
   comp.protocols.tcp-ip      TCP and IP network protocols.      14,669 messages   


   Message 13,599 of 14,669   
   Robert Redelmeier to Morten Reistad   
   Re: Extending IPv4 with source translati   
   17 Sep 10 23:06:36   
   
   XPost: comp.dcom.lans.ethernet   
   From: redelm@ev1.net.invalid   
      
   In comp.dcom.lans.ethernet Morten Reistad  wrote in part:   
   > Robert Redelmeier   wrote:   
   >>> "security by obscurity" does not work, nor does it provide   
   >>> anonymity.   
   >>   
   >>I disagree with this meme.  There is no absolute security or   
   >>anonymity by _any_ means.  All can be penetrated by sufficiently   
   >>advanced countermeasures.  Security is a continuum, not discrete.   
   >>The point is to elevate the cost of the attack such that it is   
   >>not in widespread use, especially long after the fact.   
   >   
   > With "security by obscurity" you make a dent in the   
   > continuum.  It may work for a while, until someone finds out   
   > what you are doing, and then the "security" implodes. Much   
   > like a virus attack.   
      
   "Obscurity" is not a single thing -- even crypto keys may  be   
   said to be only obscure and not secure.  Obscurity may be very   
   obscure when humans have to get involved to retrieve logs.   
   Not at all like an automated attack.   
      
   >>In this sense the horrible mixup that is DHCP and NAT are
   >>useful obscurants.  Furthermore, they are pretty much obligatory
   >>under IPv4.  Under IPv6, an interventionist government (who else
   >>controls the police?)  could easily ban all the privacy extensions
   >>and refuse to pass/flag packets with scrambled MACs.
   >   
   > So, tell me, how are they to avoid this; considering that   
   > this is a default behaviour in the latest windows versions?   
      
   I would be _very_ surprised if MAC scrambling were part   
   of MS-Windows in any default config.  A number of [cable]   
   ISPs still use MAC for authentication, as do a number of   
   corporate router security schemes.  MS may be many things,   
   but they usually default in favor of their direct customers   
   (PC mfrs) interests -- reducing support calls.   
      
   > And, if you use something like openbsd, there are no bits   
   > saying "this is a scrambled mac address". You cannot filter   
   > what isn't tagged in the first place.   
      
   Sure you can -- whitelist rather than blacklist on border routers.   
   No good MAC -- bitbucket or worse.   
      
   > No, ipv6 will live in the fringes, just like ipv4 did from 1986   
   > to 1995. Meanwhile ipv4 will decay to become a nightmare for   
   > anyone doing stuff that is only slightly beyond mainstream.   
      
   And only when IPv4 becomes totally unworkable for a critical   
   mass of users (~30%?) will the switch happen.   
      
   > Already you can expect your external IP to flap wildly on   
   > some carrier implementations.   
      
   "wildly" is a vague adjective -- how fast?  I've seen some DHCPs
   last _years_ although most last only days/week.  For current
   services, I see little problem and in fact _benefits_ for the ISP
   -- they charge more for static IPs, and relatively few users need
   external accessibility.  For those few, DDNS and proprietary DNS
   (Pogoplug/Cloud) work OK.  Most other users would rather _not_
   have external access if they ever thought about it.  Perhaps
   some compelling service will come along, but I don't see it.
      
      
   -- Robert   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
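The exchange above turns on whether a border router can tell a SLAAC address built from a real MAC apart from one with a "scrambled" (privacy-extension) interface identifier, and whether an allowlist of known MACs is workable. The following is an added illustration written for this page, not code from either poster: it checks an IPv6 address for the modified EUI-64 marker (0xfffe in the middle of the interface identifier, with the universal/local bit inverted, per RFC 4291), recovers the embedded MAC when present, and compares it against a constructed allowlist. The allowlist entries and sample addresses are made-up values for the demonstration.

```python
import ipaddress

# Constructed allowlist of MACs an operator has registered (assumption for the example).
ALLOWED_MACS = {
    "00:11:22:33:44:55",
    "00:1b:21:aa:bb:cc",
}


def iid_to_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface identifier, or None.

    Modified EUI-64 (RFC 4291, Appendix A) splits the 48-bit MAC, inserts
    0xfffe between the halves and inverts the universal/local bit (bit 1 of
    the first octet).  A privacy-extension IID (RFC 4941) is random, so it
    will carry the 0xfffe marker only by chance (about 1 in 65536), which is
    the caveat behind "there are no bits saying this is a scrambled MAC".
    """
    packed = ipaddress.IPv6Address(addr).packed
    iid = packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02          # undo the U/L bit inversion
    mac_bytes = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac_bytes)


def classify(addr, allowed_macs=ALLOWED_MACS):
    """Classify an address the way an allowlisting border router would.

    Returns a (verdict, mac) pair:
      ("allowed", mac)      EUI-64 IID whose MAC is on the allowlist
      ("unknown-mac", mac)  EUI-64 IID whose MAC is not on the allowlist
      ("non-eui64", None)   no EUI-64 marker: privacy extension, DHCPv6,
                            static assignment or anything else
    With an allowlist policy the last two both fall outside the list, which
    is the point of "whitelist rather than blacklist".
    """
    mac = iid_to_mac(addr)
    if mac is None:
        return ("non-eui64", None)
    if mac in allowed_macs:
        return ("allowed", mac)
    return ("unknown-mac", mac)


def filter_sources(addrs, allowed_macs=ALLOWED_MACS):
    """Split a list of source addresses into (accepted, dropped) under allowlisting."""
    accepted, dropped = [], []
    for a in addrs:
        verdict, _ = classify(a, allowed_macs)
        (accepted if verdict == "allowed" else dropped).append(a)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample addresses: one EUI-64 from an allowed MAC, one EUI-64
    # from an unlisted MAC, and one random-looking (privacy-extension style) IID.
    samples = [
        "2001:db8::211:22ff:fe33:4455",
        "2001:db8::2ab:cdff:fe12:3456",
        "2001:db8::9c3e:71a0:4d2f:b8e1",
    ]
    for s in samples:
        print(s, "->", classify(s))
    print("accepted/dropped:", filter_sources(samples))
```

The allowlist check is cheap because the EUI-64 layout is fixed, but it is only as good as the operator's MAC registry, and the 0xfffe test is a heuristic: a random IID that happens to contain the marker will be parsed as a MAC, and an address built any other way is simply "non-EUI-64" rather than provably scrambled.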



(c) 1994,  bbs@darkrealms.ca