On Feb 28, 2011, at 9:23 PM, Mark Newton wrote:
On 01/03/2011, at 1:23 AM, Brian Johnson wrote:
Can someone explain what exactly the security threat is?
If I see two IPv6 addresses which share the same 64-bit suffix, I can be reasonably certain that they both correspond to the same device because they'll both be generated by the same MAC address.
Your IPv6 address has thereby become a token I can use to track your whereabouts, which is the kind of thing that privacy advocates often find upsetting.
Correct.
RFC4941 should be (but generally isn't) enabled by default.
Incorrect.
Having said that, implementation of RFC4941 is lossy. On MacOS, long-held TCP sessions time out when a new privacy suffix is generated and the old one ages out. I'd have thought that a better outcome would be for old addresses to continue working until their refcount drops to zero.
I'm not sure addresses maintain a refcount in that way and it might not be so easy for the thing cleaning the address off the interface to find the open connections at the time. Also, since this probably happens in protected sections of the kernel, you probably want it to happen pretty quickly and adding baggage is anathema to speed.
The new attack vector which SLAAC with EUI64 creates is one of "trackability." I can't passively accumulate IPv4 logs which tell me which ISPs you've used, which cities you're in, which WiFi hotspots you've used, which companies you've worked at, which websites you've visited, etc.
True, you have to use a cookie or a JavaScript that reports the MAC address to do that. :p
I can accumulate logs which tell me which IP addresses have done those things, but I can't (for example) correlate them to your personal smartphone.
Unless...
I can with IPv6.
More accurate to say "It's easier with IPv6 and SLAAC."
That's new, and (to my mind) threatening. We've not even begun to consider the attack vectors that'll open up.
It's not new. It's not all that threatening. It's just easier. We've begun to consider it. That's why paranoid people do things like turning off cookies. I suspect you probably think browsers should ship with a default of "don't accept cookies", too.

Privacy addresses create quite a bit of ugliness and are a miscreant's wet dream. They're a MAC forwarding table DOS looking for a place to happen. They're probably a necessary evil for a limited subgroup of users, but, not something which should, generally, be enabled by default. Of course, because that's the case, Micr0$0ft has seen fit to do exactly that.

Owen
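The property the thread argues over, sketched as an audit a network operator could run over their own address logs to find hosts that still expose a stable SLAAC/EUI-64 identifier (that is, hosts not using RFC 4941 temporary addresses). This is an added example, not part of the original messages; the function names are hypothetical and the sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import defaultdict

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    Heuristic: SLAAC with EUI-64 inserts ff:fe in the middle of the 48-bit
    MAC and inverts the universal/local bit. A random (privacy) suffix can
    match ff:fe by chance, roughly 1 time in 65536.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def trackable_devices(addresses):
    """Map each recovered MAC to the /64 prefixes it appeared under,
    keeping only MACs seen under more than one prefix."""
    seen = defaultdict(set)
    for a in addresses:
        mac = eui64_mac(a)
        if mac is not None:
            seen[mac].add(str(ipaddress.ip_network(f"{a}/64", strict=False)))
    return {mac: sorted(p) for mac, p in seen.items() if len(p) > 1}

# Constructed sample log: one device on two networks, one privacy
# address, and one EUI-64 device seen on a single network.
SAMPLE = [
    "2001:db8:a:1:211:22ff:fe33:4455",
    "2001:db8:b:7:211:22ff:fe33:4455",
    "2001:db8:a:1:5c3e:91d2:7ab0:44f1",
    "2001:db8:a:1:a00:27ff:fe12:3456",
]

if __name__ == "__main__":
    for mac, prefixes in trackable_devices(SAMPLE).items():
        print(mac, "seen under", ", ".join(prefixes))
```

Hosts reported here keep the same 64-bit suffix across networks; hosts using RFC 4941 temporary addresses do not appear, because their suffix carries no MAC.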