Re: [v6ops] Same interface ID under several prefixes
Alexandre Petrescu <alexandre.petrescu@gmail.com> Thu, 10 November 2022 10:14 UTC
Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA5F1C14F720 for <v6ops@ietfa.amsl.com>; Thu, 10 Nov 2022 02:14:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.661
X-Spam-Level:
X-Spam-Status: No, score=0.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iO05C8VyDwJI for <v6ops@ietfa.amsl.com>; Thu, 10 Nov 2022 02:14:02 -0800 (PST)
Received: from oxalide-smtp-out.extra.cea.fr (oxalide-smtp-out.extra.cea.fr [132.168.224.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3F64C14F73A for <v6ops@ietf.org>; Thu, 10 Nov 2022 02:14:01 -0800 (PST)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by oxalide-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 2AAADxp6053420 for <v6ops@ietf.org>; Thu, 10 Nov 2022 11:13:59 +0100
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 5351A204480 for <v6ops@ietf.org>; Thu, 10 Nov 2022 11:13:59 +0100 (CET)
Received: from muguet2-smtp-out.intra.cea.fr (muguet2-smtp-out.intra.cea.fr [132.166.192.13]) by pisaure.intra.cea.fr (Postfix) with ESMTP id 49BDF201B0C for <v6ops@ietf.org>; Thu, 10 Nov 2022 11:13:59 +0100 (CET)
Received: from [10.8.32.70] (is156570.intra.cea.fr [10.8.32.70]) by muguet2-sys.intra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 2AAADxId034784 for <v6ops@ietf.org>; Thu, 10 Nov 2022 11:13:59 +0100
Message-ID: <f407f68f-cd3b-b8af-2c80-ff827e865b11@gmail.com>
Date: Thu, 10 Nov 2022 11:13:59 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: fr
To: v6ops@ietf.org
References: <1f96f6d6-1c9a-0b18-acf2-dc7d0041ee3b@gmail.com> <78898acb-70b4-7e2d-a8ef-c47efde962e6@si6networks.com> <4821e89b-d64c-5e98-b2d7-a72437325045@gmail.com> <8c208ed1-5bcb-85f8-4b13-2465e160e655@gont.com.ar> <b25f3308-821e-4562-791a-2c2e44cde68c@gmail.com> <effd590f-93a3-c593-3e4e-2c6456ce8c4d@si6networks.com> <87acb67f-7751-aeec-f63f-58b47e628df9@gmail.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
In-Reply-To: <87acb67f-7751-aeec-f63f-58b47e628df9@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/zXMnaQHplfW6M_l8b_hCvLVbw-Q>
Subject: Re: [v6ops] Same interface ID under several prefixes
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Nov 2022 10:14:05 -0000
Le 09/11/2022 à 21:59, Brian E Carpenter a écrit : > Looks like some progress in this area on Windows. > > Yesterday I applied the latest Windows 10 update, and noticed that my > very old IPv6 status checker was giving me an unexpected result. > > Why? Because as of yesterday, the stable IIDs for my GUA, ULA and LL > addresses are different. Kudos to MS. > > This is Windows 10 Pro, version 21H2, OS Build 19044.2251 > > Can somebody check this on Windows 11? I could check something on 22H2 Win10 (not Win 11), but not sure what to check more precisely, what commands to issue(?) I am on an IPv4-only network and there is an IID in the link-local address, and that IID is different than the MAC address. I have not recorded that IID in earlier days, so I cant check whether something changed after windows updates. And, I am not even sure of the MAC address being something of the actual Ethernet interface, because the USB-Ethernet interface is Dell, the Ethernet-less computer is HP and the MAC address on Windows says it is of HP (first 2 bytes checked from the public oui.txt). And, there is something in the BIOS which tries to have a unique MAC address for the Ethernet interface despite connecting various external USB-Ethernet interfaces with their various MAC addresses. This (MAC address from BIOS) stable identifier is very necessary, even though it does not appear in IPv6 addresses. This stable id is used for some protection, even