IETF Logo Mail Archive

Re: [v6ops] Same interface ID under several prefixes

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 13 November 2022 06:25 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6BD8C14CF0A for <v6ops@ietfa.amsl.com>; Sat, 12 Nov 2022 22:25:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N3cYaFEuHczc for <v6ops@ietfa.amsl.com>; Sat, 12 Nov 2022 22:25:08 -0800 (PST)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD279C14CF06 for <v6ops@ietf.org>; Sat, 12 Nov 2022 22:25:08 -0800 (PST)
Received: by mail-pl1-x632.google.com with SMTP id j12so7485484plj.5 for <v6ops@ietf.org>; Sat, 12 Nov 2022 22:25:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=f+rHzBdwZVHAnZ/5vq/nJS+zp/KZIgcBGP+fOPtJojA=; b=owscDLrbn4PWFXhYvVjzZO1wXD5JEwkHrT9UCx7e679CFgSGZfQtiqh9weqpi0r0rf axSnduxcAhHXkAn3rYFpemJ4w6RsmGRki5YOXRc1WwsuzR1OHmgAGHJGudRh+aLBIbF3 +K1FVhRdxtedh9fxa9o+9P8BaMF9O7/hG1OyhAD7BxmrhrbnMAeGZSwZiD9bEdXvzAXm 1FwgfM+MSWwLMyFibM3eaC1qvS9lsduqQTkLLZeJta+UqBxjTvzifS6I9EFYHWgPuc6m oIP3h/RUqkgC3i8DYF1we6OV0JMSLbnVKdZ+/oZ3YC4+TDgqvqL7Xd4bZm0NPsrRSTs1 u+Kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=f+rHzBdwZVHAnZ/5vq/nJS+zp/KZIgcBGP+fOPtJojA=; b=0L9V7p+94a5f5IjDKTJLeh/GGuvEyWGR3Z1NBbKV/Ku5w4e8Fqm6oJPphVrgAzd4XS TJKzqx5qQI5VnWasmdNR7am8lOsnySHb5Gs5tKGYEjE6Dqcp3jdvfkWW64/vcTLfA9ah OEJZPiiiZGo5FIRydTLyiKqCbMG9WjhHHpRliFntifXGJnt5YJi/mfiHsBx9Q35MDJAO jKS6h4onMmdDBa4zwlTdegYW8r98kC3kT/98SR3XSKH3xjvtAuoWZQSg8zRIEijYO9jE 9Eqn1BWtEPaSaX/0/uA/fEtAvE0dAOZIwXZnBdM3qYKFWO44uC0qWkeQ2Y6bPLUp1omS gV0g==
X-Gm-Message-State: ANoB5pnLc1bKc5khua7Ut9Jrijf7NchKly7t9Uv2WR/ZJfmquA2ejoXW HUoLTNuIEZawwl+sepCbCHA=
X-Google-Smtp-Source: AA0mqf4JXG6SAnCkhh37iyIMyPqusktpN608ZHQkXg8UIKUDL1RDl1X9S6nttAkLqL3TtGyLB6GixQ==
X-Received: by 2002:a17:90a:d193:b0:212:d6b8:ba4b with SMTP id fu19-20020a17090ad19300b00212d6b8ba4bmr8662067pjb.28.1668320707600; Sat, 12 Nov 2022 22:25:07 -0800 (PST)
Received: from ?IPV6:2406:e003:1124:9301:672e:17ee:b374:8a9b? ([2406:e003:1124:9301:672e:17ee:b374:8a9b]) by smtp.gmail.com with ESMTPSA id j5-20020a170903024500b001867fb4056asm4628008plh.32.2022.11.12.22.25.04 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 12 Nov 2022 22:25:06 -0800 (PST)
Message-ID: <a62d65e7-e738-3723-03ca-570122ebffd1@gmail.com>
Date: Sun, 13 Nov 2022 19:25:01 +1300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Alexandre Petrescu <alexandre.petrescu@gmail.com>, v6ops@ietf.org
References: <1f96f6d6-1c9a-0b18-acf2-dc7d0041ee3b@gmail.com> <78898acb-70b4-7e2d-a8ef-c47efde962e6@si6networks.com> <4821e89b-d64c-5e98-b2d7-a72437325045@gmail.com> <8c208ed1-5bcb-85f8-4b13-2465e160e655@gont.com.ar> <b25f3308-821e-4562-791a-2c2e44cde68c@gmail.com> <effd590f-93a3-c593-3e4e-2c6456ce8c4d@si6networks.com> <87acb67f-7751-aeec-f63f-58b47e628df9@gmail.com> <f407f68f-cd3b-b8af-2c80-ff827e865b11@gmail.com> <c7fb2f5b-2224-d83e-1da8-a74967ce829c@gmail.com> <226e81c8-3e71-d573-851e-e5caaa164167@gmail.com> <8ee1a79a-d4ab-3a29-7869-8ab28e7add08@gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <8ee1a79a-d4ab-3a29-7869-8ab28e7add08@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/PQcGEUWuD0L4lBvv7y-xaX4E3-E>
Subject: Re: [v6ops] Same interface ID under several prefixes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2022 06:25:13 -0000

Yes, I can now confirm that Windows 11 (a new installation, so up to date)
does indeed use three different stable IIDs for GUA, ULA and LL addresses.

Regards
    Brian

On 12-Nov-22 03:19, Alexandre Petrescu wrote:
> for completeness, per the original request of win11 outputs, I checked a
> win11 machine too, in addition to the 22H2 win10.
> 
> the win11 IPv4 and IPv6 address formats in the ipconfig output are
> similar to that of 22H2, there seem to be no difference.
> 
> Alex
> 
> Le 10/11/2022 à 21:41, Alexandre Petrescu a écrit :
>>
>>
>> Le 10/11/2022 à 21:02, Brian E Carpenter a écrit :
>>> On 10-Nov-22 23:13, Alexandre Petrescu wrote:
>>>>
>>>>
>>>> Le 09/11/2022 à 21:59, Brian E Carpenter a écrit :
>>>>> Looks like some progress in this area on Windows.
>>>>>
>>>>> Yesterday I applied the latest Windows 10 update, and noticed that my
>>>>> very old IPv6 status checker was giving me an unexpected result.
>>>>>
>>>>> Why? Because as of yesterday, the stable IIDs for my GUA, ULA and LL
>>>>> addresses are different. Kudos to MS.
>>>>>
>>>>> This is Windows 10 Pro, version 21H2, OS Build 19044.2251
>>>>>
>>>>> Can somebody check this on Windows 11?
>>>>
>>>> I could check something on 22H2 Win10 (not Win 11), but not sure what to
>>>> check more precisely, what commands to issue(?)
>>>
>>> At the command prompt do:  ipconfig
>>>
>>> The output will include something like this (slightly obfuscated):
>>>
>>> Ethernet adapter Ethernet 4:
>>>
>>>      Connection-specific DNS Suffix  . : fritz.box
>>>      IPv6 Address. . . . . . . . . . . :
>>> 2406:e003:xxxx:xxxx:672e:17ef:b374:8c9d
>>>      IPv6 Address. . . . . . . . . . . :
>>> fd63:45eb:dc14:0:6a25:e384:a462:54b9
>>>      Link-local IPv6 Address . . . . . : fe80::8d0f:7f26:e5c8:780b%7
>>>      IPv4 Address. . . . . . . . . . . : 192.168.178.20
>>>      Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>      Default Gateway . . . . . . . . . : fe80::2e3a:fdff:fea6:xxxx%7
>>>                                          192.168.178.1
>>>
>>> You see three different IIDs in my GUA, ULA and LLA addresses. I have
>>> dsiabled temporary IPv6 addresses, but you might see them too. (And you
>>> can see to its shame that my FritzBox still uses modified EUI-64.)
>>
>> You see below my ipconfig on wifi on a win10 22H2 on a home network
>> which offers both IPv4 and IPv6.
>>
>> Carte réseau sans fil Wi-Fi :
>>
>>      Suffixe DNS propre à la connexion. . . :
>>      Adresse IPv6. . . . . . . . . . . . . .: 2a01:e0a:937:bc30::ec18:fe76
>>      Adresse IPv6 de liaison locale. . . . .: fe80::6f44:cfe8:261a:fbaf%3
>>      Adresse IPv4. . . . . . . . . . . . . .: 192.168.0.5
>>      Masque de sous-réseau. . . . . . . . . : 255.255.255.0
>>      Passerelle par défaut. . . . . . . . . : fe80::160c:76ff:fe8c:86f3%3
>>                                          192.168.0.254
>>
>> I have not obfuscated anything because I suppose the system generates
>> new IIDs relatively often.
>>
>> Remark the IID in the GUA seems to be 32 signficant bits.
>>
>> Alex
>>
>>>
>>>      Brian
>>>
>>>
>>>>
>>>> I am on an IPv4-only network and there is an IID in the link-local
>>>> address, and that IID is different than the MAC address.
>>>>
>>>> I have not recorded that IID in earlier days, so I cant check whether
>>>> something changed after windows updates.
>>>>
>>>> And, I am not  even sure of the MAC address being something of the
>>>> actual Ethernet interface, because the USB-Ethernet interface is Dell,
>>>> the Ethernet-less computer is HP and the MAC address on Windows says it
>>>> is of HP (first 2 bytes checked from the public oui.txt).
>>>>
>>>> And, there is something in the BIOS which tries to have a unique MAC
>>>> address for the Ethernet interface despite connecting various external
>>>> USB-Ethernet interfaces with their various MAC addresses.
>>>>
>>>> This (MAC address from BIOS) stable identifier is very necessary, even
>>>> though it does not appear in IPv6 addresses.
>>>>
>>>> This stable id is used for some protection, even though it is known that
>>>> it can be faked.
>>>>
>>>> IPv6 is still considered to not give enough protection, compared to
>>>> IPv4.
>>>>
>>>> Alex
>>>>
>>>>>
>>>>> Regards
>>>>>       Brian
>>>>>
>>>>> On 23-Jun-22 08:46, Fernando Gont wrote:
>>>>>> Hi, Brian,
>>>>>>
>>>>>> MacOS and OpenBSD also implement RFC7217/RFC8064.
>>>>>>
>>>>>> For embedded devices (e.g. printers), they are probably based on older
>>>>>> versions of the Linux kernel, and probably RFC7217 has not (and will
>>>>>> not) be back-ported to them -- so it'll take time for these devices to
>>>>>> adopt RFC7217.
>>>>>>
>>>>>> As for Android, there might be a similar issue going on -- but
>>>>>> certainly
>>>>>> Lorenzo or Erik will be in a better position to tell.
>>>>>>
>>>>>> So my "concern" would probably be just the lack of support in Windows.
>>>>>>
>>>>>> P.S.: When it comes to Linux, it's more than just the kernel -- e.g.
>>>>>> there's an implementation in dhcpcd (that's what you probably see in
>>>>>> Raspberry Pi), and an implementation in NetworkManager (and there
>>>>>> might
>>>>>> be one in systemd-networkd).
>>>>>>
>>>>>> Thanks,
>>>>>> Fernando
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 21/6/22 19:56, Brian E Carpenter wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've done a little survey on my home network, and I don't find the
>>>>>>> results
>>>>>>> very encouraging for RFC7217/RFC8064 deployment. In summary, there is
>>>>>>> some usage of pseudorandom IDs, but only Linux deserves a gold star
>>>>>>> (the PI is also Linux):
>>>>>>>
>>>>>>> Linux 5.4.0   - 3 different IIDs for GUA, ULA, LLA
>>>>>>> Raspberry PI  - 3 different IIDs for GUA, ULA, LLA
>>>>>>> Android 7     - same IID for GUA, ULA; different for LLA (EUI64)
>>>>>>> Android 11    - same IID for GUA, ULA; different for LLA (EUI64)
>>>>>>> Windows 10*   - same IID for GUA, ULA, LLA
>>>>>>> FritzBox 7530 - same IID for GUA, ULA, LLA (EUI64)
>>>>>>> Samsung TV s6 - same IID for GUA, LLA (EUI64, but also temporary
>>>>>>> IID for
>>>>>>> GUA & ULA)
>>>>>>> Chromecast 2  - LLA only (EUI64)
>>>>>>> Canon TS5100  - LLA only (EUI64)
>>>>>>>
>>>>>>> * with temporary addresses switched off
>>>>>>>
>>>>>>> Regards
>>>>>>>        Brian Carpenter
>>>>>>>
>>>>>>> On 18-Jun-22 10:20, Fernando Gont wrote:
>>>>>>>> On 17/6/22 17:51, Brian E Carpenter wrote:
>>>>>>>> [...]
>>>>>>>>>>
>>>>>>>>>> I assume they don't claim to implement RFC7217. -- If they did,
>>>>>>>>>> then
>>>>>>>>>> yes, it would be fair to call that a bug. :-)
>>>>>>>>>
>>>>>>>>> Right, it would be fairer to call it a potential privacy
>>>>>>>>> vulnerability
>>>>>>>>> (discover one address, get another one free of charge).
>>>>>>>>
>>>>>>>> Indeed, their mechanism allows for host-tracking: i.e., once you
>>>>>>>> know
>>>>>>>> the token, you can predict what's the address that that node would
>>>>>>>> configured if it connected to a given network.
>>>>>>>>
>>>>>>>>
>>>>>>>>> I don't regard
>>>>>>>>> it as a very serious problem that an outsider can learn my ULA or
>>>>>>>>> LLA.
>>>>>>>>
>>>>>>>> The biggest problem is that once the attacker learns your token,
>>>>>>>> e.g.,
>>>>>>>> he can test whether you're connected to e.g. the IETF conference
>>>>>>>> network
>>>>>>>> by e.g. pinging PREFIX::your_token.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> Kudos to MS, anyway, for having moved to pseudo-random IIDs very
>>>>>>>>> early,
>>>>>>>>> before RFC7217 in fact.
>>>>>>>>
>>>>>>>> Yes, that was the point I was trying to make!
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> v6ops mailing list
>>>>>>> v6ops@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>>>
>>>>> _______________________________________________
>>>>> v6ops mailing list
>>>>> v6ops@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>
>>>> _______________________________________________
>>>> v6ops mailing list
>>>> v6ops@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email