>Philip Homburg pointed out that, although impractical to determine the
>Client IP before Client Cookie construction, it is feasible for a Client
>to detect it when it learns a Server Cookie from a specific Server.  It
>can subsequently be tried to be reused for the same Server which will
>fail if the Client IP has changed.
>
>This new (and practically implementable) requirement does not only
>enhance privacy and make DNS Cookies work with the IPv6 Privacy
>Extensions (by preventing tracking), it also makes them work in other
>environments where Client source IP can change frequently, such as in
>setups with multiple outgoing gateways.

Note that my preference was a pseudo-random client cookie. 

I can see two issues with the current approach:
1) I'm not sure this actually fixes the IPv6 privacy extensions problem.
   The same client cookie can be used on different addresses if the 
   server doesn't support cookies and the client at some point forgets
   that the server doesn't support cookies (and sends the server the
   same client cookie after a new privacy address is generated).

2) As an extension of the previous, if no server supports cookies, then the
   client will not change the Client Secret and continues to use the same
   client cookie after it moves to a new location.


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
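
Added example, not part of the original message or of the draft under discussion: a small model of the two issues raised above, comparing when a Client Cookie ends up being sent from two different source addresses. The class names, the HMAC-based derivation, and the per-(server, address) random cookie store are assumptions made for illustration; the addresses are constructed documentation-prefix values.

```python
import hashlib
import hmac
import secrets


class DerivedCookieClient:
    """Assumed model: Client Cookie = PRF(Client Secret, server IP). The secret
    is rotated only when an address change is noticed via a learned Server Cookie."""

    def __init__(self):
        self.secret = secrets.token_bytes(16)
        self.learned = {}  # server -> local address its Server Cookie was learned on

    def cookie_for(self, server, local_addr, server_supports_cookies):
        seen_on = self.learned.get(server)
        if seen_on is not None and seen_on != local_addr:
            # Address change detected through stored Server Cookie state.
            self.secret = secrets.token_bytes(16)
            self.learned.clear()
        if server_supports_cookies:
            self.learned[server] = local_addr
        return hmac.new(self.secret, server.encode(), hashlib.sha256).digest()[:8]


class RandomCookieClient:
    """Assumed alternative: a random 8-byte Client Cookie per (server, local address)."""

    def __init__(self):
        self.cookies = {}

    def cookie_for(self, server, local_addr, server_supports_cookies):
        key = (server, local_addr)
        if key not in self.cookies:
            self.cookies[key] = secrets.token_bytes(8)
        return self.cookies[key]


def linkable(client, server, addrs, server_supports_cookies):
    """True if the same Client Cookie was sent from more than one source address."""
    sent = [client.cookie_for(server, a, server_supports_cookies) for a in addrs]
    return len(set(sent)) < len(sent)


# Constructed sample values (RFC 3849 documentation prefix).
SERVER = "2001:db8::53"
ADDRS = ["2001:db8:1::a1", "2001:db8:1::b2"]
```

With a server that never returns a Server Cookie, the derived-cookie client has nothing to trigger a secret change, so the same cookie follows it to the new address; the random-per-address client does not depend on the server's behaviour.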
