IPv6 Interview Questions and critic
Hi:

I'm doing an article on IPv6 and am looking for comments - here is a portion on IPv6 which relates to the privacy issue ... any comments, critics or interviews welcomed.

-- snip

As you know IPv6 is a suite of protocols for the network layer of the Internet which uses IPv4 gateways. Its purpose is to expand address space. At this time IPv6 comes prepackaged with all popular operating systems. This includes all flavours of Unix, Windows and Mac OS.

IPv6 is designed to solve many of the problems of the current version of IPv4 with regard to address depletion. The goal is to use IPv6 to expand the capabilities of the Internet to enable a variety of valuable peer-to-peer and mobile applications. According to many industry pundits it is the future of networking.

However IPv6 has many privacy issues. IPv6 address space uses an ID (identifier) derived from your hardware or phone. "That allows your packets to be traced back to your PC or cell-phone" said <censored>. <censored> fears abuse as a hardware ID wired into the IPv6 protocol can be used to determine the manufacturer, make and model number, and value of the hardware equipment being used by the end user.

IPv6 empowers the business community by providing a means of identifying and tracking users. Under IPv6 users can be tracked and income demographics determined through hardware identification.

Many members of the networking community have addressed concerns that the technology could result in potential abuse and <censored> warns users to think twice before they buy themselves a used laptop computer and inherit all the prior surfing history of the previous user.

IPv6 uses 128 bits to provide addressing, routing and identification information on a computer. The 128 bits are divided into the left 64 and the right 64. IPv6 uses the right 64 bits to store an IEEE-defined global identifier (EUI64). This identifier is composed of a company id value assigned to a manufacturer by the IEEE Registration Authority. The 64-bit identifier is a concatenation of the 24-bit company_id value and a 40-bit extension identifier assigned by the organization with that company_id assignment. The 48-bit MAC address of your network interface card is also used to make up the EUI64.

-- snip

Cheers
Joe Baptista

-- Planet Communications & Computing Facility a division of The dot.GOD Registry, Limited
ooh how exciting, you can tell who uses 3Com network cards :) Most networks eg P2P will use /127 and not use MAC anyway so I can't see this being a privacy issue on anything but end devices and you can override if you feel the need... On end devices by default yes it uses MAC, I can't see why this would be a real security hole.. vulnerabilities exist in the OS/Apps not the hardware. For the paranoid there's no reason why you can't manually assign the full IPv6 address anyhow, the use of MACs is only there to provide convenience so users don't need to configure their networks. NMAP fingerprinting is of far more interest than what NIC vendor whitehouse.gov uses (unless you're doing market research on NIC cards I guess ;)

Steve

On Tue, 27 Aug 2002, Joe Baptista wrote:
Hi:
I'm doing an article on IPv6 and am looking for comments - here is a portion on IPv6 which relates to the privacy issue ... any comments, critics or interviews welcomed.
-- snip As you know IPv6 is a suite of protocols for the network layer of the Internet which uses IPv4 gateways. Its purpose is to expand address space. At this time IPv6 comes prepackaged with all popular operating systems. This includes all flavours of Unix, Windows and Mac OS.
IPv6 is designed to solve many of the problems of the current version of IPv4 with regard to address depletion. The goal is to use IPv6 to expand the capabilities of the Internet to enable a variety of valuable peer-to-peer and mobile applications. According to many industry pundits it is the future of networking.
However IPv6 has many privacy issues. IPv6 address space uses an ID (identifier) derived from your hardware or phone. "That allows your packets to be traced back to your PC or cell-phone" said <censored>. <censored> fears abuse as a hardware ID wired into the IPv6 protocol can be used to determine the manufacturer, make and model number, and value of the hardware equipment being used by the end user.
IPv6 empowers the business community by providing a means of identifying and tracking users. Under IPv6 users can be tracked and income demographics determined through hardware identification.
Many members of the networking community have addressed concerns that the technology could result in potential abuse and <censored> warns users to think twice before they buy themselves a used laptop computer and inherit all the prior surfing history of the previous user.
IPv6 uses 128 bits to provide addressing, routing and identification information on a computer. The 128 bits are divided into the left 64 and the right 64. IPv6 uses the right 64 bits to store an IEEE-defined global identifier (EUI64). This identifier is composed of a company id value assigned to a manufacturer by the IEEE Registration Authority. The 64-bit identifier is a concatenation of the 24-bit company_id value and a 40-bit extension identifier assigned by the organization with that company_id assignment. The 48-bit MAC address of your network interface card is also used to make up the EUI64. -- snip
Cheers Joe Baptista
-- Planet Communications & Computing Facility a division of The dot.GOD Registry, Limited
----- Original Message ----- From: "Joe Baptista" <baptista@dot-god.com> To: <nanog@merit.edu> Sent: Tuesday, August 27, 2002 09:41 Subject: IPv6 Interview Questions and critic
Hi:
I'm doing an article on IPv6 and am looking for comments - here is a portion on IPv6 which relates to the privacy issue ... any comments, critics or interviews welcomed.
-- snip As you know IPv6 is a suite of protocols for the network layer of the Internet which uses IPv4 gateways. Its purpose is to expand address space. At this time IPv6 comes prepackaged with all popular operating systems. This includes all flavours of Unix, Windows and Mac OS.
Windows? I don't think so, not yet anyways
IPv6 is designed to solve many of the problems of the current version of IPv4 with regard to address depletion. The goal is to use IPv6 to expand the capabilities of the Internet to enable a variety of valuable peer-to-peer and mobile applications. According to many industry pundits it is the future of networking.
However IPv6 has many privacy issues. IPv6 address space uses an ID (identifier) derived from your hardware or phone.
Hmm - if you mean that there will now be enough addresses to assign each device its own IP6 Address - then yah. Other than that, how is it "derived" from the hardware?
IPv6 empowers the business community by providing a means of identifying and tracking users. Under IPv6 users can be tracked and income demographics determined through hardware identification.
Many members of the networking community have addressed concerns that the technology could result in potential abuse and <censored> warns users to think twice before they buy themselves a used laptop computer and inherit all the prior surfing history of the previous user.
Hmm - again, I would be upset if I wasn't able to CHANGE the IP6 addy because this would be true.
From: "John Palmer" <nanog@adns.net> Date: Tue, 27 Aug 2002 09:52:01 -0500 Sender: owner-nanog@merit.edu
----- Original Message ----- From: "Joe Baptista" <baptista@dot-god.com> To: <nanog@merit.edu> Sent: Tuesday, August 27, 2002 09:41 Subject: IPv6 Interview Questions and critic
Hi:
I'm doing an article on IPv6 and am looking for comments - here is a portion on IPv6 which relates to the privacy issue ... any comments, critics or interviews welcomed.
-- snip As you know IPv6 is a suite of protocols for the network layer of the Internet which uses IPv4 gateways. Its purpose is to expand address space. At this time IPv6 comes prepackaged with all popular operating systems. This includes all flavours of Unix, Windows and Mac OS.
Windows? I don't think so, not yet anyways
Yes, Windows. Today. Now. But you must explicitly enable it at this time. I have been told that it will come enabled with Windows XP SP2. I don't know exactly when SP2 is scheduled for release.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
Kevin Oberman wrote:
Yes, Windows. Today. Now. But you must explicitly enable it at this time.
The one that ships with Win XP is quite seriously broken in its resolver behaviour (you'll not be able to reach many IPv4 WWW sites after enabling it) and additionally none of the Windows services, which would make it useful within a corporate network, are IPv6 enabled.
I have been told that it will come enabled sith Windows XP SP2. I don't know exactly when SP2 is scheduled for release.
It would be nice if at that point one could get away with IPv6-only intranet with IPv4 proxy/NAT to the outside. But I don't see that happening with the rate of progress Windows has got anytime soon. Pete
Joe,
IPv6 uses 128 bits to provide addressing, routing and identification information on a computer. The 128 bits are divided into the left 64 and the right 64. IPv6 uses the right 64 bits to store an IEEE-defined global identifier (EUI64). This identifier is composed of a company id value assigned to a manufacturer by the IEEE Registration Authority. The 64-bit identifier is a concatenation of the 24-bit company_id value and a 40-bit extension identifier assigned by the organization with that company_id assignment. The 48-bit MAC address of your network interface card is also used to make up the EUI64.
I'm definitely not an expert, but my understanding is that the left 64 bits are structured as an EUI64 "address" but are not REQUIRED to be your system's MAC address. By default, your system may choose to populate the bits with your MAC, but your system could also choose to populate it with something else. This gets around privacy issues (i.e. CNN being able to track my travel habits by watching their web server access logs) but it does pose some interesting issues for filtering at an Enterprise which wants to give certain levels of access to certain people. You might want to pose your question to one of the IPv6 mailing lists - either 6bone@ISI.EDU or users@ipv6.org.

Eric :)
Date: Tue, 27 Aug 2002 10:41:08 -0400 (EDT) From: Joe Baptista <baptista@dot-god.com> Sender: owner-nanog@merit.edu
Hi:
I'm doing an article on IPv6 and am looking for comments - here is a portion on IPv6 which relates to the privacy issue ... any comments, critics or interviews welcomed.
-- snip As you know IPv6 is a suite of protocols for the network layer of the Internet which uses IPv4 gateways. Its purpose is to expand address space. At this time IPv6 comes prepackaged with all popular operating systems. This includes all flavours of Unix, Windows and Mac OS.
IPv6 is designed to solve many of the problems of the current version of IPv4 with regard to address depletion. The goal is to use IPv6 to expand the capabilities of the Internet to enable a variety of valuable peer-to-peer and mobile applications. According to many industry pundits it is the future of networking.
However IPv6 has many privacy issues. IPv6 address space uses an ID (identifier) derived from your hardware or phone. "That allows your packets to be traced back to your PC or cell-phone" said <censored>. <censored> fears abuse as a hardware ID wired into the IPv6 protocol can be used to determine the manufacturer, make and model number, and value of the hardware equipment being used by the end user.
IPv6 empowers the business community by providing a means of identifying and tracking users. Under IPv6 users can be tracked and income demographics determined through hardware identification.
Many members of the networking community have addressed concerns that the technology could result in potential abuse and <censored> warns users to think twice before they buy themselves a used laptop computer and inherit all the prior surfing history of the previous user.
IPv6 uses 128 bits to provide addressing, routing and identification information on a computer. The 128 bits are divided into the left 64 and the right 64. IPv6 uses the right 64 bits to store an IEEE-defined global identifier (EUI64). This identifier is composed of a company id value assigned to a manufacturer by the IEEE Registration Authority. The 64-bit identifier is a concatenation of the 24-bit company_id value and a 40-bit extension identifier assigned by the organization with that company_id assignment. The 48-bit MAC address of your network interface card is also used to make up the EUI64. -- snip
This is really pretty silly. Only end nodes will auto-configure with the MAC address used for 48 bits of the IPv6 address. Exactly how this is a serious privacy issue continues to elude me, but I suppose that the paranoid may want to change it to something else. (And change it on an hourly basis, if they are REALLY paranoid.) Nothing mandates the contents of the lower 64 bits of the IPv6 address. The use of the MAC address is a simple convenience so that you can just plug in an IPv6 system and run without need for a DHCP server or any manual configuration. If you want to override the MAC address portion, it's your business. God help us all if someone discovers that I use both Intel and 3Com cards! (Not to mention Agere on occasion.)

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
"Kevin" == Kevin Oberman <oberman@es.net> writes:
Kevin> This is really pretty silly.

Not really, Joe may actually have a point here.

Kevin> Only end nodes will auto-configure with the MAC address
Kevin> used for 48 bits of the IPv6 address. Exactly how this is a
Kevin> serious privacy issue continues to elude me, but I suppose
Kevin> that the paranoid may want to change it to something
Kevin> else. (And change it on an hourly basis, if they are REALLY
Kevin> paranoid.)

The reason for EUI64 is to provide a sensible default for the end system address. Yes it is possible for anyone with sufficient motivation to use something else, but the vast majority of users will just plug in their laptops and get an address.

What information can be reconstructed from this? For a mobile user, you could construct a list of the providers and POPs that they tend to use. This means that when I use google, they can easily tell that I live in abc neighborhood and work at xyz company and tend to spend time surfing the web at my friend's place across town. That is, you can infer patterns of physical movement of the device and the user.

The worry is not so much about the people with the technical savvy to randomize their addresses, but about everybody else that is not even aware that they're making themselves and their movements conveniently identifiable.

Don't credit cards and cell phones do the same thing? Yes, it is the same problem. But in those cases, at least there are more barriers to getting at and using the information... In theory...

Kevin> God help us all if someone discovers that I use both Intel and
Kevin> 3Com cards! (Not to mention Agere on occasion.)

Just wait until you start getting targeted advertising from Realtek! ;)

-w
On Tuesday, August 27, 2002, at 10:41 AM, Joe Baptista wrote:
IPv6 uses 128 bits to provide addressing, routing and identification information on a computer. The 128 bits are divided into the left 64 and the right 64. IPv6 uses the right 64 bits to store an IEEE-defined global identifier (EUI64). This identifier is composed of a company id value assigned to a manufacturer by the IEEE Registration Authority. The 64-bit identifier is a concatenation of the 24-bit company_id value and a 40-bit extension identifier assigned by the organization with that company_id assignment. The 48-bit MAC address of your network interface card is also used to make up the EUI64.
Since it is so easy for a host (relative to IPv4) to have multiple IP addresses, I like what Microsoft has done. If told by a router, a Win XP box will assign itself a global unicast address using EUI-64. It will also create a global unicast anonymous address. This will not be tied to the hardware, and the OS will also limit how long it uses that address before deprecating that address and creating a new preferred anonymous address. I can see servers using the EUI-64 address, while clients use the anonymous address. It will allow servers to narrow down who is accessing their servers to a 64 bit subnet. That will be good enough for most statistics, but will make it more difficult to do the scarier tracking of users. I have noticed that the Linux and Mac OS X IPv6 implementations do not create the private addresses automatically.

Peter Hill
Network Engineer
Carnegie Mellon University
On Tue, 27 Aug 2002 14:43:38 -0400 Peter John Hill <peterjhill@cmu.edu> wrote:
On Tuesday, August 27, 2002, at 10:41 AM, Joe Baptista wrote:
IPv6 uses 128 bits to provide addressing, routing and identification information on a computer. The 128 bits are divided into the left 64 and the right 64. IPv6 uses the right 64 bits to store an IEEE-defined global identifier (EUI64). This identifier is composed of a company id value assigned to a manufacturer by the IEEE Registration Authority. The 64-bit identifier is a concatenation of the 24-bit company_id value and a 40-bit extension identifier assigned by the organization with that company_id assignment. The 48-bit MAC address of your network interface card is also used to make up the EUI64.
Since it is so easy for a host (relative to IPv4) to have multiple IP addresses, I like what Microsoft has done. If told by a router, a Win XP box will assign itself a global unicast address using EUI-64. It will also create a global unicast anonymous address. This will not be tied to the hardware, and the OS will also limit how long it uses that
Wasn't this described in an Internet draft? Do you know what the status is - I cannot seem to find it.

Marshall
address before deprecating that address and creating a new preferred anonymous address. I can see servers using the EUI-64 address, while clients use the anonymous address. It will allow servers to narrow down who is accessing their servers to a 64 bit subnet. That will be good enough for most statistics, but will make it more difficult to do the scarier tracking of users.
I have noticed that the Linux and Mac OS X IPv6 implementations do not create the private addresses automatically.

Peter Hill
Network Engineer
Carnegie Mellon University
On Tue, 27 Aug 2002, Marshall Eubanks wrote:
Since it is so easy for a host (relative to IPv4) to have multiple IP addresses, I like what Microsoft has done. If told by a router, a Win XP box will assign itself a global unicast address using EUI-64. It will also create a global unicast anonymous address. This will not be tied to the hardware, and the OS will also limit how long it uses that
Wasn't this described in an Internet draft? Do you know what the status is - I cannot seem to find it.
RFC 3041. There's also http://playground.sun.com/pub/ipng/html/specs/ipv6-address-privacy.html
On Tuesday, August 27, 2002, at 05:07 PM, Marshall Eubanks wrote:
On Tue, 27 Aug 2002 14:43:38 -0400 Peter John Hill <peterjhill@cmu.edu> wrote:
On Tuesday, August 27, 2002, at 10:41 AM, Joe Baptista wrote:
Since it is so easy for a host (relative to IPv4) to have multiple IP addresses, I like what Microsoft has done. If told by a router, a Win XP box will assign itself a global unicast address using EUI-64. It will also create a global unicast anonymous address. This will not be tied to the hardware, and the OS will also limit how long it uses that
Wasn't this described in an Internet draft? Do you know what the status is - I cannot seem to find it.
http://www.ietf.org/rfc/rfc3041.txt

Abstract

Nodes use IPv6 stateless address autoconfiguration to generate addresses without the necessity of a Dynamic Host Configuration Protocol (DHCP) server. Addresses are formed by combining network prefixes with an interface identifier. On interfaces that contain embedded IEEE Identifiers, the interface identifier is typically derived from it. On other interface types, the interface identifier is generated through other means, for example, via random number generation. This document describes an extension to IPv6 stateless address autoconfiguration for interfaces whose interface identifier is derived from an IEEE identifier. Use of the extension causes nodes to generate global-scope addresses from interface identifiers that change over time, even in cases where the interface contains an embedded IEEE identifier. Changing the interface identifier (and the global-scope addresses generated from it) over time makes it more difficult for eavesdroppers and other information collectors to identify when different addresses used in different transactions actually correspond to the same node.
address before deprecating that address and creating a new preferred anonymous address. I can see servers using the EUI-64 address, while clients use the anonymous address. It will allow servers to narrow down who is accessing their servers to a 64 bit subnet. That will be good enough for most statistics, but will make it more difficult to do the scarier tracking of users.
I have noticed that the Linux and Mac OS X IPv6 implementations do not create the private addresses automatically.

Peter Hill
Network Engineer
Carnegie Mellon University
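The RFC 3041 mechanism summarized in the abstract quoted above, together with the lifetime handling Peter describes for Windows XP, as an added example for this page (not code from the thread, from RFC 3041 itself or from any vendor's stack). `next_temporary_iid` is one round of the randomized interface identifier algorithm in RFC 3041 section 3.2: MD5 over the stored history value concatenated with the EUI-64-based identifier, the left 64 bits of the digest become the new identifier with the universal/local bit cleared, and the right 64 bits are kept as the history value for the next round. `TemporaryAddressManager` models a host that prefers one temporary address for new connections, deprecates it when its preferred lifetime runs out while keeping it valid for existing connections, and drops it once the valid lifetime has passed. The prefix 2001:db8::/64, the interface identifier 02:50:04:ff:fe:aa:bb:cc and the all-zero seed used in the usage section are constructed values.

```python
import hashlib
import ipaddress
import os

# Constructed sample values (not from the thread): an RFC 3849 documentation
# prefix and the modified EUI-64 identifier a host with MAC 00:50:04:aa:bb:cc
# would derive (02:50:04:ff:fe:aa:bb:cc).
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8::/64")
SAMPLE_EUI64_IID = bytes.fromhex("025004fffeaabbcc")


def next_temporary_iid(history, eui64_iid):
    """One round of the RFC 3041 randomized interface identifier algorithm.

    Returns (new_interface_identifier, new_history_value), both 8 bytes.
    """
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history value and interface identifier must be 8 bytes each")
    digest = hashlib.md5(history + eui64_iid).digest()
    # Leftmost 64 bits of the digest become the randomized identifier ...
    iid = bytearray(digest[:8])
    # ... with bit 6 (0x02 in the first octet, the universal/local bit of the
    # modified EUI-64 format) cleared, so the identifier is marked as locally
    # significant and can never equal a MAC-derived one.
    iid[0] &= 0xFD
    # Rightmost 64 bits are stored as the history value for the next round.
    return bytes(iid), digest[8:]


class TemporaryAddressManager:
    """Model of a host rotating temporary addresses: one preferred address for
    new connections, deprecated ones kept only until their valid lifetime ends."""

    def __init__(self, prefix, eui64_iid, preferred_lifetime, valid_lifetime, history=None):
        if valid_lifetime < preferred_lifetime:
            raise ValueError("valid lifetime must not be shorter than preferred lifetime")
        self.prefix = prefix
        self.eui64_iid = eui64_iid
        self.preferred_lifetime = preferred_lifetime
        self.valid_lifetime = valid_lifetime
        # RFC 3041 initialises the history value randomly; a caller may pass a
        # fixed one to make a run reproducible (as the usage below does).
        self.history = os.urandom(8) if history is None else history
        self.preferred = None  # (address, time created)
        self.deprecated = []   # [(address, time created), ...]

    def _address_from(self, iid):
        return ipaddress.IPv6Address(int(self.prefix.network_address) | int.from_bytes(iid, "big"))

    def current(self, now):
        """Preferred temporary address at time `now` (seconds); rotates it once
        the preferred lifetime has elapsed and expires stale deprecated ones."""
        if self.preferred is None or now - self.preferred[1] >= self.preferred_lifetime:
            if self.preferred is not None:
                self.deprecated.append(self.preferred)
            iid, self.history = next_temporary_iid(self.history, self.eui64_iid)
            self.preferred = (self._address_from(iid), now)
        # Deprecated addresses stay usable for existing connections until
        # their valid lifetime also runs out.
        self.deprecated = [d for d in self.deprecated if now - d[1] < self.valid_lifetime]
        return self.preferred[0]

    def valid_addresses(self, now):
        """All temporary addresses still usable at `now`, preferred one first."""
        preferred = self.current(now)
        return [preferred] + [addr for addr, _ in self.deprecated]


if __name__ == "__main__":
    host = TemporaryAddressManager(SAMPLE_PREFIX, SAMPLE_EUI64_IID,
                                   preferred_lifetime=24 * 3600,
                                   valid_lifetime=7 * 24 * 3600,
                                   history=bytes(8))
    for day in range(3):
        print(f"day {day}: preferred {host.current(day * 24 * 3600)}")
    print("still valid on day 2:", [str(a) for a in host.valid_addresses(2 * 24 * 3600)])
```

Because the universal/local bit is cleared and the FF FE marker is gone, none of the generated identifiers can be mistaken for, or reversed into, a MAC address; what a server can still see is the /64 the host sits in, which is exactly the granularity Peter says is good enough for statistics but not for tracking an individual machine.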
participants (10)
- Eric Gauthier
- Iljitsch van Beijnum
- Joe Baptista
- John Palmer
- Kevin Oberman
- Marshall Eubanks
- Peter John Hill
- Petri Helenius
- Stephen J. Wilcox
- William Waites