Subject: Re: we should enable RFC7217 by default
From: "Patrick M. Hausen"
To: Marek Zarychta
Cc: freebsd-current@freebsd.org
Date: Tue, 27 Jan 2026 22:08:14 +0100
Message-Id: <45359118-7492-457D-A9A0-CFA37EBA125B@hausen.com>
References: <9cda2fbc-b8fb-44d1-8c1f-88395d741af7@FreeBSD.org> <0f5fcd3d-b189-49f5-ac81-d4fb48d90a77@FreeBSD.org> <39a63487-ee9a-4792-a787-d476ae6f6a0c@plan-b.pwste.edu.pl>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

Hi!

> On 27.01.2026 at 21:55, Patrick M. Hausen wrote:
>
> Hi all,
>
> On 27.01.2026 at 21:46, Marek Zarychta wrote:
>
>> To narrow the impact, I suggest switching to the MAC address as the default key source instead of the interface name.
>
> If I read the relevant RFC correctly, the main argument for stable addresses in contrast to
> traditional EUI-64 is the narrowing of the search space in sweep scan attacks,
> because the OUIs which make up half of the order of magnitude are well known.
>
> Isn't that the case, too, if we start with the MAC address and the hash algorithm
> by which the final address is generated is public?

I was probably jumping to conclusions too quickly - interface names are also quite predictable.

So what kind of "real entropy" is intended to be brought into the hash? Host UUID probably?

Kind regards,
Patrick
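The RFC 7217 construction the quoted exchange argues about, as an added Python example that is not part of this thread or of FreeBSD's implementation: the interface identifier is a hash over the prefix, a per-interface value (interface name or MAC, both public), a DAD counter and a secret key, so the secret key is the only input an outsider cannot know. SHA-256 is one of the functions the RFC names for F(); the byte layout of the concatenated fields and the helper names are this example's own assumptions.

```python
import hashlib
import ipaddress
import os
import struct

# RFC 7217 section 5: RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
# SHA-256 is one of the PRFs the RFC names for F(); the byte layout used to
# concatenate the inputs below is this example's own choice, not a wire format.

RESERVED_IIDS = {0}  # subnet-router anycast; RFC 5453 lists further reserved IIDs


def generate_secret_key() -> bytes:
    """Random key of at least 128 bits, created once (install / first stack init) and kept."""
    return os.urandom(16)


def rfc7217_iid(prefix: str, net_iface: bytes, secret_key: bytes,
                network_id: bytes = b"", dad_counter: int = 0) -> int:
    """64-bit interface identifier, stable for a given (prefix, net_iface, key)."""
    if len(secret_key) < 16:
        raise ValueError("RFC 7217 requires a secret key of at least 128 bits")
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    while True:
        rid = hashlib.sha256(pfx + net_iface + network_id
                             + struct.pack(">I", dad_counter) + secret_key).digest()
        iid = int.from_bytes(rid[:8], "big")  # leftmost 64 bits of the RID
        if iid not in RESERVED_IIDS:
            return iid
        dad_counter += 1  # reserved IID (or a DAD failure): bump the counter and retry


def stable_address(prefix: str, net_iface: bytes, secret_key: bytes) -> str:
    """Full address: the /64 prefix with the RFC 7217 IID in the low 64 bits."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address)
                                     | rfc7217_iid(prefix, net_iface, secret_key)))


if __name__ == "__main__":
    # Constructed inputs: a documentation prefix and the two public Net_Iface
    # choices discussed in the thread (interface name vs. MAC address).
    key = generate_secret_key()
    for iface in (b"em0", bytes.fromhex("001122334455")):
        print(iface, stable_address("2001:db8:1::/64", iface, key))
```

Whichever public value is fed in as Net_Iface, the address stays fixed on one network, changes across networks, and cannot be derived from the public inputs and the known hash alone without the key, which is why the RFC wants that key random and at least 128 bits rather than something derivable like a host name.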