Default security functions on an IPv6 CPE

Tim Chown tjc at ecs.soton.ac.uk
Tue May 31 12:59:12 CEST 2011


On 31 May 2011, at 01:58, Doug Barton wrote:

> On 05/30/2011 17:07, Fernando Gont wrote:
>> IIRC, one of the arguments was that, if e.g. there's a single host
>> active in a given subnet, even if it varies its address, it's easy to
>> figure out that it's simply the same host varying its Interface ID
>> (particularly when the address itself is claiming that it is a temporary
>> address;-)  ).
> 
> That's not the problem that privacy addresses were intended to solve. The real issue is that if you take the same host (laptop, whatever) and use it on different networks you can still be tracked because the host part of the address is (intended to be) globally unique. Regarding that threat model, privacy addresses are effective.


Indeed, and very appreciated by many users :)

When I last checked Windows 7 behaviour it would by default generate

a) a permanent address with a randomised host part, persistent across reboots on the same prefix.  One benefit if you put this address in the DNS is it would not change with a change of MAC address (e.g. hardware change).

b) a temporary privacy address, which changes across reboots.  Unlike XP, the system does not appear to generate new privacy addresses on a daily basis.

I quite like this combination of behaviours.

Tim

