Enable IPv6 Privacy Extensions by default
Garrett Wollman
wollman at bimajority.org
Thu Jun 15 02:09:09 UTC 2017
<<On Tue, 13 Jun 2017 22:14:21 -0700, Rui Paulo <rpaulo at me.com> said:
> Pretty sure these problems have been addressed by now, given the amount
> of computers, smart phones, tablets, etc. running with privacy
> extensions enabled.
They've been "fixed" mostly by hiding big networks behind NATs and
leaving them IPv4-only. And in some enterprises by implementing
DHCPv6. (We haven't done the latter but expect to if I can ever get
the time.)
There have been no fixes to the NDP or MLD protocols that would make
"privacy" addresses as specified safe to use in large networks, and
it's highly unlikely that there ever will be, given that fixing the
protocols would set back IPv6 adoption even further.
When I first ran into this, people seriously said things to me like
"duh, obviously every office in your building should have its own
separate /64". I kid you not. That was the recommended "solution":
broadcast domains with two or three machines on them. That's fine for
your home network hanging off a cable modem, not OK for an office
building with a thousand people and twice that many computers in it.
-GAWollman
More information about the freebsd-net
mailing list