded IEEE Identifier | |||
| (i.e., a link-layer MAC address), and in those cases stateless | (i.e., a link-layer MAC address), and in those cases stateless | |||
| address autoconfiguration uses the IEEE identifier to generate a 64- | address autoconfiguration uses the IEEE identifier to generate a 64- | |||
| bit interface identifier [ADDRARCH]. By design, the interface | bit interface identifier [ADDRARCH]. By design, the interface | |||
| identifier is likely to be globally unique when generated in this | identifier is likely to be globally unique when generated in this | |||
| skipping to change at page 4, line 5 ¶ | skipping to change at page 4, line 5 ¶ | |||
| help mitigate those concerns for individual users and in environments | help mitigate those concerns for individual users and in environments | |||
| where such concerns are significant. Section 2 provides background | where such concerns are significant. Section 2 provides background | |||
| information on the issue. Section 3 describes a procedure for | information on the issue. Section 3 describes a procedure for | |||
| generating alternate interface identifiers and global scope | generating alternate interface identifiers and global scope | |||
| addresses. Section 4 discusses implications of changing interface | addresses. Section 4 discusses implications of changing interface | |||
| identifiers. The term "global scope addresses" is used in this | identifiers. The term "global scope addresses" is used in this | |||
| document to collectively refer to "Global unicast addresses" as | document to collectively refer to "Global unicast addresses" as | |||
| defined in [ADDRARCH] and "Unique local addresses" as defined in | defined in [ADDRARCH] and "Unique local addresses" as defined in | |||
| [ULA] | [ULA] | |||
| 1.1 Conventions used in this document | 1.1. Conventions used in this document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 1.2 Problem Statement | 1.2. Problem Statement | |||
| Addresses generated using Stateless address autoconfiguration | Addresses generated using Stateless address autoconfiguration | |||
| [ADDRCONF]contain an embedded interface identifier, which remains | [ADDRCONF]contain an embedded interface identifier, which remains | |||
| constant over time. Anytime a fixed identifier is used in multiple | constant over time. Anytime a fixed identifier is used in multiple | |||
| contexts, it becomes possible to correlate seemingly unrelated | contexts, it becomes possible to correlate seemingly unrelated | |||
| activity using this identifier. | activity using this identifier. | |||
| The correlation can be performed by | The correlation can be performed by | |||
| o An attacker who is in the path between the node in question and | o An attacker who is in the path between the node in question and | |||
| skipping to change at page 5, line 11 ¶ | skipping to change at page 5, line 11 ¶ | |||
| Use of temporary addresses will not prevent such payload based | Use of temporary addresses will not prevent such payload based | |||
| correlation. | correlation. | |||
| 2. Background | 2. Background | |||
| This section discusses the problem in more detail, provides context | This section discusses the problem in more detail, provides context | |||
| for evaluating the significance of the concerns in specific | for evaluating the significance of the concerns in specific | |||
| environments and makes comparisons with existing practices. | environments and makes comparisons with existing practices. | |||
| 2.1 Extended Use of the Same Identifier | 2.1. Extended Use of the Same Identifier | |||
| The use of a non-changing interface identifier to form addresses is a | The use of a non-changing interface identifier to form addresses is a | |||
| specific instance of the more general case where a constant | specific instance of the more general case where a constant | |||
| identifier is reused over an extended period of time and in multiple | identifier is reused over an extended period of time and in multiple | |||
| independent activities. Anytime the same identifier is used in | independent activities. Anytime the same identifier is used in | |||
| multiple contexts, it becomes possible for that identifier to be used | multiple contexts, it becomes possible for that identifier to be used | |||
| to correlate seemingly unrelated activity. For example, a network | to correlate seemingly unrelated activity. For example, a network | |||
| sniffer placed strategically on a link across which all traffic to/ | sniffer placed strategically on a link across which all traffic to/ | |||
| from a particular host crosses could keep track of which destinations | from a particular host crosses could keep track of which destinations | |||
| a node communicated with and at what times. Such information can in | a node communicated with and at what times. Such information can in | |||
| skipping to change at page 6, line 18 ¶ | skipping to change at page 6, line 18 ¶ | |||
| The use of a constant identifier within an address is of special | The use of a constant identifier within an address is of special | |||
| concern because addresses are a fundamental requirement of | concern because addresses are a fundamental requirement of | |||
| communication and cannot easily be hidden from eavesdroppers and | communication and cannot easily be hidden from eavesdroppers and | |||
| other parties. Even when higher layers encrypt their payloads, | other parties. Even when higher layers encrypt their payloads, | |||
| addresses in packet headers appear in the clear. Consequently, if a | addresses in packet headers appear in the clear. Consequently, if a | |||
| mobile host (e.g., laptop) accessed the network from several | mobile host (e.g., laptop) accessed the network from several | |||
| different locations, an eavesdropper might be able to track the | different locations, an eavesdropper might be able to track the | |||
| movement of that mobile host from place to place, even if the upper | movement of that mobile host from place to place, even if the upper | |||
| layer payloads were encrypted. | layer payloads were encrypted. | |||
| 2.2 Address Usage in IPv4 Today | 2.2. Address Usage in IPv4 Today | |||
| Addresses used in today's Internet are often non-changing in practice | Addresses used in today's Internet are often non-changing in practice | |||
