IETF Logo Mail Archive

Re: [v6ops] Same interface ID under several prefixes - Win11 and VSLAAC?

Alexandre Petrescu <alexandre.petrescu@gmail.com> Sun, 20 November 2022 11:39 UTC

Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1128C14F73D for <v6ops@ietfa.amsl.com>; Sun, 20 Nov 2022 03:39:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.628
X-Spam-Level:
X-Spam-Status: No, score=-1.628 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IHbPfE7_LRBH for <v6ops@ietfa.amsl.com>; Sun, 20 Nov 2022 03:39:21 -0800 (PST)
Received: from sainfoin-smtp-out.extra.cea.fr (sainfoin-smtp-out.extra.cea.fr [132.167.192.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 638F0C14F72F for <v6ops@ietf.org>; Sun, 20 Nov 2022 03:39:20 -0800 (PST)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by sainfoin-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 2AKBdG5j040567; Sun, 20 Nov 2022 12:39:16 +0100
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id E75962016CE; Sun, 20 Nov 2022 12:39:16 +0100 (CET)
Received: from muguet1-smtp-out.intra.cea.fr (muguet1-smtp-out.intra.cea.fr [132.166.192.12]) by pisaure.intra.cea.fr (Postfix) with ESMTP id CBD86200C3F; Sun, 20 Nov 2022 12:39:16 +0100 (CET)
Received: from [10.11.240.30] ([10.11.240.30]) by muguet1-sys.intra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 2AKBdB20048585; Sun, 20 Nov 2022 12:39:11 +0100
Content-Type: multipart/alternative; boundary="------------tTysnLeUXgLmBQaxdxUnulGr"
Message-ID: <4d0fe704-993b-2b2a-93d4-f11085df76fe@gmail.com>
Date: Sun, 20 Nov 2022 12:39:11 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0
Content-Language: fr
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, v6ops@ietf.org
References: <1f96f6d6-1c9a-0b18-acf2-dc7d0041ee3b@gmail.com> <78898acb-70b4-7e2d-a8ef-c47efde962e6@si6networks.com> <4821e89b-d64c-5e98-b2d7-a72437325045@gmail.com> <8c208ed1-5bcb-85f8-4b13-2465e160e655@gont.com.ar> <b25f3308-821e-4562-791a-2c2e44cde68c@gmail.com> <effd590f-93a3-c593-3e4e-2c6456ce8c4d@si6networks.com> <87acb67f-7751-aeec-f63f-58b47e628df9@gmail.com> <f407f68f-cd3b-b8af-2c80-ff827e865b11@gmail.com> <c7fb2f5b-2224-d83e-1da8-a74967ce829c@gmail.com> <226e81c8-3e71-d573-851e-e5caaa164167@gmail.com> <8ee1a79a-d4ab-3a29-7869-8ab28e7add08@gmail.com> <a62d65e7-e738-3723-03ca-570122ebffd1@gmail.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
In-Reply-To: <a62d65e7-e738-3723-03ca-570122ebffd1@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/PDGB08ZHCKWlX8Wm82rn-c-z28Q>
Subject: Re: [v6ops] Same interface ID under several prefixes - Win11 and VSLAAC?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Nov 2022 11:39:25 -0000

Le 13/11/2022 à 07:25, Brian E Carpenter a écrit :
> Yes, I can now confirm that Windows 11 (a new installation, so up to 
> date)
> does indeed use three different stable IIDs for GUA, ULA and LL 
> addresses.

A friend with a very large in-home network points me to a DLink router 
which seems to be able to advertise RAs with a plen that is a 
configurable parameter, according to the config shown in the image below.

So, one can legitimately wonder whether anWin11 IPv6 address that has an 
IID with significant 32bit leftmost bytes (not 64) has received an RA 
with plen 96 (not 64) and has formed an address in a way that might be 
called variable SLAAC (VSLAAC).


