On Thu, 5 May 2005, Colm MacCarthaigh wrote:
>
> You know, you could bind a whole /64 to an interface, and use the
> 64-bits of host-space in the address for state-storage and
> instruction-matching. An FSM using "interface=" and $interface_address
> with Exim sending mails to itself for transitions should be well-doable
> ;)
:-)
I have a very stale patch for FreeBSD which allows you to alias an IPv4
network onto an interface, which we used at Demon for large-scale virtual
web hosting in the days before HTTP/1.1 was sufficiently common. At one
point homepages.demon.co.uk had 192K IP addresses (2 /16s and 2 /18s). One
of the things I have way down near the bottom of my todo list is updating
the patch for IPv6 so that you can play the kind of games you mention.
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/12071
Another thing worth looking at is RFC 3972 which documents cryptographically
generated addresses for use in the secure neighbour discovery protocol.
This idea could also be useful for extra security in UDP protocols (e.g.
the DNS). DJBDNS gets extra security by randomly allocating both the local
port and the DNS query ID, to give about 30 bits of randomness. It could
get loads more if it randomly allocated the local IP address too. OTOH
this is protecting against a fairly uninteresting DNS attack - there are
easier and more effective ways to spoof it.
Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
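RFC 3972 address generation and verification, worked through as an added example (this is not code from the thread or from any project it mentions). It builds a cryptographically generated address inside a /64, then checks that a parameter block really binds the key to the address, including the u/g and Sec bit handling that the verifier has to mask off. Assumptions: the "public key" is a constructed placeholder byte string rather than a DER-encoded SubjectPublicKeyInfo, the prefix 2001:db8::/64 is documentation space, and Sec=1 is used so the Hash2 search (expected 2^16 SHA-1 evaluations) finishes quickly.

```python
import hashlib
import ipaddress
import os
from dataclasses import dataclass

# Constructed placeholder: a real CGA hashes the DER SubjectPublicKeyInfo here.
SAMPLE_KEY = b"constructed-placeholder-for-DER-SubjectPublicKeyInfo"
# 2001:db8::/64 as the 8-octet subnet prefix (documentation prefix, an assumption).
EXAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]


@dataclass
class CGAParams:
    """The CGA Parameters data structure of RFC 3972 section 3."""
    modifier: bytes          # 16 octets; random, incremented until Hash2 condition holds
    subnet_prefix: bytes     # 8 octets
    collision_count: int     # 0, 1 or 2 (bumped after a DAD collision)
    public_key: bytes        # DER SubjectPublicKeyInfo in real use
    ext_fields: bytes = b""


def hash1(p: CGAParams) -> bytes:
    """Leftmost 64 bits of SHA-1 over the whole parameter structure."""
    data = p.modifier + p.subnet_prefix + bytes([p.collision_count]) + p.public_key + p.ext_fields
    return hashlib.sha1(data).digest()[:8]


def hash2(p: CGAParams) -> bytes:
    """Leftmost 112 bits of SHA-1 with prefix and collision count replaced by 9 zero octets."""
    return hashlib.sha1(p.modifier + b"\x00" * 9 + p.public_key + p.ext_fields).digest()[:14]


def hash2_satisfies_sec(h2: bytes, sec: int) -> bool:
    """The leftmost 16*Sec bits of Hash2 must be zero (trivially true for Sec=0)."""
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def generate_cga(subnet_prefix: bytes, public_key: bytes, sec: int,
                 rng=os.urandom, collision_count: int = 0):
    """Return (IPv6Address, CGAParams) for the given prefix, key and Sec value."""
    if not 0 <= sec <= 7 or not 0 <= collision_count <= 2 or len(subnet_prefix) != 8:
        raise ValueError("sec must be 0..7, collision_count 0..2, prefix 8 octets")
    modifier = int.from_bytes(rng(16), "big")
    p = CGAParams(modifier.to_bytes(16, "big"), bytes(subnet_prefix), collision_count, public_key)
    # Hash extension: walk the modifier until Hash2 has 16*Sec leading zero bits.
    while not hash2_satisfies_sec(hash2(p), sec):
        modifier = (modifier + 1) & ((1 << 128) - 1)
        p.modifier = modifier.to_bytes(16, "big")
    iid = bytearray(hash1(p))
    # Bits 0-2 of the interface ID carry Sec; bits 6-7 (u and g) are cleared.
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return ipaddress.IPv6Address(bytes(subnet_prefix) + bytes(iid)), p


def verify_cga(address: ipaddress.IPv6Address, p: CGAParams) -> bool:
    """RFC 3972 section 5 check: does this parameter block bind the key to the address?"""
    packed = address.packed
    if p.collision_count > 2 or p.subnet_prefix != packed[:8]:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5                      # Sec is read back from the address itself
    h1 = hash1(p)
    # Compare Hash1 with the interface ID, ignoring bits 0-2 and 6-7 of the first octet.
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    return hash2_satisfies_sec(hash2(p), sec)


if __name__ == "__main__":
    addr, params = generate_cga(EXAMPLE_PREFIX, SAMPLE_KEY, sec=1)
    print(addr, verify_cga(addr, params))
```

Note what the verifier does not do: it never sees a signature. CGA only proves that whoever chose the address knew the public key; SEND then signs the neighbour discovery message with the matching private key, and it is that signature, checked against the key in the parameter block, that ties the packet to the address. Sec raises the attacker's cost of finding a second key for an existing address by a factor of 2^(16*Sec) hashes, at the same cost to the legitimate generator.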
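The entropy argument in the last paragraph, worked through as an added example (not part of the original message and not DJBDNS code): a toy resolver that draws a fresh (source address, source port, query ID) triple for every query and accepts a reply only if all three match, the size of the guess space an off-path forger faces, and a Monte Carlo run over a deliberately tiny space to check the closed-form success probability. The ephemeral port range 1024-65535, the 16-bit query ID and the /64 address pool are assumptions chosen for illustration.

```python
import math
import random
from dataclasses import dataclass

# Spaces a DJB-style resolver draws from (assumed sizes for this example).
TXID_SPACE = 1 << 16          # 16-bit DNS query ID
PORT_SPACE = 65536 - 1024     # ephemeral ports 1024..65535


def guess_space_bits(n_source_addrs, n_ports=PORT_SPACE, n_txids=TXID_SPACE):
    """Bits an off-path attacker must guess to get one forged reply accepted."""
    return math.log2(n_source_addrs * n_ports * n_txids)


def blind_spoof_success(space_bits, forged_packets):
    """P(at least one of `forged_packets` uniformly random guesses hits the triple)."""
    p_single = 2.0 ** -space_bits
    return 1.0 - (1.0 - p_single) ** forged_packets


@dataclass(frozen=True)
class Pending:
    src_addr: int
    src_port: int
    txid: int
    qname: str


class Resolver:
    """Every query gets a fresh (address, port, ID) triple; a reply is accepted
    only if all three, plus the question, match an outstanding query."""

    def __init__(self, n_addrs, n_ports, n_txids, rng):
        self.n_addrs, self.n_ports, self.n_txids = n_addrs, n_ports, n_txids
        self.rng = rng
        self.pending = set()

    def send_query(self, qname):
        q = Pending(self.rng.randrange(self.n_addrs),   # source address from the aliased block
                    self.rng.randrange(self.n_ports),   # random local port
                    self.rng.randrange(self.n_txids),   # random query ID
                    qname)
        self.pending.add(q)
        return q

    def accept_reply(self, dst_addr, dst_port, txid, qname):
        q = Pending(dst_addr, dst_port, txid, qname)
        if q in self.pending:
            self.pending.remove(q)   # first matching reply wins, as in a real cache
            return True
        return False


def blind_attack(resolver, qname, budget, rng):
    """Off-path attacker: knows the question and the server, not the triple;
    sprays `budget` forged replies with uniformly random guesses."""
    for _ in range(budget):
        if resolver.accept_reply(rng.randrange(resolver.n_addrs),
                                 rng.randrange(resolver.n_ports),
                                 rng.randrange(resolver.n_txids), qname):
            return True
    return False


def simulate(n_addrs, n_ports, n_txids, budget, trials, seed=1):
    """Monte Carlo success rate; use a tiny space so the run is fast."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        r = Resolver(n_addrs, n_ports, n_txids, rng)
        r.send_query("example.com")
        if blind_attack(r, "example.com", budget, rng):
            wins += 1
    return wins / trials


if __name__ == "__main__":
    for addrs in (1, 1 << 64):
        bits = guess_space_bits(addrs)
        print(f"{addrs:>22} source addrs: {bits:5.1f} bits, "
              f"P(success | 10^6 forgeries) = {blind_spoof_success(bits, 10**6):.3g}")
    print("tiny-space simulation:", simulate(4, 16, 16, budget=64, trials=4000),
          "vs formula", round(blind_spoof_success(10, 64), 4))
```

The closed form assumes the forger guesses with replacement and has only one outstanding query to hit; the simulation matches it on a 10-bit space. The same model also shows why this is the "uninteresting" attack: adding source addresses only raises the cost of the blind guess, and does nothing against an attacker who can see the query or sit on the path.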