Steve Deering
& Bob Hinden
(deering@cisco.com, hinden@iprg.nokia.com)
Co-Chairs of the IETF's IP Next Generation Working Group
November 6, 1999
The privacy of communication is a major issue in the Internet Engineering Task Force (IETF) and has inspired much of the IETF's recent work on security technology. Concern about privacy has led to recent press reports concerning the use of "unique serial numbers" in IPv6 addresses. Unfortunately these reports have in some cases been inaccurate and misleading. Yes, one of the several methods of assigning IPv6 addresses uses factory-assigned, unique serial numbers as part of the address, but NO, not all IPv6 packets are required to carry such addresses.
In particular, communication initiated by an IPv6 device, such as requesting a web page or accessing an email server, is NOT required to include or reveal any unique serial numbers of the initiating device. As an alternative to the kind of address that contains a serial number, the initiating device may use any of the kinds of addresses currently used in IPv4, e.g., manually assigned, or dynamically assigned -- perhaps only temporarily -- by an address server such as DHCP or by a dial-up ISP. It may also use a new kind of address, available only in IPv6, that contains a random number in place of the factory-assigned serial number.
The kind of IPv6 address that contains a random number was introduced into the IPv6 development process earlier this year, precisely because of concerns in the IETF about the same privacy issues that have more recently been raised in the press. The full details of how and when this new kind of address will be used have not been standardized as yet (perhaps this is why the writers of some of the recent press articles were apparently unaware of it), but we expect that to happen soon, and to be widely implemented by vendors of IPv6-capable devices well before widespread deployment of IPv6. For more information about this new kind of address, see:
Note: The IESG approved the above document as a Proposed Standard on December 6, 2000.
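As an added illustration (not part of the original statement), the following Python shows the two kinds of interface identifier the text contrasts: one derived from an Ethernet adapter's factory-assigned serial number, and a random one, plus a check that tells whether a given address reveals a serial number. It uses the modified EUI-64 derivation later standardized in RFC 4291 and the random-identifier scheme of RFC 4941, neither of which is named on this page; the MAC address and the 2001:db8::/32 prefix are constructed sample values.

```python
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> bytes:
    """Interface identifier derived from a 48-bit Ethernet MAC (modified EUI-64).

    The universal/local bit (0x02) of the first octet is inverted and ff:fe is
    inserted between the vendor half and the device half of the MAC, so the
    resulting address carries the adapter's serial number verbatim.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def random_interface_id() -> bytes:
    """Randomly generated interface identifier (RFC 4941 style).

    The universal/local bit is cleared so the value cannot be mistaken for a
    globally unique, factory-assigned identifier.
    """
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear the u/l bit
    return bytes(iid)


def build_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte interface identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def embedded_mac(addr: str):
    """Return the MAC an EUI-64-style address reveals, or None otherwise.

    Heuristic: looks for the ff:fe marker in the interface identifier. A random,
    DHCP-assigned or manually configured identifier contains that marker only by
    coincidence (about 1 in 65536), so treat a hit as likely, not certain.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"  # constructed sample value
    stable = build_address("2001:db8:1:2::/64", eui64_interface_id(mac))
    temporary = build_address("2001:db8:1:2::/64", random_interface_id())
    print(stable, "reveals", embedded_mac(str(stable)))
    print(temporary, "reveals", embedded_mac(str(temporary)))
```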
An Internet device that is intended to be a target of communication initiated by other devices must have a unique IP address that is stable over a relatively long period of time, just like anyone wishing to receive telephone calls must have a unique and stable telephone number, and anyone wishing to receive postal mail delivery must have a unique and stable postal address. The presence of unique, factory-assigned serial numbers on common LAN adapters, such as Ethernet adapters, makes it possible to reliably generate unique, stable IPv6 addresses for such devices, without requiring either manual configuration or separate address-assignment servers.
An Internet device that is NOT intended to be a target of communication, i.e., a device that is only an initiator of communication, may also have a unique, stable IP address, but is not required to do so. It is sufficient for such a device to have a temporary address that is valid only for as long as a specific communication session, and that address may be shared among a number of different, initiator-only devices at different times.
In today's Internet, many devices are initiators only. The most common example of this is the dial-up home PC. (Dial-up devices are not very useful as targets, since they are disconnected from the Internet most of the time.) However, we expect that situation to become less common in the future, as dial-up Internet access is replaced by "always on" access technologies like cable and DSL, enabling consumers to run their own Internet-visible servers, and as new applications like IP telephony are deployed, in which many more devices become potential targets for communication. Therefore, in the future IPv6-based Internet, we expect many devices to have two kinds of IP addresses: