Re: [v6ops] Same interface ID under several prefixes
Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 09 November 2022 20:59 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A087C14CE47 for <v6ops@ietfa.amsl.com>; Wed, 9 Nov 2022 12:59:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9qh3-1mBgS7O for <v6ops@ietfa.amsl.com>; Wed, 9 Nov 2022 12:59:15 -0800 (PST)
Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com [IPv6:2607:f8b0:4864:20::434]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CEC3C14CF03 for <v6ops@ietf.org>; Wed, 9 Nov 2022 12:59:15 -0800 (PST)
Received: by mail-pf1-x434.google.com with SMTP id k22so17829406pfd.3 for <v6ops@ietf.org>; Wed, 09 Nov 2022 12:59:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=5uVARZoIz3BQrLyLLMymVjaebLr/nE+J4QiDNxtoqkM=; b=gadiLwtZURsPyV2QjxQjXYXuK384gA7qiCLsIJI2t1OYeXLGp0VtQKHvHJ598/bgkm mtwjNXOMdGcL8kzMfUT9GupgHPhd0XLZv+Dbvg/wut5zVPMzgZQQ2VypCFdP0W6Dprg/ 48+OoGDvswWDsCRoQqyAELpSAzKZmoN0CR0iBfaSkV2KSEowcNxib42hShlJPeCBOv91 c+lapckaqn+M27D4QygCM4pKnHvu7y76UVjJW6kACD2PbinEo6A5oWQu6CdrL8BmaZLD e1Zp1G3dJnAgiqredKqiiNwf3egDsKIAtp4cgqoZVXnLyPR40MKWzLXROk5dhN5ejrpP MSHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=5uVARZoIz3BQrLyLLMymVjaebLr/nE+J4QiDNxtoqkM=; b=iC6xLjgCH+/OFmw81t2z8XrcdW44QlmCJXlO2U5yce+w+ZUWIznjfgGGdNsQQZJr7l 1DW900UtjbGgDI/+l6CQ0lLofhkjOuWPI7/S0tCmUWHloHW/P0fovCWrwHff0Uih6c6C ELYOmULMkfWBRwXMLCYtPllok7WZqovaengFWxClQR+bWXrraUiqxjb0as01GXkKVEaX W6xXo0quOj1Euhldes5D5HOm7lm+7gTfibbHrtqenuwjDGwkLevVt51GjzKbPymWhCeb FO582YxX8FtcStUJjizr0Q09SIL50NbjGtcUfEyBd6FyXowLbKS3OSH+ZSJ/MQkxyn4S a8Ig==
X-Gm-Message-State: ACrzQf34132RF+AZuQhIgeseNd3xyRLPrc462XCgWO48KcLtvKag9Ppd zR6utMgBdp01o8/J8QHHVFaPs9mYlxQ3qA==
X-Google-Smtp-Source: AMsMyM55YIE0YI2nZ4m6upRakMOaS5sUG+ac979HKnu2jll2Vfvtl13yBOSiTQNxsseyMMWUcmS2uA==
X-Received: by 2002:a05:6a00:21cc:b0:56c:ba99:795d with SMTP id t12-20020a056a0021cc00b0056cba99795dmr62585264pfj.84.1668027554696; Wed, 09 Nov 2022 12:59:14 -0800 (PST)
Received: from ?IPV6:2406:e003:1124:9301:672e:17ee:b374:8a9b? ([2406:e003:1124:9301:672e:17ee:b374:8a9b]) by smtp.gmail.com with ESMTPSA id a17-20020aa794b1000000b0056eaa577eb0sm8694347pfl.215.2022.11.09.12.59.11 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 09 Nov 2022 12:59:13 -0800 (PST)
Message-ID: <87acb67f-7751-aeec-f63f-58b47e628df9@gmail.com>
Date: Thu, 10 Nov 2022 09:59:07 +1300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Fernando Gont <fgont@si6networks.com>, Fernando Gont <fernando@gont.com.ar>, IPv6 Operations <v6ops@ietf.org>
References: <1f96f6d6-1c9a-0b18-acf2-dc7d0041ee3b@gmail.com> <78898acb-70b4-7e2d-a8ef-c47efde962e6@si6networks.com> <4821e89b-d64c-5e98-b2d7-a72437325045@gmail.com> <8c208ed1-5bcb-85f8-4b13-2465e160e655@gont.com.ar> <b25f3308-821e-4562-791a-2c2e44cde68c@gmail.com> <effd590f-93a3-c593-3e4e-2c6456ce8c4d@si6networks.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <effd590f-93a3-c593-3e4e-2c6456ce8c4d@si6networks.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/_lmqZoBPoZppjNbp3JjAgFezQ8o>
Subject: Re: [v6ops] Same interface ID under several prefixes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2022 20:59:19 -0000
Looks like some progress in this area on Windows.
