Re: Comments on <draft-gont-6man-stable-privacy-addresses-01>

Fernando Gont <> Fri, 20 April 2012 17:47 UTC

Date: Fri, 20 Apr 2012 14:46:51 -0300
From: Fernando Gont <>
Organization: SI6 Networks
To: Bob Hinden <>
Subject: Re: Comments on <draft-gont-6man-stable-privacy-addresses-01>
Cc: IPv6 WG Mailing List <>

Hi, Bob,

On 04/20/2012 02:26 PM, Bob Hinden wrote:
>> For example, consider an attacker remotely-scanning the v6-enabled
>> IETF meeting network. He'd probably target:
>> * Apple's (Macs, iPads, iPhones)
>> * Dell's
>> * IBM's
>> * HP's
>> * Toshiba's
>> * Samsung's
> I agree, I would do that too :-)
> However, it also depends a lot on how many companies IDs each vendor
> has and how they allocate them to their devices.

Off the top of my head, they use OUIs mostly sequentially. So, e.g., the
first OUI assigned to, say, Apple, is unlikely to be in actual use nowadays.

That aside, scanning a network such as "the IETF meeting network" is
kind of "the worst case scenario", since there are heterogeneous
systems. In a typical organizational scenario, you have, at most, a few
providers (they make large purchases from the same vendor).

> For example, I looked at
> and did a search for Apple and found about 150 assigned company_id's.
> [Note: It's "about" because some companies have "Apple" in their
> address].

I will double-check... But most of the cases I checked didn't have more
than 10 OUIs or so.

> The IEEE page also says: "Firms and numbers listed may not
> always be obvious in product implementations, as some manufacturers
> subcontract component manufacture and others include registered firm
> OUIs in their products."

Yes, but as the idea develops, it wouldn't be hard to imagine an "OUI
matrix" document (or whatchamacallit :-) ) that maps vendors to OUIs in a
more precise way.

> The point I am trying to make here is that we should characterize the
> risk here accurately.  It's not as simple as get one company_id and
> then start scanning.

As far as I've checked, it can work pretty well that way. That said, as
noted by Ray, it's not that the lower 24 bits are selected in a random
order, but rather sequentially. So you don't even need to search the
24-bit space linearly: Take samples "randomly", and once you find an
alive host, try sequential addresses starting from there.

That said, it's not as bad as "this company has 10 OUIs, and I need to
go through all of them".

(I will try to get more experimental data, anyway).

>> and he'd already discover a fair share of the hosts connected to
>> the network.
>> Certainly not perfect, certainly harder than in IPv4, but still
>> feasible.
>> Now, if the same nodes implemented 
>> draft-gont-6man-stable-privacy-addresses, the attacker would be
>> better off trying something else.
> Agreed.  It also hides the company_id.

Exactly. And the search space becomes 64 bits (well, 63, since there's
the U/L bit), with no patterns. -- That's a whole different game.

>> Being able to benefit from the increased IPv6 address space to
>> mitigate host-scanning attacks would be a good thing, and an
>> improvement over IPv4.
> Agreed.
Best regards,
Fernando Gont
SI6 Networks
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
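An added example, not part of the original thread or of the draft text, contrasting the two interface-identifier schemes the message discusses: the modified EUI-64 IID, which carries the vendor OUI in its top bytes, versus an opaque hash-based IID in the spirit of draft-gont-6man-stable-privacy-addresses. The hash construction (SHA-256 over prefix, interface name, DAD counter and a per-host secret) is an assumption for illustration, not the draft's exact function or parameter list.

```python
import hashlib
import ipaddress
import secrets


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID (RFC 4291): OUI stays in the top 3 bytes,
    FF:FE is inserted in the middle, and the U/L bit is flipped."""
    m = bytes.fromhex(mac.replace(":", ""))
    if len(m) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02  # flip the universal/local bit
    return bytes(iid)


def stable_privacy_iid(prefix: str, iface: str, secret_key: bytes,
                       dad_counter: int = 0) -> bytes:
    """Opaque IID (illustrative, assumed construction): a hash over the
    prefix, interface name, DAD counter and a per-host secret. Stable
    within one prefix, unlinkable across prefixes, and free of any OUI."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    material = (net.network_address.packed[:8] + iface.encode()
                + dad_counter.to_bytes(2, "big") + secret_key)
    return hashlib.sha256(material).digest()[:8]


def address_from_iid(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix with a 64-bit IID into a textual IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def oui_visible(mac: str, iid: bytes) -> bool:
    """True when the MAC's OUI (U/L bit toggled) leads the IID: this is
    the vendor pattern that shrinks the scanner's search space."""
    oui = bytearray(bytes.fromhex(mac.replace(":", ""))[:3])
    oui[0] ^= 0x02
    return iid[:3] == bytes(oui)


if __name__ == "__main__":
    mac = "00:1c:b3:12:34:56"       # constructed sample MAC
    key = secrets.token_bytes(16)   # per-host secret, generated once
    for label, iid in (("EUI-64", eui64_iid(mac)),
                       ("stable-privacy",
                        stable_privacy_iid("2001:db8:1:2::/64", "eth0", key))):
        addr = address_from_iid("2001:db8:1:2::/64", iid)
        print(f"{label:15} {addr:40} OUI visible: {oui_visible(mac, iid)}")
```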