security in stateless autoconfiguration

[itojun@iijlab.net]

Terry,

>For IPv4, I think the security argument is specious; in
>particular, it's most likely that any ad hoc networking
>will find itself occurring behind a network address
>translation perimeter, if it finds itself with WAN access
>at all.
>For IPv6, there is a very real danger that ad hoc networks
>will find themselves with non-translated addresses that
>give them WAN connectivity.
>I will go further: this _will_ happen.  It is expedient,
>it is convenient, and it is less work than the alternative.
>The only issue is whether your products let them have a
>reverse mapping, or not.  If not, and it is found to be an
>inconvenience, they will buy someone else's products, and
>your point of view loses dejure instead of defacto.

	What do you referring here with the word "security"?  There are many
	"security"-ish things involved here;

	- security of stateless autoconfiguration itself:
		- malicious end node that visits Ethernet hookup in dentist
		  office will get access to other node in the dentist office.
		- (similarly) mailicious user will get global address
		  by stateless autoconfig.
	- malicious router connected to dentist office network will be able to
	  capture every outgoing packets from the dentist office
	- end node at dentist office will automatically be visible to
	  worldwide by using stateless autoconfig

	I suspect you meant the last one, but that is not the only one.
	And the last one is not really true I believe.
	You can announce RAs with site-local prefixes to avoid end nodes to
	be visible from outside world.  I agree that there's no per-host policy
	control about the reachability (there's subnet-grain control only),
	but stateless autoconfig does not always mean worldwide reachability.

	And you seem to say that IPv4 world is safe because you have NAT.
	NAT does not provide security at all.  Malicious outside node can
	inject the inside node any tcp options as he like.

	I maybe missing your point....

itojun