ipv6: there goes privacy

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › ipv6: there goes privacy

markh14

95 posts

Master Geek
Inactive user

#66181 14-Aug-2010 01:48

ipv6 will include your modem/router's mac address

http://www.theregister.co.uk/2010/08/06/ipv6_security_nightmare/

now why did the guys have to include it for? surely they could have just made 1 long number without the mac address.

ArcticSilver

729 posts

Ultimate Geek

#367444 14-Aug-2010 03:55

markh14: ipv6 will include your modem/router's mac address

http://www.theregister.co.uk/2010/08/06/ipv6_security_nightmare/

now why did the guys have to include it for? surely they could have just made 1 long number without the mac address.

IPv6 includes your MAC address as part of the way it works. Its so everyone has a unique address.

It has many benefits over IPv4 too. Functionally it is better designed.

It isnt much less private than IPv4 because remember your house/connecion's ip address is still sent out. This just adds the computer to the MIX (if some form of NAT is nolger used).

Without wanting to go on for too long, overall IPv6 is a good improvement and it is most of all needed.

Tradepub

Free professional, reference and technical white papers (affiliate link).

Chippo

129 posts

Master Geek

Trusted

#367459 14-Aug-2010 09:14

Skimming the article (Which does seem to be much heavier on FUD than it needs to be) windows 7 and Vista both perform a hash on your MAC address before participating in Router Solicitation specifically to mitigate this. Linux and OS X don't.

For Windows XP, Linux and OS X users: being able to determine a MAC from an IP address allows remote hosts on the internet to track individual hardware regardless of ISP. You can't identify individual users. It's also not a reliable identification mechanism because you can set your IP address to anything you like within your assigned prefix.

This doesn't impact DHCPv6 which depending on configuration, does just assign contiguous blocks of IPs, much like IPv4. Only difference here is that there's no NAT. So corporates who receive complaints can identify individual machines without needing to refer to NAT logs. Home users can also identify individual machines.

David

I work for a global Data Protection Software company - But my opinions are my own.

Ragnor

8196 posts

Uber Geek

Trusted

#367872 15-Aug-2010 16:00

Until they come up with viable replacement for NAT that lets you keep your private internal network private and have dual WAN via different ISP's I can't see ipv6 taking off in the small/medium business world.

Everyone will probably keep using ipv4 internally.

Beccara

1469 posts

Uber Geek

ID Verified

#371060 22-Aug-2010 16:28

One of the main advantages of v6 is not having NAT, there is no need for it. Windows XP/Vista/7 all hide your MAC and if your really paranoid you could set you v6 address manually to something different all together. Remeber, NAT is not a firewall and shouldn't be used as your primary security system

Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

oldmaknz

536 posts

Ultimate Geek

#371063 22-Aug-2010 16:31

Good read. Probably wouldn't be hard to spoof it though. Methods to do so would become so mainstream it wouldn't be a problem.

Zeon

3913 posts

Uber Geek

Trusted

#371076 22-Aug-2010 16:55

Ragnor: Until they come up with viable replacement for NAT that lets you keep your private internal network private and have dual WAN via different ISP's I can't see ipv6 taking off in the small/medium business world.

Everyone will probably keep using ipv4 internally.

Why do you need a replacement for NAT? NAT was a system introduced as a stop-measure with the explosive growth of ipv4, not as a firewall. Treating it as a firewall is ignorant, you still have open connections which a hacker could get through.

There apparently is a technology in ipv6 which will allow auto failover without NAT which is called shimming. I've done some basic research on it but still don't fully understand it...

Speedtest 2019-10-14

Ragnor

8196 posts

Uber Geek

Trusted

#371077 22-Aug-2010 16:55

Beccara: One of the main advantages of v6 is not having NAT, there is no need for it.

Plenty of businesses use dual wan or wan failover with different isp's.

How you can do this without getting both/all your ISP's to route your range?

Under IPv6 you might have to get x IPv6 subnets, one from each ISP, and then each PC/Server in your network would need multiple IPv6 addresses. That doesn't seem very practical?

Many security professionals will have nightmares about having their internal network being entirely public IP's too.

NAT is pretty useful (yes I know it doesn't replace the need for a good firewall).

Shimming sounds interesting.

Beccara

1469 posts

Uber Geek

ID Verified

#371341 23-Aug-2010 09:16

You make a good point about dual WAN's, ISP's and Clients alike will have to adapt to these issues. Security guys will also know that threats come from within the network more often than outside it and the desktop should be secure to start with.

V6 is coming, V4 space is almost out and RIR's are tightening up V4 allocation policy. ISP's will soon either have to deploy V6 or use Carrier Grade Nat (NAT444) which is a huge can of worms.