Default security functions on an IPv6 CPE

Fred Baker fred at
Mon May 30 23:53:38 CEST 2011

On May 29, 2011, at 9:30 PM, Fernando Gont wrote:

> On 05/27/2011 11:57 AM, Scott Beuker wrote:
>>> There's an implication here: knowledge of valid IPv6 addresses is
>>> going to be valuable to the bad guys.  Therefore logs/tables/mail
>>> headers/whatever are going to be targets and there's going to be
>>> pressure to from the paranoid (which is everyone with an interest in
>>> security, of course) to keep as much detail hidden as possible.
>> Privacy addresses are the answer here; software initiating connectivity
>> should be doing so from temporary addresses, and other software
>> listening for incoming connectivity should only be doing so from the
>> public address.
> FWIW, I was told recently that Windows 7 implements some sort of
> *privacy* addresses, rather than *temporary* addresses -- they do not
> have modified EUI-64 format identifiers, but do not change as frequently
> as temporary addresses.

I believe they implement
4941 Privacy Extensions for Stateless Address Autoconfiguration in
     IPv6. T. Narten, R. Draves, S. Krishnan. September 2007. (Format:
     TXT=56699 bytes) (Obsoletes RFC3041) (Status: DRAFT STANDARD)

In short, they come up with a new random number daily, and use that one when they initiate sessions. If they have sessions in progress, or get an incoming session, I believe they will use a "privacy" address for up to seven days.

> Thanks,
> -- 
> Fernando Gont
> e-mail: fernando at || fgont at
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

More information about the ipv6-ops mailing list