From the recommendations document:

> The assigned IPv6 address incorporates media access control (MAC) address information from the network interface and may allow for host identification via interface ID, network interface card, or host vendor.

How long has it been since NSA has looked at generally-available OSs with IPv6 support? IPv6 "Privacy Addresses" are a thing that's on-by-default everywhere (and a damn thorn in my side). SLAAC has been using an identifier that's a combination of a randomly-generated ID and the subnet that the address is being generated for, rather than the MAC address of the NIC, for address generation for ages. (This is yet another thing that I revert back to the old behavior.)

They go on to recommend disabling SLAAC and using only DHCPv6. Does NSA know something exploitable about common DHCPv6 implementations that we don't? ;)

> ...a dual stack DNS implementation may need to support both A and AAAA records.

It's weird to say "dual stack DNS implementation". DNS servers can store A and AAAA records, regardless of whether their host is doing "dual stack" addressing or not. (If yours cannot, then by golly, you fucked up when you wrote your DNS server.)
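The interface-ID concern quoted in the comment above, as an added example that is not part of the comment or the NSA document: a small Python audit that tells apart addresses whose interface ID is modified EUI-64 (and so embeds the NIC's MAC, making the host trackable across prefixes) from privacy-style addresses whose interface ID is random. The sample addresses and the MAC 00:1a:2b:3c:4d:5e are constructed for illustration.

```python
import ipaddress
from typing import Optional

def eui64_mac(addr: str) -> Optional[str]:
    """Return the MAC address embedded in a modified EUI-64 interface ID,
    or None when the interface ID is not MAC-derived (temporary/privacy
    addresses and RFC 7217 stable-privacy addresses look random here)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = interface ID
    # Modified EUI-64 splices 0xFFFE between the OUI half and the device half
    # of the 48-bit MAC; a random interface ID matches this only by chance.
    if iid[3:5] != b"\xff\xfe":
        return None
    # ...and inverts the universal/local bit (0x02) of the first octet, so
    # flip it back to recover the original MAC.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addrs):
    """Map each address to the MAC it exposes, or None if it exposes nothing."""
    return {a: eui64_mac(a) for a in addrs}

# Constructed sample of what `ip -6 addr` might list on one host.
SAMPLE = [
    "fe80::21a:2bff:fe3c:4d5e",            # link-local, EUI-64 from 00:1a:2b:3c:4d:5e
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",     # global, same MAC: trackable across prefixes
    "2001:db8:1:2:8c5e:1f0a:9b77:3d21",    # temporary (privacy) address, random IID
]

if __name__ == "__main__":
    for a, mac in audit(SAMPLE).items():
        print(f"{a:40} {'exposes MAC ' + mac if mac else 'no MAC in interface ID'}")
```

On Linux the kernel-side switches that decide which kind of interface ID SLAAC produces are the `net.ipv6.conf.<if>.addr_gen_mode` and `use_tempaddr` sysctls; the audit above checks the resulting addresses rather than the settings.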
Slightly off topic, but IPv6 is a massive security hole for regular consumers. NATs sucked when you were trying to connect to your favorite MMO, but that is because they created a default drop rule for all special inbound ports.

I was shocked to see that as soon as your ISP switched to IPv6, your host is now directly addressed. As a by-product of skipping NAT you are now relying on every machine having proper firewall settings. [UPDATE: or the router drops incoming IPv6 connections with its firewall]

Just think about how many Windows machines out there have Remote Desktop enabled but were only safe because they were not publicly accessible, or the hospital machines that are still running Windows XP. God help us.