Dear Editor, I enjoyed reading the article on "Address Authentication" in the March 2013 edition of The Internet Protocol Journal (Volume 16, No. 1), but I couldn't help thinking to myself how the widespread adoption of the use of IPv6 Privacy Addresses (RFC 4941) would affect some of the assertions in the article about the relative merits of using IPv6 addresses for authentication. With both Microsoft and Apple operating systems now implementing IPv6 Privacy Addresses, it is now effectively impossible for any user authentication service to assume that a presented IPv6 address is going to remain constant over time. It is probably safer to assume that such IPv6 addresses are in fact not constant at all, and not to use them in any context of authentication. Given that the widespread use of NATs in IPv4 leads one to the same basic conclusion about using IPv4 addresses for authentication, isn't the best advice these days to avoid "Address Authentication" as it is applied to Internet end users?
The author responds:
I agree with Geoff's comments. My article explores the idea that IPv6 may be more "trustworthy," but it concludes by recommending against using any IP address as a form of authentication.
IPv4 addresses will be far less "trustworthy" with the introduction of Carrier-Grade NATs or Large-Scale NATs. We will not be able to trust IPv6 addresses if the interface identifier changes frequently. My expectation is that most enterprises would prefer Dynamic Host Configuration Protocol for IPv6 (DHCPv6) with randomized interface identifiers, but most broadband Internet access subscribers will use a Customer Premises Equipment (CPE) that uses Stateless Address Autoconfiguration (SLAAC) and Stateless DHCPv6. IPv6 offers the ability to perform traceback to the /64 subnet level. That feature is only slightly better than IPv4 traceback.