Yesterday I applied the latest Windows 10 update, and noticed that my very old IPv6 status checker was giving me an unexpected result.
Why? Because as of yesterday, the stable IIDs for my GUA, ULA and LL addresses are different. Kudos to MS.
This is Windows 10 Pro, version 21H2, OS Build 19044.2251
Can somebody check this on Windows 11?
Regards
Brian
On 23-Jun-22 08:46, Fernando Gont wrote:
> Hi, Brian,
>
> MacOS and OpenBSD also implement RFC7217/RFC8064.
>
> For embedded devices (e.g. printers), they are probably based on older
> versions of the Linux kernel, and probably RFC7217 has not (and will
> not) be back-ported to them -- so it'll take time for these devices to
> adopt RFC7217.
>
> As for Android, there might be a similar issue going on -- but certainly
> Lorenzo or Erik will be in a better position to tell.
>
> So my "concern" would probably be just the lack of support in Windows.
>
> P.S.: When it comes to Linux, it's more than just the kernel -- e.g.
> there's an implementation in dhcpcd (that's what you probably see in
> Raspberry Pi), and an implementation in NetworkManager (and there might
> be one in systemd-networkd).
>
> Thanks,
> Fernando
>
>
>
>
> On 21/6/22 19:56, Brian E Carpenter wrote:
>> Hi,
>>
>> I've done a little survey on my home network, and I don't find the results
>> very encouraging for RFC7217/RFC8064 deployment. In summary, there is
>> some usage of pseudorandom IDs, but only Linux deserves a gold star
>> (the PI is also Linux):
>>
>> Linux 5.4.0 - 3 different IIDs for GUA, ULA, LLA
>> Raspberry PI - 3 different IIDs for GUA, ULA, LLA
>> Android 7 - same IID for GUA, ULA; different for LLA (EUI64)
>> Android 11 - same IID for GUA, ULA; different for LLA (EUI64)
>> Windows 10* - same IID for GUA, ULA, LLA
>> FritzBox 7530 - same IID for GUA, ULA, LLA (EUI64)
>> Samsung TV s6 - same IID for GUA, LLA (EUI64, but also temporary IID for
>> GUA & ULA)
>> Chromecast 2 - LLA only (EUI64)
>> Canon TS5100 - LLA only (EUI64)
>>
>> * with temporary addresses switched off
>>
>> Regards
>> Brian Carpenter
>>
>> On 18-Jun-22 10:20, Fernando Gont wrote:
>>> On 17/6/22 17:51, Brian E Carpenter wrote:
>>> [...]
>>>>>
>>>>> I assume they don't claim to implement RFC7217. -- If they did, then
>>>>> yes, it would be fair to call that a bug. :-)
>>>>
>>>> Right, it would be fairer to call it a potential privacy vulnerability
>>>> (discover one address, get another one free of charge).
>>>
>>> Indeed, their mechanism allows for host-tracking: i.e., once you know
>>> the token, you can predict what's the address that that node would
>>> configured if it connected to a given network.
>>>
>>>
>>>> I don't regard
>>>> it as a very serious problem that an outsider can learn my ULA or
>>>> LLA.
>>>
>>> The biggest problem is that once the attacker learns your token, e.g.,
>>> he can test whether you're connected to e.g. the IETF conference network
>>> by e.g. pinging PREFIX::your_token.
>>>
>>>
>>>
>>>> Kudos to MS, anyway, for having moved to pseudo-random IIDs very early,
>>>> before RFC7217 in fact.
>>>
>>> Yes, that was the point I was trying to make!
>>>
>>> Thanks,
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>
- [v6ops] Same interface ID under several prefixes Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Mark Smith
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont
- Re: [v6ops] Same interface ID under several prefi… Mark Smith
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… tom petch
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont