Default security functions on an IPv6 CPE

Ben Jencks ben at bjencks.net
Tue May 31 00:32:05 CEST 2011


On May 30, 2011, at 6:21 PM, Doug Barton wrote:

> On 05/30/2011 15:08, Fernando Gont wrote:
>> Hi, Fred,
>> 
>> On 05/30/2011 06:53 PM, Fred Baker wrote:
>>>>> Privacy addresses are the answer here; software initiating connectivity
>>>>> should be doing so from temporary addresses, and other software
>>>>> listening for incoming connectivity should only be doing so from the
>>>>> public address.
>>>> 
>>>> FWIW, I was told recently that Windows 7 implements some sort of
>>>> *privacy* addresses, rather than *temporary* addresses -- they do not
>>>> have modified EUI-64 format identifiers, but do not change as frequently
>>>> as temporary addresses.
>>> 
>>> I believe they implement
>>> 
>>> http://www.ietf.org/rfc/rfc4941.txt
>>> 4941 Privacy Extensions for Stateless Address Autoconfiguration in
>>>      IPv6. T. Narten, R. Draves, S. Krishnan. September 2007. (Format:
>>>      TXT=56699 bytes) (Obsoletes RFC3041) (Status: DRAFT STANDARD)
>> 
>> Christian Huitema had noted on 6man@ that they generate IPv6 addresses
>> as a result of a hash function that includes the prefix. i.e., the
>> address (IID) varies from network to network, but is constant within the
>> network.
> 
> Yeah, my understanding is that it's not quite 4941, it's what I not-really-jokingly refer to as the microsoft embrace and extend 4941 work-alike. In this particular case the differences don't seem to actually hurt anything however, so points for that. :)

I haven't looked at Windows 7, but I do know that on Server 2008 R2, it (by default) doesn't generate the interface ID part using the standard EUI-48 -> EUI-64 from the physical MAC address. Instead it seems to use a random, but permanent, 64 bit number, but I wouldn't be surprised if it's the hash function Fernando mentioned. There's a registry setting you can change to switch back to the MAC address-based derivation.

That address is the normal, permanent SLAAC address, though, and independent of any privacy addresses it might use.

-Ben


More information about the ipv6-ops mailing list