On 01/03/2011, at 1:23 AM, Brian Johnson wrote:
> Can someone explain what exactly the security threat is?
If I see two IPv6 addresses which share the same 64 bit suffix, I can be reasonably certain that they both correspond to the same device because they'll both be generated by the same MAC address. Your IPv6 address has thereby become a token I can use to track your whereabouts, which is the kind of thing that privacy advocates often find upsetting. RFC4941 should be (but generally isn't) enabled by default. Having said that, implementation of RFC4941 is lossy. On MacOS, long-held TCP sessions time out when a new privacy suffix is generated and the old one ages out. I'd have thought that a better outcome would be for old addresses to continue working until their refcount drops to zero.
> If you are going to say that knowing the MAC address of the end device allows the "bad guy" to know what type of equipment you have and as such to attempt known compromises for said equipment, then please just don't reply. :)
It's not about that; there are already plenty of other attack vectors that can be used to find out someone's IP address, such as web-bugs, logfiles behind phishing and malware distribution websites, etc. The new attack vector which SLAAC with EUI64 creates is one of "trackability." I can't passively accumulate IPv4 logs which tell me which ISPs you've used, which cities you're in, which WiFi hotspots you've used, which companies you've worked at, which websites you've visited, etc. I can accumulate logs which tell me which IP addresses have done those things, but I can't (for example) correlate them to your personal smartphone. I can with IPv6. That's new, and (to my mind) threatening. We've not even begun to consider the attack vectors that'll open up.

  - mark

--
Mark Newton                               Email:  newton@internode.com.au (W)
Network Engineer                          Email:  newton@atdot.dotat.org  (H)
Internode Pty Ltd                         Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
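The trackability Mark describes comes from the EUI-64 interface identifier: the 48-bit MAC with 0xFFFE inserted in the middle and the universal/local bit flipped. The following is an added example (not from the thread) that an operator can run over their own hosts' addresses to audit whether SLAAC addresses still carry this identifier, i.e. whether RFC 4941 privacy extensions are actually in effect; the addresses and MAC below are constructed sample values.

```python
import ipaddress


def eui64_mac(addr: str):
    """Return the MAC embedded in an EUI-64 interface identifier, or None.

    EUI-64 IID layout: MAC[0:3] ^ 0x02 on the first octet, then 0xFFFE,
    then MAC[3:6].  We only key on the 0xFFFE marker; a randomly generated
    RFC 4941 IID matches it by chance 1 time in 65536, so treat a hit as
    "very likely EUI-64", not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                           # undo the u/l bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def group_by_iid(addrs):
    """Group addresses by 64-bit suffix.

    Addresses seen on different prefixes (home, office, hotspot) that share
    a suffix are the same device; this is exactly the correlation the thread
    warns about, and the reason to check your own hosts for it.
    """
    groups = {}
    for a in addrs:
        iid = ipaddress.IPv6Address(a).packed[8:].hex()
        groups.setdefault(iid, []).append(a)
    return groups


def audit(addrs):
    """Map each address to its embedded MAC (trackable) or None (privacy IID)."""
    return {a: eui64_mac(a) for a in addrs}


# Constructed sample: one MAC (00:1b:63:84:45:e6) seen on two prefixes,
# plus one RFC 4941 temporary address with a random IID.
SAMPLE_ADDRS = [
    "2001:db8:1::21b:63ff:fe84:45e6",   # "home" prefix, EUI-64 IID
    "2001:db8:2::21b:63ff:fe84:45e6",   # "hotspot" prefix, same IID
    "2001:db8:1::3a7c:9e12:5b40:d8f1",  # privacy (random) IID
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_ADDRS).items():
        print(addr, "->", "EUI-64, MAC " + mac if mac else "privacy IID")
```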