though it is known that it can be faked. IPv6 is still considered to not give enough protection, compared to IPv4. Alex > > Regards > Brian > > On 23-Jun-22 08:46, Fernando Gont wrote: >> Hi, Brian, >> >> MacOS and OpenBSD also implement RFC7217/RFC8064. >> >> For embedded devices (e.g. printers), they are probably based on older >> versions of the Linux kernel, and probably RFC7217 has not (and will >> not) be back-ported to them -- so it'll take time for these devices to >> adopt RFC7217. >> >> As for Android, there might be a similar issue going on -- but certainly >> Lorenzo or Erik will be in a better position to tell. >> >> So my "concern" would probably be just the lack of support in Windows. >> >> P.S.: When it comes to Linux, it's more than just the kernel -- e.g. >> there's an implementation in dhcpcd (that's what you probably see in >> Raspberry Pi), and an implementation in NetworkManager (and there might >> be one in systemd-networkd). >> >> Thanks, >> Fernando >> >> >> >> >> On 21/6/22 19:56, Brian E Carpenter wrote: >>> Hi, >>> >>> I've done a little survey on my home network, and I don't find the >>> results >>> very encouraging for RFC7217/RFC8064 deployment. In summary, there is >>> some usage of pseudorandom IDs, but only Linux deserves a gold star >>> (the PI is also Linux): >>> >>> Linux 5.4.0 - 3 different IIDs for GUA, ULA, LLA >>> Raspberry PI - 3 different IIDs for GUA, ULA, LLA >>> Android 7 - same IID for GUA, ULA; different for LLA (EUI64) >>> Android 11 - same IID for GUA, ULA; different for LLA (EUI64) >>> Windows 10* - same IID for GUA, ULA, LLA >>> FritzBox 7530 - same IID for GUA, ULA, LLA (EUI64) >>> Samsung TV s6 - same IID for GUA, LLA (EUI64, but also temporary IID for >>> GUA & ULA) >>> Chromecast 2 - LLA only (EUI64) >>> Canon TS5100 - LLA only (EUI64) >>> >>> * with temporary addresses switched off >>> >>> Regards >>> Brian Carpenter >>> >>> On 18-Jun-22 10:20, Fernando Gont wrote: >>>> On 17/6/22 17:51, Brian E Carpenter wrote: >>>> [...] >>>>>> >>>>>> I assume they don't claim to implement RFC7217. -- If they did, then >>>>>> yes, it would be fair to call that a bug. :-) >>>>> >>>>> Right, it would be fairer to call it a potential privacy vulnerability >>>>> (discover one address, get another one free of charge). >>>> >>>> Indeed, their mechanism allows for host-tracking: i.e., once you know >>>> the token, you can predict what's the address that that node would >>>> configured if it connected to a given network. >>>> >>>> >>>>> I don't regard >>>>> it as a very serious problem that an outsider can learn my ULA or >>>>> LLA. >>>> >>>> The biggest problem is that once the attacker learns your token, e.g., >>>> he can test whether you're connected to e.g. the IETF conference >>>> network >>>> by e.g. pinging PREFIX::your_token. >>>> >>>> >>>> >>>>> Kudos to MS, anyway, for having moved to pseudo-random IIDs very >>>>> early, >>>>> before RFC7217 in fact. >>>> >>>> Yes, that was the point I was trying to make! >>>> >>>> Thanks, >>> >>> _______________________________________________ >>> v6ops mailing list >>> v6ops@ietf.org >>> https://www.ietf.org/mailman/listinfo/v6ops >> > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops
- [v6ops] Same interface ID under several prefixes Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Mark Smith
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont
- Re: [v6ops] Same interface ID under several prefi… Mark Smith
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Brian E Carpenter
- Re: [v6ops] Same interface ID under several prefi… tom petch
- Re: [v6ops] Same interface ID under several prefi… Alexandre Petrescu
- Re: [v6ops] Same interface ID under several prefi… Fernando Gont