| for extended periods of time. In an increasing number of sites, | for extended periods of time. In an increasing number of sites, | |||
| addresses are assigned statically and typically change infrequently. | addresses are assigned statically and typically change infrequently. | |||
| Over the last few years, sites have begun moving away from static | Over the last few years, sites have begun moving away from static | |||
| allocation to dynamic allocation via DHCP [DHCP]. In theory, the | allocation to dynamic allocation via DHCP [DHCP]. In theory, the | |||
| address a client gets via DHCP can change over time, but in practice | address a client gets via DHCP can change over time, but in practice | |||
| servers often return the same address to the same client (unless | servers often return the same address to the same client (unless | |||
| addresses are in such short supply that they are reused immediately | addresses are in such short supply that they are reused immediately | |||
| by a different node when they become free). Thus, even within sites | by a different node when they become free). Thus, even within sites | |||
| skipping to change at page 7, line 12 ¶ | skipping to change at page 7, line 12 ¶ | |||
| used to update the DNS dynamically, it may not always be available | used to update the DNS dynamically, it may not always be available | |||
| depending on the administrative policy. In addition, changing an | depending on the administrative policy. In addition, changing an | |||
| address but keeping the same DNS name does not really address the | address but keeping the same DNS name does not really address the | |||
| underlying concern, since the DNS name becomes a non-changing | underlying concern, since the DNS name becomes a non-changing | |||
| identifier. Servers generally require a DNS name (so clients can | identifier. Servers generally require a DNS name (so clients can | |||
| connect to them), and clients often do as well (e.g., some servers | connect to them), and clients often do as well (e.g., some servers | |||
| refuse to speak to a client whose address cannot be mapped into a DNS | refuse to speak to a client whose address cannot be mapped into a DNS | |||
| name that also maps back into the same address). Section 4 describes | name that also maps back into the same address). Section 4 describes | |||
| one approach to this issue. | one approach to this issue. | |||
| 2.3 The Concern With IPv6 Addresses | 2.3. The Concern With IPv6 Addresses | |||
| The division of IPv6 addresses into distinct topology and interface | The division of IPv6 addresses into distinct topology and interface | |||
| identifier portions raises an issue new to IPv6 in that a fixed | identifier portions raises an issue new to IPv6 in that a fixed | |||
| portion of an IPv6 address (i.e., the interface identifier) can | portion of an IPv6 address (i.e., the interface identifier) can | |||
| contain an identifier that remains constant even when the topology | contain an identifier that remains constant even when the topology | |||
| portion of an address changes (e.g., as the result of connecting to a | portion of an address changes (e.g., as the result of connecting to a | |||
| different part of the Internet). In IPv4, when an address changes, | different part of the Internet). In IPv4, when an address changes, | |||
| the entire address (including the local part of the address) usually | the entire address (including the local part of the address) usually | |||
| changes. It is this new issue that this document addresses. | changes. It is this new issue that this document addresses. | |||
| skipping to change at page 8, line 12 ¶ | skipping to change at page 8, line 12 ¶ | |||
| an address could be used to track activities of an individual, even | an address could be used to track activities of an individual, even | |||
| as they move topologically within the internet. | as they move topologically within the internet. | |||
| In summary, IPv6 addresses on a given interface generated via | In summary, IPv6 addresses on a given interface generated via | |||
| Stateless Autoconfiguration contain the same interface identifier, | Stateless Autoconfiguration contain the same interface identifier, | |||
| regardless of where within the Internet the device connects. This | regardless of where within the Internet the device connects. This | |||
| facilitates the tracking of individual devices (and thus potentially | facilitates the tracking of individual devices (and thus potentially | |||
| users). The purpose of this document is to define mechanisms that | users). The purpose of this document is to define mechanisms that | |||
| eliminate this issue, in those situations where it is a concern. | eliminate this issue, in those situations where it is a concern. | |||
| 2.4 Possible Approaches | 2.4. Possible Approaches | |||
| One way to avoid having a static non-changing address is to use | One way to avoid having a static non-changing address is to use | |||
| DHCPv6 [DHCPV6] for obtaining addresses. The DHCPv6 server could be | DHCPv6[DHCPV6] for obtaining addresses. Section 12 of [DHCPV6] | |||
| configured to hand out addresses that change over time. But DHCPv6 | discusses the use of DHCPv6 for the assignment and management of | |||
| will solve the privacy issue only if it frequently handed out | "temporary addresses", which are never renewed and provide the same | |||
| constantly changing addresses to the nodes or if the DHCPv6 client | property of temporary addresses described in this document with | |||
| moves from links to links frequently, being allocated independent | regards to the privacy concern. | |||
| addresses from different DHCPv6 servers. However, the former does | ||||
| not happen automatically, and is difficult to configure manually; the | ||||
| latter cannot be assumed for static (not frequently moving) hosts. | ||||
| Thus, DHCPv6 is not a self contained alternative for solving the | ||||
| privacy issues addressed by this document. However, in the absence | ||||
| of stateless address autoconfiguration, DHCPv6 can be used for | ||||
| distributing temporary addresses to clients. | ||||
| Another approach, compatible with the stateless address | Another approach, compatible with the stateless address | |||
| autoconfiguration architecture, would be to change the interface | autoconfiguration architecture, would be to change the interface | |||
