Mac OS X 10.7, still no DHCPv6

Mark Newton newton at internode.com.au
Tue Mar 1 05:23:47 UTC 2011


On 01/03/2011, at 1:23 AM, Brian Johnson wrote:

> Can someone explain what exactly the security threat is?


If I see two IPv6 addresses which share the same 64 bit suffix,
I can be reasonably certain that they both correspond to the same
device because they'll both be generated by the same MAC address.

Your IPv6 address has thereby become a token I can use to track
your whereabouts, which is the kind of thing that privacy advocates
often find upsetting.

RFC4941 should be (but generally isn't) enabled by default.

Having said that, implementation of RFC4941 is lossy.  On MacOS,
long-held TCP sessions time out when a new privacy suffix is
generated and the old one ages out.  I'd have thought that a
better outcome would be for old addresses to continue working
until their refcount drops to zero.

> If you are going to say that knowing the MAC address of the end device allows the "bad guy" to know what type of equipment you have and as such to attempt known compromises for said equipment, then please just don't reply. :)

It's not about that;  there are already plenty of other attack vectors
that can be used to find out someone's IP address, such as web-bugs, 
logfiles behind phishing and malware distribution websites, etc.

The new attack vector which SLAAC with EUI64 creates is one of
"trackability."  I can't passively accumulate IPv4 logs which tell me
which ISPs you've used, which cities you're in, which WiFi hotspots
you've used, which companies you've worked at, which websites you've
visited, etc.

I can accumulate logs which tell me which IP addresses have done those
things, but I can't (for example) correlate them to your personal 
smartphone.

I can with IPv6.

That's new, and (to my mind) threatening.  We've not even begun to 
consider the attack vectors that'll open up.

  - mark

--
Mark Newton                               Email:  newton at internode.com.au (W)
Network Engineer                          Email:  newton at atdot.dotat.org  (H)
Internode Pty Ltd                         Desk:   +61-8-82282999
"Network Man" - Anagram of "Mark Newton"  Mobile: +61-416-202-223
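The correlation Mark describes, as an added example that is not part of the original thread: a modified EUI-64 interface identifier carries the constant 0xfffe in its middle and the MAC with its universal/local bit flipped, so two addresses under different prefixes can be tied to one device by recovering that MAC. A defender can run the same check over their own logs to find hosts that have not enabled RFC 4941 temporary addresses. The sample addresses below are constructed (documentation prefix 2001:db8::/32, made-up MAC).

```python
import ipaddress

# Constructed sample: two EUI-64 addresses for the same NIC seen behind two
# different prefixes, plus one RFC 4941 style random (temporary) address.
SAMPLE_ADDRS = [
    "2001:db8:1::21c:42ff:fe2b:605a",           # home ISP prefix, EUI-64
    "2001:db8:abcd:2:21c:42ff:fe2b:605a",       # office prefix, same NIC
    "2001:db8:1::a4f3:9c1e:7b2d:f88",           # temporary address, random IID
]


def interface_id(addr: str) -> int:
    """Return the low 64 bits (interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def eui64_to_mac(iid: int):
    """Recover the MAC behind a modified EUI-64 interface identifier.

    Returns None when the identifier does not have the EUI-64 shape, which is
    what an RFC 4941 temporary address or a hand-assigned address looks like.
    """
    # Octets 3 and 4 of the identifier must be the fixed ff:fe filler.
    if (iid >> 24) & 0xFFFF != 0xFFFE:
        return None
    b = iid.to_bytes(8, "big")
    # Undo the U/L bit inversion (bit 0x02 of the first octet) and drop ff:fe.
    octets = bytes([b[0] ^ 0x02, b[1], b[2], b[5], b[6], b[7]])
    return ":".join(f"{o:02x}" for o in octets)


def correlate(addrs):
    """Group addresses by the MAC embedded in their interface identifier.

    Addresses that leak a MAC end up in the same bucket regardless of prefix;
    addresses with non-EUI-64 identifiers are collected under None.
    """
    groups = {}
    for a in addrs:
        groups.setdefault(eui64_to_mac(interface_id(a)), []).append(a)
    return groups


if __name__ == "__main__":
    for mac, addrs in correlate(SAMPLE_ADDRS).items():
        label = mac if mac else "no MAC exposed (privacy address)"
        print(f"{label}: {addrs}")
```

Any bucket keyed by a real MAC is a host whose address is trackable across networks; the fix on the host side is enabling RFC 4941 temporary addresses.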