Windows 11 now implements RFC 7217 (stable privacy addresses)!

Douglas Fischer fischerdouglas at gmail.com
Tue Dec 13 10:48:09 UTC 2022


Good news!
Good perspectives for the future...

But this thread reminded me about RFC 3021 and Windows... Since December
2000.

https://social.technet.microsoft.com/Forums/en-US/6da37a2d-6884-4c3c-bdd5-1b8356edfced/windows-102019-non-compliant-with-rfc-3021-ipv4-31-subnet-mask?forum=winserverPN

On Tue, Dec 13, 2022 at 03:45, Fernando Gont <fgont at si6networks.com>
wrote:

> Folks,
>
> After over 10 (yes, *ten*) years, we have finally addressed
> security/privacy issues in the generation of IPv6 stable addresses in
> most popular operating systems.
>
> The traditional scheme/algorithm to generate stable IPv6 addresses with
> SLAAC required that the underlying MAC address be employed to generate
> the Interface Identifier. That is, the underlying MAC address would be
> embedded in the lower bits of an IPv6 address.
>
> This scheme allowed for host-tracking (since MAC addresses are usually
> globally-unique), address scanning (since addresses will follow specific
> patterns) and a number of other issues.
>
> In 2011, I submitted an IETF Internet-Draft proposing a scheme for
> generating stable addresses with SLAAC, meant to replace the traditional
> scheme. The scheme could be summarised and simplified as: Interface_ID =
> Hash(Prefix, Secret). Thus, interface identifiers would be stable within
> the same subnet, but vary across subnets.
>
> [Replacing the traditional scheme with this new scheme was anything but
> easy -- if you're curious, please check the "IPv6 Addressing" section in
> <https://www.si6networks.com/2020/08/06/a-brief-history-of-recent-advances-in-ipv6-security-part-i/>]
>
> Over time, popular operating systems and packages adopted the proposed
> algorithm: the Linux kernel, NetworkManager, OpenBSD's slaacd, MacOS,
> etc. Eventually, virtually every popular OS had adopted the scheme....
> except Windows.
>
> Based on a recent note by Brian Carpenter, I ended up testing Windows
> 11, and I can confirm that it does implement RFC 7217 / RFC 8064!
>
> Therefore, e.g. if multiple prefixes are employed on a subnet, the
> stable addresses for each of such prefixes will employ a different
> Interface Identifier, thus avoiding the security/privacy issues
> discussed above -- this is really good news!
>
> Unfortunately, Windows still generates temporary addresses with the
> algorithm specified in RFC 4941, thus resulting in all temporary
> addresses for a given interface employing the same Interface Identifier
> (!). This problem has been addressed in RFC 8981... but it's
> implementation is not yet widespread, yet (it has been incoporated in
> e.g. the Linux kernel, though).
>
> I just hope it doesn't take Windows and others yet another 10+ years to
> implement RFC 8981, to finally address the remaining security/privacy
> issues in IPv6 address generation!
>
> [Original article with screenshots:
>
> https://www.linkedin.com/posts/fernandogont_after-over-10-yes-ten-years-we-have-activity-7008316664207290368-Wcto
> ]
>
> Thanks!
>
> Regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>
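A worked illustration of the three address-generation behaviours the quoted message compares: the traditional MAC-derived IID that stays the same on every subnet, the RFC 7217 stable IID that is fixed per prefix but differs across prefixes, and the temporary-address difference between RFC 4941 (one IID shared by every prefix on the interface) and RFC 8981 (one per prefix). This is an added example written for this page; it is not code from either poster, from the RFCs, or from any operating system's stack. The PRF choice (HMAC-SHA256 for F), the function names, the MAC address and the secret key are all assumptions or constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import secrets

# RFC 5453 reserved IIDs that RFC 7217 (step 3) says a generated IID must avoid.
# Subset used here: subnet-router anycast and the reserved subnet-anycast block.
RESERVED_IID_RANGES = (
    (0x0000000000000000, 0x0000000000000000),
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),
)
IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Traditional modified-EUI-64 IID: the MAC split around ff:fe with the
    universal/local bit of the first octet inverted. Identical on every subnet,
    which is what makes host tracking and pattern-based scanning possible."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def stable_iid(prefix: str, net_iface: str, secret_key: bytes,
               network_id: bytes = b"", dad_counter: int = 0) -> int:
    """RFC 7217 stable IID: F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
    F is HMAC-SHA256 here (an assumption; RFC 7217 leaves the PRF to the implementer).
    Stable for a given prefix, different for every other prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC IIDs are 64 bits; a /64 prefix is required")
    while True:
        msg = (net.network_address.packed[:8]      # the 64-bit prefix
               + net_iface.encode()                # interface name or index
               + network_id                        # e.g. an SSID; may be empty
               + dad_counter.to_bytes(4, "big"))
        rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
        iid = int.from_bytes(rid[:8], "big")      # take 64 bits of the RID
        if not any(lo <= iid <= hi for lo, hi in RESERVED_IID_RANGES):
            return iid
        dad_counter += 1  # reserved (or, in a real stack, DAD-failed): retry


def temporary_iids(prefixes, per_prefix: bool) -> dict:
    """Temporary-address IIDs for several on-link prefixes.
    per_prefix=False mirrors the RFC 4941 behaviour the message describes: one
    random IID reused for every prefix on the interface, so the addresses correlate.
    per_prefix=True mirrors RFC 8981: an independent random IID for each prefix."""
    shared = secrets.randbits(64)
    return {p: (secrets.randbits(64) if per_prefix else shared) for p in prefixes}


def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


def share_iid(a, b) -> bool:
    """The correlation check: do two addresses carry the same low-order 64 bits?"""
    return (int(ipaddress.IPv6Address(a)) & IID_MASK) == \
           (int(ipaddress.IPv6Address(b)) & IID_MASK)


def demo() -> dict:
    """Constructed sample: one host seen on two /64s (e.g. home and office)."""
    secret = b"constructed-example-secret-key-not-for-real-use"   # constructed
    mac = "00:11:22:33:44:55"                                     # constructed
    home, office = "2001:db8:1::/64", "2001:db8:2::/64"           # documentation prefixes
    old_home = make_address(home, eui64_iid(mac))
    old_office = make_address(office, eui64_iid(mac))
    new_home = make_address(home, stable_iid(home, "eth0", secret))
    new_home_again = make_address(home, stable_iid(home, "eth0", secret))
    new_office = make_address(office, stable_iid(office, "eth0", secret))
    return {
        "eui64_trackable_across_prefixes": share_iid(old_home, old_office),
        "stable_within_prefix": new_home == new_home_again,
        "stable_differs_across_prefixes": not share_iid(new_home, new_office),
        "rfc4941_temporary_correlate": len(set(temporary_iids([home, office], False).values())) == 1,
        "rfc8981_temporary_independent": len(set(temporary_iids([home, office], True).values())) == 2,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The retry loop is the part worth noticing: RFC 7217 handles a reserved or DAD-conflicting result by bumping DAD_Counter and recomputing, so a stack keeps its stable address without falling back to a MAC-derived one; the same loop is where a real implementation would also persist the counter across reboots.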