| identifier portion of an address over time and generate new addresses | identifier portion of an address over time and generate new addresses | |||
| from the interface identifier for some address scopes. Changing the | from the interface identifier for some address scopes. Changing the | |||
| interface identifier can make it more difficult to look at the IP | interface identifier can make it more difficult to look at the IP | |||
| addresses in independent transactions and identify which ones | addresses in independent transactions and identify which ones | |||
| actually correspond to the same node, both in the case where the | actually correspond to the same node, both in the case where the | |||
| routing prefix portion of an address changes and when it does not. | routing prefix portion of an address changes and when it does not. | |||
| skipping to change at page 10, line 49 ¶ | skipping to change at page 10, line 49 ¶ | |||
| multicast groups may be required to put its interface into | multicast groups may be required to put its interface into | |||
| promiscuous mode, resulting in possible reduced performance. | promiscuous mode, resulting in possible reduced performance. | |||
| A node highly concerned about privacy MAY use different interface | A node highly concerned about privacy MAY use different interface | |||
| identifiers on different prefixes, resulting in a set of global | identifiers on different prefixes, resulting in a set of global | |||
| addresses that cannot be easily tied to each other. For example | addresses that cannot be easily tied to each other. For example | |||
| a node MAY create different interface identifiers I1,I2, and I3 | a node MAY create different interface identifiers I1,I2, and I3 | |||
| for use with different prefixes P1,P2, and P3 on the same | for use with different prefixes P1,P2, and P3 on the same | |||
| interface. | interface. | |||
| 3.1 Assumptions | 3.1. Assumptions | |||
| The following algorithm assumes that each interface maintains an | The following algorithm assumes that each interface maintains an | |||
| associated randomized interface identifier. When temporary addresses | associated randomized interface identifier. When temporary addresses | |||
| are generated, the current value of the associated randomized | are generated, the current value of the associated randomized | |||
| interface identifier is used. While the same identifier can be used | interface identifier is used. While the same identifier can be used | |||
| to create more than one temporary address, the value SHOULD change | to create more than one temporary address, the value SHOULD change | |||
| over time as described in Section 3.5. | over time as described in Section 3.5. | |||
| The algorithm also assumes that for a given temporary address, an | The algorithm also assumes that for a given temporary address, an | |||
| implementation can determine the prefix from which it was generated. | implementation can determine the prefix from which it was generated. | |||
| skipping to change at page 12, line 5 ¶ | skipping to change at page 12, line 5 ¶ | |||
| [ADDR_SELECT] mandates implementations to provide a mechanism, which | [ADDR_SELECT] mandates implementations to provide a mechanism, which | |||
| allows an application to configure its preference for temporary | allows an application to configure its preference for temporary | |||
| addresses over public addresses. It also allows for an | addresses over public addresses. It also allows for an | |||
| implementation to prefer temporary addresses by default, so that the | implementation to prefer temporary addresses by default, so that the | |||
| connections initiated by the node can use temporary addresses without | connections initiated by the node can use temporary addresses without | |||
| requiring application-specific enablement. This document also | requiring application-specific enablement. This document also | |||
| assumes that an API will exist that allows individual applications to | assumes that an API will exist that allows individual applications to | |||
| indicate whether they prefer to use temporary or public addresses and | indicate whether they prefer to use temporary or public addresses and | |||
| override the system defaults. | override the system defaults. | |||
| 3.2 Generation Of Randomized Interface Identifiers | 3.2. Generation Of Randomized Interface Identifiers | |||
| We describe two approaches for the generation and maintenance of the | We describe two approaches for the generation and maintenance of the | |||
| randomized interface identifier. The first assumes the presence of | randomized interface identifier. The first assumes the presence of | |||
| stable storage that can be used to record state history for use as | stable storage that can be used to record state history for use as | |||
| input into the next iteration of the algorithm across system | input into the next iteration of the algorithm across system | |||
| restarts. A second approach addresses the case where stable storage | restarts. A second approach addresses the case where stable storage | |||
| is unavailable and there is a need to generate randomized interface | is unavailable and there is a need to generate randomized interface | |||
| identifiers without previous state. | identifiers without previous state. | |||
| The random interface identifier generation algorithm, as described in | The random interface identifier generation algorithm, as described in | |||
| this document, uses MD5 as the hash algorithm. The node MAY use | this document, uses MD5 as the hash algorithm. The node MAY use | |||
| another algorithm instead of MD5 to produce the random interface | another algorithm instead of MD5 to produce the random interface | |||
| identifier. | identifier. | |||
| 3.2.1 When Stable Storage Is Present | 3.2.1. When Stable Storage Is Present | |||
| The following algorithm assumes the presence of a 64-bit "history | The following algorithm assumes the presence of a 64-bit "history | |||
| value" that is used as input in generating a randomized interface | value" that is used as input in generating a randomized interface | |||
| identifier. The very first time the system boots (i.e., out-of-the- | identifier. The very first time the system boots (i.e., out-of-the- | |||
| box), a random value SHOULD be generated using techniques that help | box), a random value SHOULD be generated using techniques that help | |||
| ensure the initial value is hard to guess [RANDOM]. Whenever a new | ensure the initial value is hard to guess [RANDOM]. Whenever a new | |||
| interface identifier is generated, a value generated by the | interface identifier is generated, a value generated by the | |||
| computation is saved in the history value for the next iteration of | computation is saved in the history value for the next iteration of | |||
| the algorithm. | the algorithm. | |||
| skipping to change at page 13, line 13 ¶ | skipping to change at page 13, line 13 ¶ | |||
| obtained in step 2 in place of the history value in step 1. | obtained in step 2 in place of the history value in step 1. | |||
| 5. Save the generated identifier as the associated randomized | 5. Save the generated identifier as the associated randomized | |||
| interface identifier. | interface identifier. | |||
| 6. Take the rightmost 64-bits of the MD5 digest computed in step 2) | 6. Take the rightmost 64-bits of the MD5 digest computed in step 2) | |||
| and save them in stable storage as the history value to be used | and save them in stable storage as the history value to be used | |||
| in the next iteration of the algorithm. | in the next iteration of the algorithm. | |||
| MD5 was chosen for convenience, and because its particular properties | MD5 was chosen for convenience, and because its particular properties | |||
| were adequate to produce the desired level of randomization. IPv6 | were adequate to produce the desired level of randomization.The node | |||
| nodes are already required to implement MD5 as part of IPsec [IPSEC], | MAY use another algorithm instead of MD5 to produce the random | |||
| thus the code will already be present on IPv6 machines. | interface identifier | |||
| In theory, generating successive randomized interface identifiers | In theory, generating successive randomized interface identifiers | |||
| using a history scheme as above has no advantages over generating | using a history scheme as above has no advantages over generating | |||
| them at random. In practice, however, generating truly random | them at random. In practice, however, generating truly random | |||
| numbers can be tricky. Use of a history value is intended to avoid | numbers can be tricky. Use of a history value is intended to avoid | |||
| the particular scenario where two nodes generate the same randomized | the particular scenario where two nodes generate the same randomized | |||
| interface identifier, both detect the situation via DAD, but then | interface identifier, both detect the situation via DAD, but then | |||
| proceed to generate identical randomized interface identifiers via | proceed to generate identical randomized interface identifiers via | |||
| the same (flawed) random number generation algorithm. The above | the same (flawed) random number generation algorithm. The above | |||
| algorithm avoids this problem by having the interface identifier | algorithm avoids this problem by having the interface identifier | |||
| (which will often be globally unique) used in the calculation that | (which will often be globally unique) used in the calculation that | |||
| generates subsequent randomized interface identifiers. Thus, if two | generates subsequent randomized interface identifiers. Thus, if two | |||
| nodes happen to generate the same randomized interface identifier, | nodes happen to generate the same randomized interface identifier, | |||
| they should generate different ones on the followup attempt. | they should generate different ones on the followup attempt. | |||
| 3.2.2 In The Absence of Stable Storage | 3.2.2. In The Absence of Stable Storage | |||
| In the absence of stable storage, no history value will be available | In the absence of stable storage, no history value will be available | |||
| across system restarts to generate a pseudo-random sequence of | across system restarts to generate a pseudo-random sequence of | |||
| interface identifiers. Consequently, the initial history value used | interface identifiers. Consequently, the initial history value used | |||
| above SHOULD be generated at random. A number of techniques might be | above SHOULD be generated at random. A number of techniques might be | |||
| appropriate. Consult [RANDOM] for suggestions on good sources for | appropriate. Consult [RANDOM] for suggestions on good sources for | |||
| obtaining random numbers. Note that even though machines may not | obtaining random numbers. Note that even though machines may not | |||
| have stable storage for storing a history value, they will in many | have stable storage for storing a history value, they will in many | |||
| cases have configuration information that differs from one machine to | cases have configuration information that differs from one machine to | |||
| another (e.g., user identity, security keys, serial numbers, etc.). | another (e.g., user identity, security keys, serial numbers, etc.). | |||
| One approach to generating a random initial history value in such | One approach to generating a random initial history value in such | |||
| cases is to use the configuration information to generate some data | cases is to use the configuration information to generate some data | |||
| bits (which may remain constant for the life of the machine, but will | bits (which may remain constant for the life of the machine, but will | |||
| vary from one machine to another), append some random data and | vary from one machine to another), append some random data and | |||
| compute the MD5 digest as before. | compute the MD5 digest as before. | |||
| 3.2.3 Alternate approaches | 3.2.3. Alternate approaches | |||
| Note that there are other approaches to generate random interface | Note that there are other approaches to generate random interface | |||
| identifiers, albeit with different goals and applicability. One such | identifiers, albeit with different goals and applicability. One such | |||
| approach is CGA [CGA], which generates a random interface identifier | approach is CGA [CGA], which generates a random interface identifier | |||
| based on the public key of the node. The goal of CGAs is to prove | based on the public key of the node. The goal of CGAs is to prove | |||
