Default security functions on an IPv6 CPE
Fred Baker
fred at cisco.com
Mon May 30 23:53:38 CEST 2011
On May 29, 2011, at 9:30 PM, Fernando Gont wrote:
> On 05/27/2011 11:57 AM, Scott Beuker wrote:
>
>>> There's an implication here: knowledge of valid IPv6 addresses is
>>> going to be valuable to the bad guys. Therefore logs/tables/mail
>>> headers/whatever are going to be targets and there's going to be
>>> pressure from the paranoid (which is everyone with an interest in
>>> security, of course) to keep as much detail hidden as possible.
>>
>> Privacy addresses are the answer here; software initiating connectivity
>> should be doing so from temporary addresses, and other software
>> listening for incoming connectivity should only be doing so from the
>> public address.
>
> FWIW, I was told recently that Windows 7 implements some sort of
> *privacy* addresses, rather than *temporary* addresses -- they do not
> have modified EUI-64 format identifiers, but do not change as frequently
> as temporary addresses.
I believe they implement
http://www.ietf.org/rfc/rfc4941.txt
4941 Privacy Extensions for Stateless Address Autoconfiguration in
IPv6. T. Narten, R. Draves, S. Krishnan. September 2007. (Format:
TXT=56699 bytes) (Obsoletes RFC3041) (Status: DRAFT STANDARD)
In short, they come up with a new random number daily, and use that one when they initiate sessions. If they have sessions in progress, or get an incoming session, I believe they will use a "privacy" address for up to seven days.
> Thanks,
> --
> Fernando Gont
> e-mail: fernando at gont.com.ar || fgont at acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
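The RFC 4941 behaviour Fred describes (a fresh random interface identifier each day, with the older temporary address still usable for up to a week), modelled as an added example; this is not code from the ipv6-ops thread, Windows, or any vendor. The lifetimes are the RFC 4941 defaults, and the address-classification helper is one a log reviewer might use to spot MAC-derived (modified EUI-64) addresses; both are assumptions of this example rather than anything stated in the thread.

```python
"""Added example: RFC 4941 temporary-address lifecycle and a check for
MAC-derived interface identifiers. Lifetimes are the RFC 4941 defaults
(assumption; the thread only says 'daily' and 'up to seven days')."""
import ipaddress
import secrets

PREFERRED_LIFETIME = 24 * 3600        # TEMP_PREFERRED_LIFETIME: 1 day
VALID_LIFETIME = 7 * 24 * 3600        # TEMP_VALID_LIFETIME: 7 days


def is_modified_eui64(addr: str) -> bool:
    """An interface ID built from a MAC per RFC 4291 has 0xFFFE inserted
    between the two MAC halves. Such an address reveals the hardware MAC
    to anyone who sees it in logs or mail headers; a random (RFC 4941)
    IID matches this pattern only by chance (1 in 65536)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe"


def random_iid() -> bytes:
    """RFC 4941 section 3.2.1: 64 random bits with bit 6 of the first
    octet (the universal/local bit, 0x02) cleared to mark the identifier
    as locally, not globally, unique."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def temporary_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Join a /64 prefix with an IID into a complete temporary address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte IID")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def address_state(created: int, now: int) -> str:
    """State of one temporary address given creation time and now (seconds).
    preferred:  new outgoing sessions use it (first day);
    deprecated: existing and incoming sessions still work (until day 7);
    invalid:    removed from the interface."""
    age = now - created
    if age < PREFERRED_LIFETIME:
        return "preferred"
    if age < VALID_LIFETIME:
        return "deprecated"
    return "invalid"


if __name__ == "__main__":
    # Constructed sample: a MAC-derived address beside a fresh temporary one.
    print(is_modified_eui64("2001:db8::211:22ff:fe33:4455"))   # True
    print(temporary_address("2001:db8:1:2::/64", random_iid()))
```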