Alex

>
> Regards
>    Brian
>
> On 12-Nov-22 03:19, Alexandre Petrescu wrote:
>> for completeness, per the original request of win11 outputs, I checked a
>> win11 machine too, in addition to the 22H2 win10.
>>
>> the win11 IPv4 and IPv6 address formats in the ipconfig output are
>> similar to that of 22H2, there seem to be no difference.
>>
>> Alex
>>
>> Le 10/11/2022 à 21:41, Alexandre Petrescu a écrit :
>>>
>>>
>>> Le 10/11/2022 à 21:02, Brian E Carpenter a écrit :
>>>> On 10-Nov-22 23:13, Alexandre Petrescu wrote:
>>>>>
>>>>>
>>>>> Le 09/11/2022 à 21:59, Brian E Carpenter a écrit :
>>>>>> Looks like some progress in this area on Windows.
>>>>>>
>>>>>> Yesterday I applied the latest Windows 10 update, and noticed 
>>>>>> that my
>>>>>> very old IPv6 status checker was giving me an unexpected result.
>>>>>>
>>>>>> Why? Because as of yesterday, the stable IIDs for my GUA, ULA and LL
>>>>>> addresses are different. Kudos to MS.
>>>>>>
>>>>>> This is Windows 10 Pro, version 21H2, OS Build 19044.2251
>>>>>>
>>>>>> Can somebody check this on Windows 11?
>>>>>
>>>>> I could check something on 22H2 Win10 (not Win 11), but not sure 
>>>>> what to
>>>>> check more precisely, what commands to issue(?)
>>>>
>>>> At the command prompt do:  ipconfig
>>>>
>>>> The output will include something like this (slightly obfuscated):
>>>>
>>>> Ethernet adapter Ethernet 4:
>>>>
>>>>      Connection-specific DNS Suffix  . : fritz.box
>>>>      IPv6 Address. . . . . . . . . . . :
>>>> 2406:e003:xxxx:xxxx:672e:17ef:b374:8c9d
>>>>      IPv6 Address. . . . . . . . . . . :
>>>> fd63:45eb:dc14:0:6a25:e384:a462:54b9
>>>>      Link-local IPv6 Address . . . . . : fe80::8d0f:7f26:e5c8:780b%7
>>>>      IPv4 Address. . . . . . . . . . . : 192.168.178.20
>>>>      Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>      Default Gateway . . . . . . . . . : fe80::2e3a:fdff:fea6:xxxx%7
>>>>                                          192.168.178.1
>>>>
>>>> You see three different IIDs in my GUA, ULA and LLA addresses. I have
>>>> dsiabled temporary IPv6 addresses, but you might see them too. (And 
>>>> you
>>>> can see to its shame that my FritzBox still uses modified EUI-64.)
>>>
>>> You see below my ipconfig on wifi on a win10 22H2 on a home network
>>> which offers both IPv4 and IPv6.
>>>
>>> Carte réseau sans fil Wi-Fi :
>>>
>>>      Suffixe DNS propre à la connexion. . . :
>>>      Adresse IPv6. . . . . . . . . . . . . .: 
>>> 2a01:e0a:937:bc30::ec18:fe76
>>>      Adresse IPv6 de liaison locale. . . . .: 
>>> fe80::6f44:cfe8:261a:fbaf%3
>>>      Adresse IPv4. . . . . . . . . . . . . .: 192.168.0.5
>>>      Masque de sous-réseau. . . . . . . . . : 255.255.255.0
>>>      Passerelle par défaut. . . . . . . . . : 
>>> fe80::160c:76ff:fe8c:86f3%3
>>>                                          192.168.0.254
>>>
>>> I have not obfuscated anything because I suppose the system generates
>>> new IIDs relatively often.
>>>
>>> Remark the IID in the GUA seems to be 32 signficant bits.
>>>
>>> Alex
>>>
>>>>
>>>>      Brian
>>>>
>>>>
>>>>>
>>>>> I am on an IPv4-only network and there is an IID in the link-local
>>>>> address, and that IID is different than the MAC address.
>>>>>
>>>>> I have not recorded that IID in earlier days, so I cant check whether
>>>>> something changed after windows updates.
>>>>>
>>>>> And, I am not  even sure of the MAC address being something of the
>>>>> actual Ethernet interface, because the USB-Ethernet interface is 
>>>>> Dell,
>>>>> the Ethernet-less computer is HP and the MAC address on Windows 
>>>>> says it
>>>>> is of HP (first 2 bytes checked from the public oui.txt).
>>>>>
>>>>> And, there is something in the BIOS which tries to have a unique MAC
>>>>> address for the Ethernet interface despite connecting various 
>>>>> external
>>>>> USB-Ethernet interfaces with their various MAC addresses.
>>>>>
>>>>> This (MAC address from BIOS) stable identifier is very necessary, 
>>>>> even
>>>>> though it does not appear in IPv6 addresses.
>>>>>
>>>>> This stable id is used for some protection, even though it is 
>>>>> known that
>>>>> it can be faked.
>>>>>
>>>>> IPv6 is still considered to not give enough protection, compared to
>>>>> IPv4.
>>>>>
>>>>> Alex
>>>>>
>>>>>>
>>>>>> Regards
>>>>>>       Brian
>>>>>>
>>>>>> On 23-Jun-22 08:46, Fernando Gont wrote:
>>>>>>> Hi, Brian,
>>>>>>>
>>>>>>> MacOS and OpenBSD also implement RFC7217/RFC8064.
>>>>>>>
>>>>>>> For embedded devices (e.g. printers), they are probably based on 
>>>>>>> older
>>>>>>> versions of the Linux kernel, and probably RFC7217 has not (and 
>>>>>>> will
>>>>>>> not) be back-ported to them -- so it'll take time for these 
>>>>>>> devices to
>>>>>>> adopt RFC7217.
>>>>>>>
>>>>>>> As for Android, there might be a similar issue going on -- but
>>>>>>> certainly
>>>>>>> Lorenzo or Erik will be in a better position to tell.
>>>>>>>
>>>>>>> So my "concern" would probably be just the lack of support in 
>>>>>>> Windows.
>>>>>>>
>>>>>>> P.S.: When it comes to Linux, it's more than just the kernel -- 
>>>>>>> e.g.
>>>>>>> there's an implementation in dhcpcd (that's what you probably 
>>>>>>> see in
>>>>>>> Raspberry Pi), and an implementation in NetworkManager (and there
>>>>>>> might
>>>>>>> be one in systemd-networkd).
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Fernando
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 21/6/22 19:56, Brian E Carpenter wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I've done a little survey on my home network, and I don't find the
>>>>>>>> results
>>>>>>>> very encouraging for RFC7217/RFC8064 deployment. In summary, 
>>>>>>>> there is
>>>>>>>> some usage of pseudorandom IDs, but only Linux deserves a gold 
>>>>>>>> star
>>>>>>>> (the PI is also Linux):
>>>>>>>>
>>>>>>>> Linux 5.4.0   - 3 different IIDs for GUA, ULA, LLA
>>>>>>>> Raspberry PI  - 3 different IIDs for GUA, ULA, LLA
>>>>>>>> Android 7     - same IID for GUA, ULA; different for LLA (EUI64)
>>>>>>>> Android 11    - same IID for GUA, ULA; different for LLA (EUI64)
>>>>>>>> Windows 10*   - same IID for GUA, ULA, LLA
>>>>>>>> FritzBox 7530 - same IID for GUA, ULA, LLA (EUI64)
>>>>>>>> Samsung TV s6 - same IID for GUA, LLA (EUI64, but also temporary
>>>>>>>> IID for
>>>>>>>> GUA & ULA)
>>>>>>>> Chromecast 2  - LLA only (EUI64)
>>>>>>>> Canon TS5100  - LLA only (EUI64)
>>>>>>>>
>>>>>>>> * with temporary addresses switched off
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>        Brian Carpenter
>>>>>>>>
>>>>>>>> On 18-Jun-22 10:20, Fernando Gont wrote:
>>>>>>>>> On 17/6/22 17:51, Brian E Carpenter wrote:
>>>>>>>>> [...]
>>>>>>>>>>>
>>>>>>>>>>> I assume they don't claim to implement RFC7217. -- If they did,
>>>>>>>>>>> then
>>>>>>>>>>> yes, it would be fair to call that a bug. :-)
>>>>>>>>>>
>>>>>>>>>> Right, it would be fairer to call it a potential privacy
>>>>>>>>>> vulnerability
>>>>>>>>>> (discover one address, get another one free of charge).
>>>>>>>>>
>>>>>>>>> Indeed, their mechanism allows for host-tracking: i.e., once you
>>>>>>>>> know
>>>>>>>>> the token, you can predict what's the address that that node 
>>>>>>>>> would
>>>>>>>>> configured if it connected to a given network.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> I don't regard
>>>>>>>>>> it as a very serious problem that an outsider can learn my 
>>>>>>>>>> ULA or
>>>>>>>>>> LLA.
>>>>>>>>>
>>>>>>>>> The biggest problem is that once the attacker learns your token,
>>>>>>>>> e.g.,
>>>>>>>>> he can test whether you're connected to e.g. the IETF conference
>>>>>>>>> network
>>>>>>>>> by e.g. pinging PREFIX::your_token.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Kudos to MS, anyway, for having moved to pseudo-random IIDs very
>>>>>>>>>> early,
>>>>>>>>>> before RFC7217 in fact.
>>>>>>>>>
>>>>>>>>> Yes, that was the point I was trying to make!
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> v6ops mailing list
>>>>>>>> v6ops@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>>>>
>>>>>> _______________________________________________
>>>>>> v6ops mailing list
>>>>>> v6ops@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>>
>>>>> _______________________________________________
>>>>> v6ops mailing list
>>>>> v6ops@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email