| ownership of an address and to prevent spoofing and stealing of | ownership of an address and to prevent spoofing and stealing of | |||
| existing IPv6 addresses. They are used for securing neighbor | existing IPv6 addresses. They are used for securing neighbor | |||
| discovery using [SEND]. The CGA random interface identifier | discovery using [SEND]. The CGA random interface identifier | |||
| generation algorithm may not be suitable for privacy addresses | generation algorithm may not be suitable for privacy addresses | |||
| because of the following properties | because of the following properties | |||
| o It requires the node to have a public key. This means that the | o It requires the node to have a public key. This means that the | |||
| node can still be identified by its public key | node can still be identified by its public key | |||
| o The random interface identifier process is computationally | o The random interface identifier process is computationally | |||
| intensive and hence discourages frequent regeneration | intensive and hence discourages frequent regeneration | |||
| 3.3 Generating Temporary Addresses | 3.3. Generating Temporary Addresses | |||
| [ADDRCONF] describes the steps for generating a link-local address | [ADDRCONF] describes the steps for generating a link-local address | |||
| when an interface becomes enabled as well as the steps for generating | when an interface becomes enabled as well as the steps for generating | |||
| addresses for other scopes. This document extends [ADDRCONF] as | addresses for other scopes. This document extends [ADDRCONF] as | |||
| follows. When processing a Router Advertisement with a Prefix | follows. When processing a Router Advertisement with a Prefix | |||
| Information option carrying a global scope prefix for the purposes of | Information option carrying a global scope prefix for the purposes of | |||
| address autoconfiguration (i.e., the A bit is set), the node MUST | address autoconfiguration (i.e., the A bit is set), the node MUST | |||
| perform the following steps: | perform the following steps: | |||
| 1. Process the Prefix Information Option as defined in [ADDRCONF], | 1. Process the Prefix Information Option as defined in [ADDRCONF], | |||
| skipping to change at page 15, line 16 ¶ | skipping to change at page 15, line 15 ¶ | |||
| 3. When a new public address is created as described in [ADDRCONF], | 3. When a new public address is created as described in [ADDRCONF], | |||
| the node SHOULD also create a new temporary address. | the node SHOULD also create a new temporary address. | |||
| 4. When creating a temporary address, the lifetime values MUST be | 4. When creating a temporary address, the lifetime values MUST be | |||
| derived from the corresponding prefix as follows: | derived from the corresponding prefix as follows: | |||
| * Its Valid Lifetime is the lower of the Valid Lifetime of the | * Its Valid Lifetime is the lower of the Valid Lifetime of the | |||
| public address or TEMP_VALID_LIFETIME | public address or TEMP_VALID_LIFETIME | |||
| * Its Preferred Lifetime is the lower of the Preferred Lifetime | * Its Preferred Lifetime is the lower of the Preferred Lifetime | |||
| of the prefix or TEMP_PREFERRED_LIFETIME - DESYNC_FACTOR. | of the public address or TEMP_PREFERRED_LIFETIME - | |||
| DESYNC_FACTOR. | ||||
| 5. A temporary address is created only if this calculated Preferred | 5. A temporary address is created only if this calculated Preferred | |||
| Lifetime is greater than REGEN_ADVANCE time units. In | Lifetime is greater than REGEN_ADVANCE time units. In | |||
| particular, an implementation MUST NOT create a temporary address | particular, an implementation MUST NOT create a temporary address | |||
| with a zero Preferred Lifetime. | with a zero Preferred Lifetime. | |||
| 6. New temporary addresses MUST be created by appending the | 6. New temporary addresses MUST be created by appending the | |||
| interface's current randomized interface identifier to the prefix | interface's current randomized interface identifier to the prefix | |||
| that was received. | that was received. | |||
| skipping to change at page 15, line 38 ¶ | skipping to change at page 15, line 38 ¶ | |||
| generated temporary address. If DAD indicates the address is | generated temporary address. If DAD indicates the address is | |||
| already in use, the node MUST generate a new randomized interface | already in use, the node MUST generate a new randomized interface | |||
| identifier as described in Section 3.2 above, and repeat the | identifier as described in Section 3.2 above, and repeat the | |||
| previous steps as appropriate up to TEMP_IDGEN_RETRIES times. If | previous steps as appropriate up to TEMP_IDGEN_RETRIES times. If | |||
| after TEMP_IDGEN_RETRIES consecutive attempts no non-unique | after TEMP_IDGEN_RETRIES consecutive attempts no non-unique | |||
| address was generated, the node MUST log a system error and MUST | address was generated, the node MUST log a system error and MUST | |||
| NOT attempt to generate temporary addresses for that interface. | NOT attempt to generate temporary addresses for that interface. | |||
| Note that DAD MUST be performed on every unicast address | Note that DAD MUST be performed on every unicast address | |||
| generated from this randomized interface identifier. | generated from this randomized interface identifier. | |||
| 3.4 Expiration of Temporary Addresses | 3.4. Expiration of Temporary Addresses | |||
| When a temporary address becomes deprecated, a new one MUST be | When a temporary address becomes deprecated, a new one MUST be | |||
| generated. This is done by repeating the actions described in | generated. This is done by repeating the actions described in | |||
| Section 3.3, starting at step 3). Note that, except for the | Section 3.3, starting at step 3). Note that, except for the | |||
| transient period when a temporary address is being regenerated, in | transient period when a temporary address is being regenerated, in | |||
| normal operation at most one temporary address per prefix should be | normal operation at most one temporary address per prefix should be | |||
| in a non-deprecated state at any given time on a given interface. | in a non-deprecated state at any given time on a given interface. | |||
| Note that if a temporary address becomes deprecated as result of | Note that if a temporary address becomes deprecated as result of | |||
| processing a Prefix Information Option with a zero Preferred | processing a Prefix Information Option with a zero Preferred | |||
| Lifetime, then a new temporary address MUST NOT be generated. To | Lifetime, then a new temporary address MUST NOT be generated. To | |||
| skipping to change at page 16, line 15 ¶ | skipping to change at page 16, line 13 ¶ | |||
| race conditions in the case where generating a new temporary address | race conditions in the case where generating a new temporary address | |||
| is not instantaneous, such as when duplicate address detection must | is not instantaneous, such as when duplicate address detection must | |||
| be run. The node SHOULD start the address regeneration process | be run. The node SHOULD start the address regeneration process | |||
| REGEN_ADVANCE time units before a temporary address would actually be | REGEN_ADVANCE time units before a temporary address would actually be | |||
| deprecated. | deprecated. | |||
| As an optional optimization, an implementation MAY remove a | As an optional optimization, an implementation MAY remove a | |||
| deprecated temporary address that is not in use by applications or | deprecated temporary address that is not in use by applications or | |||
| upper-layers as detailed in Section 6. | upper-layers as detailed in Section 6. | |||
| 3.5 Regeneration of Randomized Interface Identifiers | 3.5. Regeneration of Randomized Interface Identifiers | |||
| The frequency at which temporary addresses changes depends on how a | The frequency at which temporary addresses changes depends on how a | |||
| device is being used (e.g., how frequently it initiates new | device is being used (e.g., how frequently it initiates new | |||
| communication) and the concerns of the end user. The most egregious | communication) and the concerns of the end user. The most egregious | |||
| privacy concerns appear to involve addresses used for long periods of | privacy concerns appear to involve addresses used for long periods of | |||
| time (weeks to months to years). The more frequently an address | time (weeks to months to years). The more frequently an address | |||
| changes, the less feasible collecting or coordinating information | changes, the less feasible collecting or coordinating information | |||
| keyed on interface identifiers becomes. Moreover, the cost of | keyed on interface identifiers becomes. Moreover, the cost of | |||
| collecting information and attempting to correlate it based on | collecting information and attempting to correlate it based on | |||
| interface identifiers will only be justified if enough addresses | interface identifiers will only be justified if enough addresses | |||
| skipping to change at page 17, line 25 ¶ | skipping to change at page 17, line 23 ¶ | |||
| new set of temporary addresses. If a device moves from one ethernet | new set of temporary addresses. If a device moves from one ethernet | |||
| to another, generating a new set of temporary addresses from a | to another, generating a new set of temporary addresses from a | |||
| different randomized interface identifier ensures that the device | different randomized interface identifier ensures that the device | |||
| uses different randomized interface identifiers for the temporary | uses different randomized interface identifiers for the temporary | |||
| addresses associated with the two links, making it more difficult to | addresses associated with the two links, making it more difficult to | |||
| correlate addresses from the two different links as being from the | correlate addresses from the two different links as being from the | |||
| same node. The node MAY follow any process available to it, to | same node. The node MAY follow any process available to it, to | |||
| determine that the link change has occurred. One such process is | determine that the link change has occurred. One such process is | |||
| described by Detecting Network Attachment [DNA]. | described by Detecting Network Attachment [DNA]. | |||
| 3.6 Deployment Considerations | 3.6. Deployment Considerations | |||
| Devices implementing this specification MUST provide a way for the | Devices implementing this specification MUST provide a way for the | |||
| end user to explicitly enable or disable the use of temporary | end user to explicitly enable or disable the use of temporary | |||
| addresses. In addition, a site might wish to disable the use of | addresses. In addition, a site might wish to disable the use of | |||
| temporary addresses in order to simplify network debugging and | temporary addresses in order to simplify network debugging and | |||
| operations. Consequently, implementations SHOULD provide a way for | operations. Consequently, implementations SHOULD provide a way for | |||
| trusted system administrators to enable or disable the use of | trusted system administrators to enable or disable the use of | |||
| temporary addresses. | temporary addresses. | |||
| Additionally, sites might wish to selectively enable or disable the | Additionally, sites might wish to selectively enable or disable the | |||
| skipping to change at page 21, line 38 ¶ | skipping to change at page 22, line 5 ¶ | |||
| problem described in Section 4 when reverse DNS lookups fail may be | problem described in Section 4 when reverse DNS lookups fail may be | |||
| needed. [DNSOP] contains a more detailed discussion of the DNS | needed. [DNSOP] contains a more detailed discussion of the DNS | |||
| related issues. | related issues. | |||
| While this document discusses ways of obscuring a user's permanent IP | While this document discusses ways of obscuring a user's permanent IP | |||
| address, the method described is believed to be ineffective against | address, the method described is believed to be ineffective against | |||
| sophisticated forms of traffic analysis. To increase effectiveness, | sophisticated forms of traffic analysis. To increase effectiveness, | |||
| one may need to consider use of more advanced techniques, such as | one may need to consider use of more advanced techniques, such as | |||
| Onion Routing [ONION]. | Onion Routing [ONION]. | |||
| Open Issues | 7. Security Considerations | |||
| 1) Implementations should allow system administrators to configure | Ingress filtering has been and is being deployed as a means of | |||
| the use of temporary addresses. We've considered the possibility of | preventing the use of spoofed source addresses in Distributed Denial | |||
| using Router Advertisements to configure a host's use of temporary | of Service(DDoS) attacks. In a network with a large number of nodes, | |||
| addresses, but that has a major drawback: in some situations (for | new temporary addresses are created at a fairly high rate. This | |||
| example a home user receiving RAs from an ISP's router), the | might make it difficult for ingress filtering mechanisms to | |||
| administrator of the host and the administrator of the router may | distinguish between legitimately changing temporary addresses and | |||
| have different opinions about the use of temporary addresses. Any | spoofed source addresses, which are "in-prefix"(They use a | |||
| configuration mechanism that disables the use of temporary addresses | topologically correct prefix and non-existent interface ID). This | |||
| without input from the user MUST ensure that the host's administrator | can be addressed by using access control mechanisms on a per address | |||
| has authorized the disabling. | basis on the network egress point. | |||
| 7. Significant Changes from RFC 3041 | 8. Significant Changes from RFC 3041 | |||
| This section summarizes the changes in this document relative to RFC | This section summarizes the changes in this document relative to RFC | |||
| 3041 that an implementer of RFC 3041 should be aware of. | 3041 that an implementer of RFC 3041 should be aware of. | |||
| 1. Added wording to exclude certain interface identifiers from the | 1. Excluded certain interface identifiers from the range of | |||
| range of acceptable interface identifiers. Interface IDs such | acceptable interface identifiers. Interface IDs such as those | |||
| as 0, those for reserved anycast addresses [RFC2526], etc. | for reserved anycast addresses [RFC], etc. | |||
| 2. Added a configuration knob that provides the end user with a way | ||||
| to enable or disable the use of temporary addresses. | ||||
| 3. Under RFC 3041, RAs with short lifetimes (e.g., 1 hour) that | ||||
| always send the same lifetime for long periods of time (e.g., | ||||
| days to weeks) resulted in temporary addresses being created | ||||
| with lifetimes of only 1 hour. Additional rules were added to | ||||
| increase the Lifetime of temporary addresses when the advertised | ||||
| lifetimes were short. | ||||
| 4. DAD is now run on all temporary addresses, not just the first | ||||
| one generated from an interface identifier. | ||||
| 5. Changed the default setting for usage of temporary addresses to | ||||
| be disabled. | ||||
| 6. Added a security considerations section to highlight the ingress | ||||
| filtering issues which can be caused by the use of temporary | ||||
| addresses as described in this document | ||||
| 7. Removed references to site-local addresses | ||||
| 8. Added a check for denial of service attacks using low valid | ||||
| lifetimes in router advertisements | ||||
| 9. Changed the document to use RFC2119 language | ||||
| 10. The node is now allowed to generate different interface | ||||
| identifiers for different prefixes, if it so desires. | ||||
| 8. Changes from version 00 | ||||
| This section summarizes the changes from version 00 of this draft | ||||
| 1. The algorithm used for generating random interface identifiers | ||||
| is no longer restricted to just MD5 | ||||
| 2. Added a problem statement | ||||
| 3. Classified the references into normative and informative | ||||
| 4. Reduced default number of retries to 3 from 5 and added a | ||||
| configuration variable | ||||
| 5. Removed text about RA processing which is duplicated from | ||||
| [ADDRCONF] | ||||
| 6. Added text about the privacy implications of a non-changing | ||||
| prefix | ||||
| 7. Added a per-prefix enable/disable setting | ||||
| 8. Added text about the means of correlation | ||||
| 9. Clarified text about DHCPv6 | ||||
| 10. Added reference to dnsop issues draft | ||||
| 9. Changes from version 01 | ||||
| This section summarizes the changes from version 01 of this draft | ||||
| 1. Clarifiying the length of interface identifier | ||||
| 2. Added a per-prefix enable/disable knob as a SHOULD to retain | ||||
| backward compatibility | ||||
| 3. Removed normative reference to ISATAP to avoid downref problem | ||||
| 4. Added text for per-prefix knobs to be applied at any granularity | ||||
| 5. Moved RFC2526 to informative reference | ||||
| 10. Changes from version 02 | ||||
| This section summarizes the changes from version 02 of this draft | ||||
| 1. Explained briefly the concern that is being addressed in the | ||||
| introduction | ||||
| 2. Removed reference to 64 bit identifiers in the ADDRCONF context | ||||
| 3. Added clarifying text for the usage of DHCPv6 as an alternate | ||||
| approach | ||||
| 4. Moved RFC3484 to informative reference | ||||
| 5. Updated references for SEND, and CGA as they became RFCs | ||||
| 6. Updated draft versions for ULA, DNSOP issues, 2461bis, 2462bis | 2. Added a configuration knob that provides the end user with a way | |||
| and DNA goals | to enable or disable the use of temporary addresses on a per- | |||
| prefix basis. | ||||
| 11. Changes from version 03 | 3. Added a check for denial of service attacks using low valid | |||
| lifetimes in router advertisements | ||||
| This section summarizes the changes from version 03 of this draft | 4. DAD is now run on all temporary addresses, not just the first one | |||
| generated from an interface identifier. | ||||
| 1. Added additional clarifying text regarding regeneration of | 5. Changed the default setting for usage of temporary addresses to | |||
| identifiers as proposed in the AD(Margaret Wasserman) review | be disabled. | |||
| comments. | ||||
| 2. Clarified confusing text which seemed to imply that the randomnly | 6. The node is now allowed to generate different interface | |||
| generated identigiers could only be used with global scope | identifiers for different prefixes, if it so desires. | |||
| addresses. | ||||
| 3. Switched to the new IPR boilerplate | 7. The algorithm used for generating random interface identifiers is | |||
| no longer restricted to just MD5 | ||||
| 12. Security Considerations | 8. Reduced default number of retries to from and added a | |||
| configuration variable | ||||
