Mac OS X 10.7, still no DHCPv6

Owen DeLong owen at delong.com
Tue Mar 1 01:34:27 CST 2011


On Feb 28, 2011, at 9:23 PM, Mark Newton wrote:

> 
> On 01/03/2011, at 1:23 AM, Brian Johnson wrote:
> 
>> Can someone explain what exactly the security threat is?
> 
> 
> If I see two IPv6 addresses which share the same 64 bit suffix,
> I can be reasonably certain that they both correspond to the same
> device because they'll both be generated by the same MAC address.
> 
> Your IPv6 address has thereby become a token I can use to track
> your whereabouts, which is the kind of thing that privacy advocates
> often find upsetting.
> 
Correct.

> RFC4941 should be (but generally isn't) enabled by default.
> 
Incorrect.

> Having said that, implementation of RFC4941 is lossy.  On MacOS,
> long-held TCP sessions time-out when a new privacy suffix is 
> generated and the old one ages out.  I'd have thought that a
> better outcome would be for old addresses to continue working
> until their refcount drops to zero.
> 
I'm not sure addresses maintain a refcount in that way and it might
not be so easy for the thing cleaning the address off the interface
to find the open connections at the time. Also, since this probably
happens in protected sections of the kernel, you probably want it
to happen pretty quickly and adding baggage is anathema to
speed.
> 
> The new attack vector which SLAAC with EUI64 creates is one of
> "trackability."  I can't passively accumulate IPv4 logs which tell me
> which ISPs you've used, which cities you're in, which WiFi hotspots
> you've used, which companies you've worked at, which websites you've
> visited, etc.
> 
True, you have to use a cookie or a Javascript that reports the Mac
Address to do that. :p

> I can accumulate logs which tell me which IP addresses have done those
> things, but I can't (for example) correlate them to your personal 
> smartphone.
> 
Unless...

> I can with IPv6.
> 
More accurate to say "It's easier with IPv6 and SLAAC."

> That's new, and (to my mind) threatening.  We've not even begun to 
> consider the attack vectors that'll open up.
> 
It's not new. It's not all that threatening. It's just easier.

We've begun to consider it. That's why paranoid people do things like
turning off cookies. I suspect you probably think browsers should ship
with a default of "don't accept cookies", too.

Privacy addresses create quite a bit of ugliness and are a miscreants
wet dream. They're a MAC forwarding table DOS looking for a place
to happen. They're probably a necessary evil for a limited subgroup
of users, but, not something which should, generally, be enabled by
default.

Of course, because that's the case, Micr0$0ft has seen fit to do exactly
that.

Owen





More information about the NANOG mailing list