[opensuse-factory] IPV6 privacy in openSUSE
I wonder whether our IPv6 settings are the right ones after reading the following article (sorry, German only):
http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsph...

which references:
http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html

We set use_tempaddr to 0 by default (disabling privacy extensions) and set it to 1 if enabled. The article advises to use 2.

Background: By default (value 0) my IPv6 address will be derived from my hardware (macaddr) and therefore be the same independent of how I connect to the internet. So, it's easy to track my computer...

So, my proposal is to do the following two changes:
* Use 2 instead of 1 in /etc/rc.d/boot.ipconfig for enabling the privacy extensions
* Set IPV6_PRIVACY=yes in /etc/sysconfig/sysctl

Any concerns with this change?

Btw. here's an Ubuntu bugreport: https://bugs.launchpad.net/ubuntu/+source/procps/+bug/176125 and Windows (since XP) is doing it the same way on desktops.

Andreas
--
Andreas Jaeger, Program Manager openSUSE, aj@{novell.com,opensuse.org}
Twitter: jaegerandi | Identica: jaegerandi
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
Maxfeldstr. 5, 90409 Nürnberg, Germany
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
Andreas Jaeger wrote:
So, my proposal is to do the following two changes:
* Use 2 instead of 1 in /etc/rc.d/boot.ipconfig for enabling the privacy extensions
* Set IPV6_PRIVACY=yes in /etc/sysconfig/sysctl

If at all, leave IPV6_PRIVACY empty by default and assume 2 in that case in boot.ipconfig. However, I'd rather suggest to drop boot.ipconfig completely and have the kernel itself start with a sane default value.

cu
Ludwig
--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
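What the values 0, 1 and 2 discussed above mean to the Linux kernel, as an added example that is not part of the thread: a Python check of every net.ipv6.conf.*.use_tempaddr entry, including the `default` entry that seeds newly created interfaces. The function names and the sample sysctl tree are assumptions made for this example.

```python
import tempfile
from pathlib import Path

def classify(value: int) -> str:
    """Kernel semantics of net.ipv6.conf.<interface>.use_tempaddr."""
    if value <= 0:
        return "privacy extensions disabled"
    if value == 1:
        return "temporary addresses generated, public address preferred"
    return "temporary addresses generated and preferred"

def audit_tempaddr(proc_root="/proc/sys"):
    """Return {interface: (value, meaning)} for every use_tempaddr entry."""
    report = {}
    for entry in sorted(Path(proc_root, "net/ipv6/conf").glob("*/use_tempaddr")):
        value = int(entry.read_text().strip())
        report[entry.parent.name] = (value, classify(value))
    return report

def not_preferring_temporary(report):
    """Entries whose outgoing connections will not default to a temporary address."""
    # lo is skipped: loopback never autoconfigures a global address.
    return [name for name, (value, _) in report.items() if value < 2 and name != "lo"]

def sample_tree():
    """Constructed sysctl tree for offline runs (the values are made up)."""
    root = Path(tempfile.mkdtemp())
    for name, value in {"all": 0, "default": 1, "eth0": 2, "lo": -1}.items():
        conf_dir = root / "net/ipv6/conf" / name
        conf_dir.mkdir(parents=True)
        (conf_dir / "use_tempaddr").write_text(f"{value}\n")
    return root

if __name__ == "__main__":
    # Use the live tree on Linux, otherwise fall back to the constructed one.
    root = "/proc/sys" if Path("/proc/sys/net/ipv6/conf").is_dir() else sample_tree()
    report = audit_tempaddr(root)
    for name, (value, meaning) in report.items():
        print(f"{name:10} use_tempaddr={value:2}  {meaning}")
    print("review:", not_preferring_temporary(report))
```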
Andreas Jaeger wrote:
I wonder whether our IPv6 settings are the right ones after reading the following article (sorry, German only):
http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsph...
which references: http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
We set use_tempaddr to 0 by default (disabling privacy extensions) and set it to 1 if enabled. The article advises to use 2.
Background: By default (value 0) my IPv6 address will be derived from my hardware (macaddr) and therefore be the same independent of how I connect to the internet. So, it's easy to track my computer...
Disclaimer: I probably don't know enough about IPv6 to really comment here, but nevertheless -

I can see this issue might be relevant for people with 6rd or 6to4 tunnels, but apart from free.fr, it seems that neither one is being mass-deployed?

--
Per Jessen, Zürich (10.9°C)
On Fri, 14 Jan 2011 05:14:08 -0800, Per Jessen <per@opensuse.org> wrote:
Disclaimer: I probably don't know enough about IPv6 to really comment here, but nevertheless -
I can see this issue might be relevant for people with 6rd or 6to4 tunnels, but apart from free.fr, it seems that neither one is being mass-deployed?
The privacy concern is IPv6 automatic configuration. There are two methods in the RFCs for it. One derives your local-part by doing some well-known, and most importantly reversible, computations on your MAC address. The other method (RFC3041) just generates a 64-bit random number. The former renders predictable addresses, which is handy for address-based ACLs on devices. The latter hides the hardware, and if address-based ACLs are in use DHCPv6 will need to be used to assign a static address. Windows XP and 2003 at least use the Random generation method, and I'm pretty sure Vista/Win7 do as well since Microsoft was the author of RFC 3041.

That said, if your IPv6 address is getting scrubbed by a v6 NAT gateway or you're getting an assignment from DHCPv6 it doesn't matter.

--
Law of Probable Dispersal: Whatever it is that hits the fan will not be evenly distributed.
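The MAC-derived method described above, as an added example that is not part of the thread: a Python audit that builds the modified EUI-64 interface identifier (RFC 4291, Appendix A), recovers the MAC from an address, and groups a list of addresses by the hardware they expose. The MAC, the prefixes and the temporary-style address are constructed sample values, and the function names are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC address."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms on a /64 when privacy extensions are off."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64 prefix")
    return net[int.from_bytes(eui64_iid(mac), "big")]

def embedded_mac(addr: str):
    """Return the MAC an address exposes, or None if the IID is not EUI-64 shaped."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    # Heuristic: a random IID matches the ff:fe marker by chance once in 65536.
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def group_by_hardware(addresses):
    """Map each exposed MAC to its addresses; non-EUI-64 addresses go under None."""
    seen = defaultdict(list)
    for addr in addresses:
        seen[embedded_mac(addr)].append(addr)
    return dict(seen)

# Constructed sample data: one MAC seen behind two different prefixes,
# plus one address with a random-looking (temporary-style) identifier.
MAC = "00:16:3e:12:34:56"
HOME = str(slaac_address("2001:db8:a:1::/64", MAC))
CAFE = str(slaac_address("2001:db8:b:2::/64", MAC))
TEMP = "2001:db8:a:1:5c9e:21b4:77d0:9a3f"

if __name__ == "__main__":
    for mac, addrs in group_by_hardware([HOME, CAFE, TEMP]).items():
        print(mac, addrs)
```

The lower 64 bits of HOME and CAFE are identical although the prefixes differ, which is the stable identifier the thread is concerned about.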
I know this is a bit off topic, but here's something: http://isoc.org/wp/worldipv6day/

NM

On Sun, Jan 16, 2011 at 4:34 PM, Greg R <corwin@visi.com> wrote:
On Fri, 14 Jan 2011 05:14:08 -0800, Per Jessen <per@opensuse.org> wrote:
Disclaimer: I probably don't know enough about IPv6 to really comment here, but nevertheless -
I can see this issue might be relevant for people with 6rd or 6to4 tunnels, but apart from free.fr, it seems that neither one is being mass-deployed?
The privacy concern is IPv6 automatic configuration. There are two methods in the RFCs for it. One derives your local-part by doing some well-known, and most importantly reversible, computations on your MAC address. The other method (RFC3041) just generates a 64-bit random number. The former renders predictable addresses, which is handy for address-based ACLs on devices. The latter hides the hardware, and if address-based ACLs are in use DHCPv6 will need to be used to assign a static address. Windows XP and 2003 at least use the Random generation method, and I'm pretty sure Vista/Win7 do as well since Microsoft was the author of RFC 3041.
That said, if your IPv6 address is getting scrubbed by a v6 NAT gateway or you're getting an assignment from DHCPv6 it doesn't matter.
-- Law of Probable Dispersal: Whatever it is that hits the fan will not be evenly distributed.
--
nelson marques
nmo.marques@gmail.com
On Friday, 14 January 2011 13:18:54, Andreas Jaeger wrote:
I wonder whether our IPv6 settings are the right ones after reading the following article (sorry, German only): http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsphaere-1168416.html which references: http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
English version: http://www.h-online.com/security/news/item/IPv6-Smartphones-compromise-users...

--
Best regards,
Marcel Hilzinger
Linux New Media AG, Putzbrunner Str. 71, 81739 München, Germany
Tel: +49 89 99 34 110, Fax: +49 89 99 34 1199
mhilzinger@linuxnewmedia.de - http://www.linuxnewmedia.de
Linux New Media, the Pulse of Open Source: Lawrence, KS - Málaga
Manchester - München - São Paulo - Warszawa
Registered office: Putzbrunner Str. 71, 81739 München
Amtsgericht München: HRB 129161
Management board: Brian Osborn, Hermann Plank
Chairman of the supervisory board: Rudolf Strobl
On 14.01.2011 13:18, Andreas Jaeger wrote:
I wonder whether our IPv6 settings are the right ones after reading the following article (sorry, German only): http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsph...
which references:
http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
We set use_tempaddr to 0 by default (disabling privacy extensions) and set it to 1 if enabled. The article advises to use 2.
Background: By default (value 0) my IPv6 address will be derived from my hardware (macaddr) and therefore be the same independent of how I connect to the internet. So, it's easy to track my computer...
So, my proposal is to do the following two changes:
* Use 2 instead of 1 in /etc/rc.d/boot.ipconfig for enabling the privacy extensions
* Set IPV6_PRIVACY=yes in /etc/sysconfig/sysctl
Any concerns with this change?
Btw. here's an Ubuntu bugreport: https://bugs.launchpad.net/ubuntu/+source/procps/+bug/176125 and Windows (since XP) is doing it the same way on desktops.
Andreas
I upgraded from 11.4 to Factory recently and found that IPV6_PRIVACY=yes causes trouble with long-lived connections over IPv6 like IRC, ssh and even some http, because it drops the source address after some time (in my case 5 mins - depending on radvd configuration).

My radvd.conf from radvd-1.1 looks thus:

    interface br0
    {
        AdvSendAdvert on;
        MaxRtrAdvInterval 15;
        prefix 2001:06f8:11fc:10::1/64
        {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr on;
            AdvPreferredLifetime 120;
            AdvValidLifetime 300;
        };
    };

Increasing some lifetimes would only reduce but not prevent this effect.

Ciao
Bernhard M.
participants (7)
- Andreas Jaeger
- Bernhard M. Wiedemann
- Greg R
- Ludwig Nussel
- Marcel Hilzinger
- Nelson Marques
- Per Jessen