Re: [6man] Stable privacy addresses (upcoming rev)

Fernando Gont <> Sat, 31 March 2012 12:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 33BD721F867D for <>; Sat, 31 Mar 2012 05:50:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WWus5oBzDmMg for <>; Sat, 31 Mar 2012 05:50:56 -0700 (PDT)
Received: from (unknown [IPv6:2a02:27f8:1025:18::232]) by (Postfix) with ESMTP id 9B7AD21F8663 for <>; Sat, 31 Mar 2012 05:50:56 -0700 (PDT)
Received: from ([] helo=[]) by with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <>) id 1SDxlR-00075b-9w; Sat, 31 Mar 2012 14:50:41 +0200
Message-ID: <>
Date: Sat, 31 Mar 2012 14:27:28 +0200
From: Fernando Gont <>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20120313 Thunderbird/3.1.20
MIME-Version: 1.0
To: Christian Huitema <>
Subject: Re: [6man] Stable privacy addresses (upcoming rev)
References: <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Ray Hunter <>, "" <>
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 31 Mar 2012 12:50:57 -0000

On 03/31/2012 07:32 AM, Christian Huitema wrote:
>> If the regime controls the local-link, then as far as
>> address-tracking is concerned, you're toast. -- They could sniff
>> the network and log the address->MAC mappings, have RAs require you
>> to do DHCPv6 and then have DHCPv6 assign you a constant address,
>> etc.
> The obvious solution is to randomize the MAC address, and I would
> definitely want to do that when visiting untrusted networks.

Or use an external card or even a different system, use it, and destroy
and throw away. :-)

In any case, as noted by Ray, if you're really into the aforementioned
"regime" situation, randomizing the mac address is probably *not* #1 in
your set of priorities.

> Of course, randomizing the MAC address is necessary but not
> sufficient. There are many other ways in which our computer leak
> information. DHCP messages, for example, contains names and other
> identifiers. Computers connecting to a network issue a flurry of DNS
> lookups that can make for good signatures. Etc.

Exactly. That's why I said that if the regime controls the local link,
then, for the most part "game over". - If they don't, you can usually
tunnel somewhere else.

Fernando Gont
SI6 Networks
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492