Re: [v6ops] Same interface ID under several prefixes
Fernando Gont <fgont@si6networks.com> Wed, 22 June 2022 20:47 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18252C15AAE6 for <v6ops@ietfa.amsl.com>; Wed, 22 Jun 2022 13:47:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.771
X-Spam-Level:
X-Spam-Status: No, score=-3.771 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-1.876, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nPSCqUsnrO8T for <v6ops@ietfa.amsl.com>; Wed, 22 Jun 2022 13:46:58 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A4CBC15AADA for <v6ops@ietf.org>; Wed, 22 Jun 2022 13:46:52 -0700 (PDT)
Received: from [IPV6:2001:67c:27e4:c::1000] (unknown [IPv6:2001:67c:27e4:c::1000]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 06CC7282110; Wed, 22 Jun 2022 20:46:45 +0000 (UTC)
Message-ID: <effd590f-93a3-c593-3e4e-2c6456ce8c4d@si6networks.com>
Date: Wed, 22 Jun 2022 17:46:42 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-US
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Fernando Gont <fernando@gont.com.ar>, IPv6 Operations <v6ops@ietf.org>
References: <1f96f6d6-1c9a-0b18-acf2-dc7d0041ee3b@gmail.com> <78898acb-70b4-7e2d-a8ef-c47efde962e6@si6networks.com> <4821e89b-d64c-5e98-b2d7-a72437325045@gmail.com> <8c208ed1-5bcb-85f8-4b13-2465e160e655@gont.com.ar> <b25f3308-821e-4562-791a-2c2e44cde68c@gmail.com>
From: Fernando Gont <fgont@si6networks.com>
In-Reply-To: <b25f3308-821e-4562-791a-2c2e44cde68c@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Og-cf_5FxbTvH27ABIdhuxqzako>
Subject: Re: [v6ops] Same interface ID under several prefixes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2022 20:47:03 -0000
Hi, Brian, MacOS and OpenBSD also implement RFC7217/RFC8064. For embedded devices (e.g. printers), they are probably based on older versions of the Linux kernel, and probably RFC7217 has not (and will not) be back-ported to them -- so it'll take time for these devices to adopt RFC7217. As for Android, there might be a similar issue going on -- but certainly Lorenzo or Erik will be in a better position to tell. So my "concern" would probably be just the lack of support in Windows. P.S.: When it comes to Linux, it's more than just the kernel -- e.g. there's an implementation in dhcpcd (that's what you probably see in Raspberry Pi), and an implementation in NetworkManager (and there might be one in systemd-networkd). Thanks, Fernando On 21/6/22 19:56, Brian E Carpenter wrote: > Hi, > > I've done a little survey on my home network, and I don't find the results > very encouraging for RFC7217/RFC8064 deployment. In summary, there is > some usage of pseudorandom IDs, but only Linux deserves a gold star > (the PI is also Linux): > > Linux 5.4.0 - 3 different IIDs for GUA, ULA, LLA > Raspberry PI - 3 different IIDs for GUA, ULA, LLA > Android 7 - same IID for GUA, ULA; different for LLA (EUI64) > Android 11 - same IID for GUA, ULA; different for LLA (EUI64) > Windows 10* - same IID for GUA, ULA, LLA > FritzBox 7530 - same IID for GUA, ULA, LLA (EUI64) > Samsung TV s6 - same IID for GUA, LLA (EUI64, but also temporary IID for > GUA & ULA) > Chromecast 2 - LLA only (EUI64) > Canon TS5100 - LLA only (EUI64) > > * with temporary addresses switched off > > Regards > Brian Carpenter > > On 18-Jun-22 10:20, Fernando Gont wrote: >> On 17/6/22 17:51, Brian E Carpenter wrote: >> [...] >>>> >>>> I assume they don't claim to implement RFC7217. -- If they did, then >>>> yes, it would be fair to call that a bug. :-) >>> >>> Right, it would be fairer to call it a potential privacy vulnerability >>> (discover one address, get another one free of charge). >> >> Indeed, their mechanism allows for host-tracking: i.e., once you know >> the token, you can predict what's the address that that node would >> configured if it connected to a given network. >> >> >>> I don't regard >>> it as a very serious problem that an outsider can learn my ULA or >>> LLA. >> >> The biggest problem is that once the attacker learns your token, e.g., >> he can test whether you're connected to e.g. the IETF conference network >> by e.g. pinging PREFIX::your_token. >> >> >> >>> Kudos to MS, anyway, for having moved to pseudo-random IIDs very early, >>> before RFC7217 in fact. >> >> Yes, that was the point I was trying to make! >> >> Thanks, > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [v6ops] Same interface ID under several prefixes Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Mark Smith
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont
- Re: [v6ops] Same interface ID under several prefi… Mark Smith
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… tom petch
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont