[v6ops] IPv6 new access from Windows to Google: display of a critical security alert

Alexandre Petrescu <alexandre.petrescu@gmail.com> Thu, 31 October 2019 10:26 UTC

Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 3C2BB1200F1 for <v6ops@ietfa.amsl.com>; Thu, 31 Oct 2019 03:26:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.387
X-Spam-Level: **
X-Spam-Status: No, score=2.387 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, HTML_IMAGE_ONLY_24=1.618, HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, SPOOFED_FREEMAIL=1.999] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id UpGA2FjssuvY for <v6ops@ietfa.amsl.com>; Thu, 31 Oct 2019 03:26:00 -0700 (PDT)
Received: from sainfoin-smtp-out.extra.cea.fr (sainfoin-smtp-out.extra.cea.fr []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1A1C1200F6 for <v6ops@ietf.org>; Thu, 31 Oct 2019 03:25:59 -0700 (PDT)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr []) by sainfoin-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id x9VAPvLC015111 for <v6ops@ietf.org>; Thu, 31 Oct 2019 11:25:57 +0100
Received: from pisaure.intra.cea.fr (localhost []) by localhost (Postfix) with SMTP id C8461203BA4 for <v6ops@ietf.org>; Thu, 31 Oct 2019 11:25:57 +0100 (CET)
Received: from muguet2-smtp-out.intra.cea.fr (muguet2-smtp-out.intra.cea.fr []) by pisaure.intra.cea.fr (Postfix) with ESMTP id B7359203BA2 for <v6ops@ietf.org>; Thu, 31 Oct 2019 11:25:57 +0100 (CET)
Received: from [] ([]) by muguet2-sys.intra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id x9VAPoU7016147 for <v6ops@ietf.org>; Thu, 31 Oct 2019 11:25:51 +0100
To: "v6ops@ietf.org" <v6ops@ietf.org>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <d15dc3e9-2cd5-fb74-e664-2d91b5c4e3ef@gmail.com>
Date: Thu, 31 Oct 2019 11:25:50 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.2.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------21FA509471B2502024ED670C"
Content-Language: fr
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/TIFJKTu6LDhUDur-leXzYkq2HoM>
Subject: [v6ops] IPv6 new access from Windows to Google: display of a critical security alert
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 10:26:02 -0000

Google alerted me a few days ago during my DHCPv6 experiments, when I 
browsed it with a Windows computer using IPv6 first time, although many 
times previously with IPv4.

Incidentally, the address my Windows used was an address delivered by 
DHCPv6. Being DHCPv6 is visible in its format: in the hextet 
representation, the '::' appears before the last two hextets 
(X::b4cc:8eb9) as opposed to a SLAAC address where the double colon 
appears quasi always before the last _four_ hextets.

I am trying to understand why Google complained wiht such a critical 
security alert.

- is it because the address was a DHCP address rather than SLAAC?

- it is because I connect from an address they have never seen before?

- is it because it is the first time I connect to them by IPv6 on this 

- is it because when I connect  with IPv6 to them I keep changing the 
IPv6 address (as opposed to IPv4 is always the same because behind NAT)?

The messages they displayed are not helpful to understand what's 
happening, because they talk about 'application security', 'wrong 
device', etc.  Neither is the case: I have a running anti-virus so my 
apps are healthy and the device is always the same Windows device I use 
to connect to Google.