| Ingress filtering has been and is being deployed as a means of | 9. RA processing algorithm is no longer included in the document, | |||
| preventing the use of spoofed source addresses in Distributed Denial | and is replaced by a reference to [ADDRCONF]. | |||
| of Service(DDoS) attacks. In a network with a large number of nodes, | ||||
| new temporary addresses are created at a fairly high rate. This | ||||
| might make it difficult for ingress filtering mechanisms to | ||||
| distinguish between legitimately changing temporary addresses and | ||||
| spoofed source addresses, which are "in-prefix"(They use a | ||||
| topologically correct prefix and non-existent interface ID). This | ||||
| can be addressed by using access control mechanisms on a per address | ||||
| basis on the network egress point. | ||||
| 13. Acknowledgements | 9. Acknowledgements | |||
| The authors would like to acknowledge the contributions of the ipv6 | The authors would like to acknowledge the contributions of the ipv6 | |||
| working group and, in particular, Ran Atkinson, Matt Crawford, Steve | working group and, in particular, Ran Atkinson, Matt Crawford, Steve | |||
| Deering, Allison Mankin, Peter Bieringer, Jari Arkko, Pekka Nikander, | Deering, Allison Mankin, Peter Bieringer, Jari Arkko, Pekka Nikander, | |||
| Pekka Savola, Francis Dupont, Brian Haberman, Tatuya Jinmei and | Pekka Savola, Francis Dupont, Brian Haberman, Tatuya Jinmei and | |||
| Margaret Wasserman for their detailed comments. | Margaret Wasserman for their detailed comments. | |||
| 14. References | 10. References | |||
| 14.1 Normative References | 10.1. Normative References | |||
| [ADDRARCH] | [ADDRARCH] | |||
| Hinden, R. and S. Deering, "Internet Protocol Version 6 | Hinden, R. and S. Deering, "Internet Protocol Version 6 | |||
| (IPv6) Addressing Architecture", RFC 3513, April 2003. | (IPv6) Addressing Architecture", RFC 3513, April 2003. | |||
| [ADDRCONF] | [ADDRCONF] | |||
| Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless | Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless | |||
| Address Autoconfiguration", draft-ietf-ipv6-rfc2462bis-07 | Address Autoconfiguration", draft-ietf-ipv6-rfc2462bis-07 | |||
| (work in progress), December 2004. | (work in progress), December 2004. | |||
| [DISCOVERY] | [DISCOVERY] | |||
| Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | |||
| "Neighbor Discovery for IP version 6 (IPv6)", | "Neighbor Discovery for IP version 6 (IPv6)", | |||
| draft-ietf-ipv6-2461bis-02 (work in progress), | draft-ietf-ipv6-2461bis-02 (work in progress), | |||
| February 2005. | February 2005. | |||
| [IPSEC] Kent, S. and R. Atkinson, "Security Architecture for the | ||||
| Internet Protocol", RFC 2401, November 1998. | ||||
| [MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | [MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | |||
| April 1992. | April 1992. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", RFC 2119, March 1997. | Requirement Levels", RFC 2119, March 1997. | |||
| 14.2 Informative References | 10.2. Informative References | |||
| [ADDR_SELECT] | [ADDR_SELECT] | |||
| Draves, R., "Default Address Selection for Internet | Draves, R., "Default Address Selection for Internet | |||
| Protocol version 6 (IPv6)", RFC 3484, February 2003. | Protocol version 6 (IPv6)", RFC 3484, February 2003. | |||
| [CGA] Aura, T., "Cryptographically Generated Addresses (CGA)", | [CGA] Aura, T., "Cryptographically Generated Addresses (CGA)", | |||
| RFC 3972, March 2005. | RFC 3972, March 2005. | |||
| [COOKIES] Kristol, D. and L. Montulli, "HTTP State Management | [COOKIES] Kristol, D. and L. Montulli, "HTTP State Management | |||
| Mechanism", RFC 2965, October 2000. | Mechanism", RFC 2965, October 2000. | |||
| skipping to change at page 30, line 24 ¶ | skipping to change at page 26, line 22 ¶ | |||
| October 2004. | October 2004. | |||
| [ONION] Reed, MGR., Syverson, PFS., and DMG. Goldschlag, "Proxies | [ONION] Reed, MGR., Syverson, PFS., and DMG. Goldschlag, "Proxies | |||
| for Anonymous Routing", Proceedings of the 12th Annual | for Anonymous Routing", Proceedings of the 12th Annual | |||
| Computer Security Applications Conference, San Diego, CA, | Computer Security Applications Conference, San Diego, CA, | |||
| December 1996. | December 1996. | |||
| [RANDOM] Eastlake, D., Crocker, S., and J. Schiller, "Randomness | [RANDOM] Eastlake, D., Crocker, S., and J. Schiller, "Randomness | |||
| Recommendations for Security", RFC 1750, December 1994. | Recommendations for Security", RFC 1750, December 1994. | |||
| [RFC2526] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast | ||||
| Addresses", RFC 2526, March 1999. | ||||
| [SEND] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure | [SEND] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure | |||
| Neighbor Discovery (SEND)", RFC 3971, March 2005. | Neighbor Discovery (SEND)", RFC 3971, March 2005. | |||
| [ULA] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast | [ULA] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast | |||
| Addresses", draft-ietf-ipv6-unique-local-addr-09 (work in | Addresses", draft-ietf-ipv6-unique-local-addr-09 (work in | |||
| progress), January 2005. | progress), January 2005. | |||
| Authors' Addresses | Authors' Addresses | |||
| Thomas Narten | Thomas Narten | |||
| skipping to change at page 32, line 41 ¶ | skipping to change at page 28, line 41 ¶ | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | |||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | |||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | |||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
| Copyright Statement | Copyright Statement | |||
| Copyright (C) The Internet Society (2005). This document is subject | Copyright (C) The Internet Society (2006). This document is subject | |||
| to the rights, licenses and restrictions contained in BCP 78, and | to the rights, licenses and restrictions contained in BCP 78, and | |||
| except as set forth therein, the authors retain all their rights. | except as set forth therein, the authors retain all their rights. | |||
| Acknowledgment | Acknowledgment | |||
| Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | |||
| Internet Society. | Internet Society. | |||
| End of changes. 46 change blocks. | ||||
| 201 lines changed or deleted | 91 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||