IETF Logo Mail Archive

Re: [v6ops] Same interface ID under several prefixes

Alexandre Petrescu <alexandre.petrescu@gmail.com> Fri, 11 November 2022 14:20 UTC

Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48363C14CF00 for <v6ops@ietfa.amsl.com>; Fri, 11 Nov 2022 06:20:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.66
X-Spam-Level:
X-Spam-Status: No, score=0.66 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1WCxMlCLzR2r for <v6ops@ietfa.amsl.com>; Fri, 11 Nov 2022 06:20:00 -0800 (PST)
Received: from smtp5-g21.free.fr (smtp5-g21.free.fr [212.27.42.5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8455EC14F744 for <v6ops@ietf.org>; Fri, 11 Nov 2022 06:20:00 -0800 (PST)
Received: from [IPV6:2a01:e0a:937:bc30::ec18:fe76] (unknown [IPv6:2a01:e0a:937:bc30::ec18:fe76]) by smtp5-g21.free.fr (Postfix) with ESMTP id 0B4F15FFA0 for <v6ops@ietf.org>; Fri, 11 Nov 2022 15:19:57 +0100 (CET)
Message-ID: <8ee1a79a-d4ab-3a29-7869-8ab28e7add08@gmail.com>
Date: Fri, 11 Nov 2022 15:19:57 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: fr
To: v6ops@ietf.org
References: <1f96f6d6-1c9a-0b18-acf2-dc7d0041ee3b@gmail.com> <78898acb-70b4-7e2d-a8ef-c47efde962e6@si6networks.com> <4821e89b-d64c-5e98-b2d7-a72437325045@gmail.com> <8c208ed1-5bcb-85f8-4b13-2465e160e655@gont.com.ar> <b25f3308-821e-4562-791a-2c2e44cde68c@gmail.com> <effd590f-93a3-c593-3e4e-2c6456ce8c4d@si6networks.com> <87acb67f-7751-aeec-f63f-58b47e628df9@gmail.com> <f407f68f-cd3b-b8af-2c80-ff827e865b11@gmail.com> <c7fb2f5b-2224-d83e-1da8-a74967ce829c@gmail.com> <226e81c8-3e71-d573-851e-e5caaa164167@gmail.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
In-Reply-To: <226e81c8-3e71-d573-851e-e5caaa164167@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/QGYrniGT182EC9MPXcd488DYEJA>
Subject: Re: [v6ops] Same interface ID under several prefixes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Nov 2022 14:20:04 -0000

for completeness, per the original request of win11 outputs, I checked a 
win11 machine too, in addition to the 22H2 win10.

the win11 IPv4 and IPv6 address formats in the ipconfig output are 
similar to that of 22H2, there seem to be no difference.

Alex

Le 10/11/2022 à 21:41, Alexandre Petrescu a écrit :
> 
> 
> Le 10/11/2022 à 21:02, Brian E Carpenter a écrit :
>> On 10-Nov-22 23:13, Alexandre Petrescu wrote:
>>>
>>>
>>> Le 09/11/2022 à 21:59, Brian E Carpenter a écrit :
>>>> Looks like some progress in this area on Windows.
>>>>
>>>> Yesterday I applied the latest Windows 10 update, and noticed that my
>>>> very old IPv6 status checker was giving me an unexpected result.
>>>>
>>>> Why? Because as of yesterday, the stable IIDs for my GUA, ULA and LL
>>>> addresses are different. Kudos to MS.
>>>>
>>>> This is Windows 10 Pro, version 21H2, OS Build 19044.2251
>>>>
>>>> Can somebody check this on Windows 11?
>>>
>>> I could check something on 22H2 Win10 (not Win 11), but not sure what to
>>> check more precisely, what commands to issue(?)
>>
>> At the command prompt do:  ipconfig
>>
>> The output will include something like this (slightly obfuscated):
>>
>> Ethernet adapter Ethernet 4:
>>
>>     Connection-specific DNS Suffix  . : fritz.box
>>     IPv6 Address. . . . . . . . . . . : 
>> 2406:e003:xxxx:xxxx:672e:17ef:b374:8c9d
>>     IPv6 Address. . . . . . . . . . . : 
>> fd63:45eb:dc14:0:6a25:e384:a462:54b9
>>     Link-local IPv6 Address . . . . . : fe80::8d0f:7f26:e5c8:780b%7
>>     IPv4 Address. . . . . . . . . . . : 192.168.178.20
>>     Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>     Default Gateway . . . . . . . . . : fe80::2e3a:fdff:fea6:xxxx%7
>>                                         192.168.178.1
>>
>> You see three different IIDs in my GUA, ULA and LLA addresses. I have
>> dsiabled temporary IPv6 addresses, but you might see them too. (And you
>> can see to its shame that my FritzBox still uses modified EUI-64.)
> 
> You see below my ipconfig on wifi on a win10 22H2 on a home network 
> which offers both IPv4 and IPv6.
> 
> Carte réseau sans fil Wi-Fi :
> 
>     Suffixe DNS propre à la connexion. . . :
>     Adresse IPv6. . . . . . . . . . . . . .: 2a01:e0a:937:bc30::ec18:fe76
>     Adresse IPv6 de liaison locale. . . . .: fe80::6f44:cfe8:261a:fbaf%3
>     Adresse IPv4. . . . . . . . . . . . . .: 192.168.0.5
>     Masque de sous-réseau. . . . . . . . . : 255.255.255.0
>     Passerelle par défaut. . . . . . . . . : fe80::160c:76ff:fe8c:86f3%3
>                                         192.168.0.254
> 
> I have not obfuscated anything because I suppose the system generates 
> new IIDs relatively often.
> 
> Remark the IID in the GUA seems to be 32 signficant bits.
> 
> Alex
> 
>>
>>     Brian
>>
>>
>>>
>>> I am on an IPv4-only network and there is an IID in the link-local
>>> address, and that IID is different than the MAC address.
>>>
>>> I have not recorded that IID in earlier days, so I cant check whether
>>> something changed after windows updates.
>>>
>>> And, I am not  even sure of the MAC address being something of the
>>> actual Ethernet interface, because the USB-Ethernet interface is Dell,
>>> the Ethernet-less computer is HP and the MAC address on Windows says it
>>> is of HP (first 2 bytes checked from the public oui.txt).
>>>
>>> And, there is something in the BIOS which tries to have a unique MAC
>>> address for the Ethernet interface despite connecting various external
>>> USB-Ethernet interfaces with their various MAC addresses.
>>>
>>> This (MAC address from BIOS) stable identifier is very necessary, even
>>> though it does not appear in IPv6 addresses.
>>>
>>> This stable id is used for some protection, even though it is known that
>>> it can be faked.
>>>
>>> IPv6 is still considered to not give enough protection, compared to 
>>> IPv4.
>>>
>>> Alex
>>>
>>>>
>>>> Regards
>>>>      Brian
>>>>
>>>> On 23-Jun-22 08:46, Fernando Gont wrote:
>>>>> Hi, Brian,
>>>>>
>>>>> MacOS and OpenBSD also implement RFC7217/RFC8064.
>>>>>
>>>>> For embedded devices (e.g. printers), they are probably based on older
>>>>> versions of the Linux kernel, and probably RFC7217 has not (and will
>>>>> not) be back-ported to them -- so it'll take time for these devices to
>>>>> adopt RFC7217.
>>>>>
>>>>> As for Android, there might be a similar issue going on -- but 
>>>>> certainly
>>>>> Lorenzo or Erik will be in a better position to tell.
>>>>>
>>>>> So my "concern" would probably be just the lack of support in Windows.
>>>>>
>>>>> P.S.: When it comes to Linux, it's more than just the kernel -- e.g.
>>>>> there's an implementation in dhcpcd (that's what you probably see in
>>>>> Raspberry Pi), and an implementation in NetworkManager (and there 
>>>>> might
>>>>> be one in systemd-networkd).
>>>>>
>>>>> Thanks,
>>>>> Fernando
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 21/6/22 19:56, Brian E Carpenter wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I've done a little survey on my home network, and I don't find the
>>>>>> results
>>>>>> very encouraging for RFC7217/RFC8064 deployment. In summary, there is
>>>>>> some usage of pseudorandom IDs, but only Linux deserves a gold star
>>>>>> (the PI is also Linux):
>>>>>>
>>>>>> Linux 5.4.0   - 3 different IIDs for GUA, ULA, LLA
>>>>>> Raspberry PI  - 3 different IIDs for GUA, ULA, LLA
>>>>>> Android 7     - same IID for GUA, ULA; different for LLA (EUI64)
>>>>>> Android 11    - same IID for GUA, ULA; different for LLA (EUI64)
>>>>>> Windows 10*   - same IID for GUA, ULA, LLA
>>>>>> FritzBox 7530 - same IID for GUA, ULA, LLA (EUI64)
>>>>>> Samsung TV s6 - same IID for GUA, LLA (EUI64, but also temporary 
>>>>>> IID for
>>>>>> GUA & ULA)
>>>>>> Chromecast 2  - LLA only (EUI64)
>>>>>> Canon TS5100  - LLA only (EUI64)
>>>>>>
>>>>>> * with temporary addresses switched off
>>>>>>
>>>>>> Regards
>>>>>>       Brian Carpenter
>>>>>>
>>>>>> On 18-Jun-22 10:20, Fernando Gont wrote:
>>>>>>> On 17/6/22 17:51, Brian E Carpenter wrote:
>>>>>>> [...]
>>>>>>>>>
>>>>>>>>> I assume they don't claim to implement RFC7217. -- If they did, 
>>>>>>>>> then
>>>>>>>>> yes, it would be fair to call that a bug. :-)
>>>>>>>>
>>>>>>>> Right, it would be fairer to call it a potential privacy 
>>>>>>>> vulnerability
>>>>>>>> (discover one address, get another one free of charge).
>>>>>>>
>>>>>>> Indeed, their mechanism allows for host-tracking: i.e., once you 
>>>>>>> know
>>>>>>> the token, you can predict what's the address that that node would
>>>>>>> configured if it connected to a given network.
>>>>>>>
>>>>>>>
>>>>>>>> I don't regard
>>>>>>>> it as a very serious problem that an outsider can learn my ULA or
>>>>>>>> LLA.
>>>>>>>
>>>>>>> The biggest problem is that once the attacker learns your token, 
>>>>>>> e.g.,
>>>>>>> he can test whether you're connected to e.g. the IETF conference
>>>>>>> network
>>>>>>> by e.g. pinging PREFIX::your_token.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Kudos to MS, anyway, for having moved to pseudo-random IIDs very
>>>>>>>> early,
>>>>>>>> before RFC7217 in fact.
>>>>>>>
>>>>>>> Yes, that was the point I was trying to make!
>>>>>>>
>>>>>>> Thanks,
>>>>>>
>>>>>> _______________________________________________
>>>>>> v6ops mailing list
>>>>>> v6ops@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>>>
>>>> _______________________________________________
>>>> v6ops mailing list
>>>> v6ops@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/v6ops
>>>
>>> _______________________________________________
>>> v6ops mailing list
>>> v6ops@ietf.org
>>> https://www.ietf.org/mailman/listinfo/v6ops
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email