14 Jan
2011
14 Jan
'11
12:18
I wonder whether our IPv6 settings are the right ones after reading the following article
(sorry, German only):
http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsp…
which references:
http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
We set use_tempaddr to 0 by default (disabling privacy extensions) and set it to 1
if enabled. The article advises to use 2.
Background: By default (value 0) my IPv6 address will be derived from my hardware
(macaddr) and therefore be the same independend how I connect to the internet. So,
it's easy to track my computer...
So, my proposal is to do the following two changes:
* Use 2 instead of 1 in /etc/rc.d/boot.ipconfig for enabling the privacy extensions
* Set IPV6_PRIVACY=yes in /etc/sysconfig/sysctl
Any concerns with this change?
Btw. here's an Ubuntu bugreport:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/176125
and Windows (since XP) is doing it the same way on desktops.
Andreas
--
Andreas Jaeger, Program Manager openSUSE, aj(a){novell.com,opensuse.org}
Twitter: jaegerandi | Identica: jaegerandi
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
Maxfeldstr. 5, 90409 Nürnberg, Germany
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-factory+help(a)opensuse.org
14 Jan
14 Jan
12:41
Andreas Jaeger wrote:
So, my proposal is to do the following two changes:
* Use 2 instead of 1 in /etc/rc.d/boot.ipconfig for enabling the privacy extensions
* Set IPV6_PRIVACY=yes in /etc/sysconfig/sysctl
If at all leave IPV6_PRIVACY empty by default and assume 2 in that
case in boot.ipconfig. However, I'd rather suggest to drop
boot.ipconfig completely and have the kernel itself start with a
sane default value.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-factory+help(a)opensuse.org
13:14
Andreas Jaeger wrote:
I wonder whether our IPv6 settings are the right ones
after reading
the following article (sorry, German only):
http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsp…
which references:
http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
We set use_tempaddr to 0 by default (disabling privacy extensions) and
set it to 1 if enabled. The article advises to use 2.
Background: By default (value 0) my IPv6 address will be derived from
my hardware (macaddr) and therefore be the same independend how I
connect to the internet. So, it's easy to track my computer...
Disclaimer: I probably don't know enough about IPv6 to really comment
here, but nevertheless -
I can see this issue might be relevant for people with 6rd or 6to4
tunnels, but apart from free.fr, it seems that neither one is being
mass-deployed?
--
Per Jessen, Zürich (10.9°C)
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-factory+help(a)opensuse.org
16 Jan
16 Jan
16:34
On Fri, 14 Jan 2011 05:14:08 -0800, Per Jessen <per(a)opensuse.org> wrote:
Disclaimer: I probably don't know enough about
IPv6 to really comment
here, but nevertheless -
I can see this issue might be relevant for people with 6rd or 6to4
tunnels, but apart from free.fr, it seems that neither one is being
mass-deployed?
The privacy concern is IPv6 automatic configuration. There are two methods
in the RFCs for it. One derives your local-part by doing some well known,
and most importantly reverseable, computations on your MAC address. The
other method (RFC3041) just generates a 64-bit random number. The former
renders predictable addresses, which is handy for address-based ACLs on
devices. The later hides the hardware, and if address-based ACLs are in
use DHCPv6 will need to be used to assign a static address. Windows XP and
2003 at least use the Random generation method, and I'm pretty sure
Vista/Win7 do as well since Microsoft was the author of RFC 3041.
That said, if your IPv6 address is getting scrubbed by a v6 NAT gateway or
you're getting an assignment from DHCPv6 it doesn't matter.
--
Law of Probable Dispersal:
Whatever it is that hits the fan will not be evenly distributed.
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-factory+help(a)opensuse.org
17:04
I know this is a bit off topic, but here's something:
http://isoc.org/wp/worldipv6day/
NM
On Sun, Jan 16, 2011 at 4:34 PM, Greg R <corwin(a)visi.com> wrote:
On Fri, 14 Jan 2011 05:14:08 -0800, Per Jessen
<per(a)opensuse.org> wrote:
--
nelson marques
nmo.marques(a)gmail.com
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-factory+help(a)opensuse.org
Disclaimer: I probably don't know enough
about IPv6 to really comment
here, but nevertheless -
I can see this issue might be relevant for people with 6rd or 6to4
tunnels, but apart from free.fr, it seems that neither one is being
mass-deployed?
The privacy concern is IPv6 automatic configuration. There are two methods
in the RFCs for it. One derives your local-part by doing some well known,
and most importantly reverseable, computations on your MAC address. The
other method (RFC3041) just generates a 64-bit random number. The former
renders predictable addresses, which is handy for address-based ACLs on
devices. The later hides the hardware, and if address-based ACLs are in use
DHCPv6 will need to be used to assign a static address. Windows XP and 2003
at least use the Random generation method, and I'm pretty sure Vista/Win7 do
as well since Microsoft was the author of RFC 3041.
That said, if your IPv6 address is getting scrubbed by a v6 NAT gateway or
you're getting an assignment from DHCPv6 it doesn't matter.
--
Law of Probable Dispersal:
Whatever it is that hits the fan will not be evenly distributed.
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-factory+help(a)opensuse.org
17 Jan
17 Jan
09:15
Am Freitag, 14. Januar 2011 13:18:54 schrieb Andreas Jaeger:
I wonder whether our IPv6 settings are the right ones
after reading the
following article (sorry, German only):
http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsp
haere-1168416.html which references:
http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
english version:
http://www.h-online.com/security/news/item/IPv6-Smartphones-compromise-user…
--
Mit freundlichen Grüßen,
Marcel Hilzinger
Linux New Media AG, Putzbrunner Str. 71, 81739 München, Germany
Tel: +49 89 99 34 110, Fax: +49 89 99 34 1199
mhilzinger(a)linuxnewmedia.de - http://www.linuxnewmedia.de
----------------------------------------------------------
Linux New Media, the Pulse of Open Source: Lawrence, KS - Málaga
Manchester - München - São Paulo - Warszawa
----------------------------------------------------------
Sitz der Gesellschaft: Putzbrunner Str. 71, 81739 München
Amtsgericht München: HRB 129161
Vorstand: Brian Osborn, Hermann Plank
Aufsichtsratsvorsitzender: Rudolf Strobl
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-factory+help(a)opensuse.org
13 Sep
13 Sep
06:30
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Am 14.01.2011 13:18, schrieb Andreas Jaeger:
I wonder whether our IPv6 settings are the right ones
after reading
the following article (sorry, German only):
http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsp…
which references:
http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
We set use_tempaddr to 0 by default (disabling privacy extensions)
and set it to 1 if enabled. The article advises to use 2.
Background: By default (value 0) my IPv6 address will be derived
from my hardware (macaddr) and therefore be the same independend
how I connect to the internet. So, it's easy to track my
computer...
So, my proposal is to do the following two changes: * Use 2 instead
of 1 in /etc/rc.d/boot.ipconfig for enabling the privacy
extensions * Set IPV6_PRIVACY=yes in /etc/sysconfig/sysctl
Any concerns with this change?
Btw. here's an Ubuntu bugreport:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/176125 and
Windows (since XP) is doing it the same way on desktops.
Andreas
I upgraded from 11.4 to Factory recently and found that
IPV6_PRIVACY=yes causes trouble with long lived connections over IPv6
like IRC, ssh and even some http, because it drops the source address
after some time (in my case 5 mins - depending on radvd configuration).
my radvd.conf from radvd-1.1 looks thus:
interface br0
{
AdvSendAdvert on;
MaxRtrAdvInterval 15;
prefix 2001:06f8:11fc:10::1/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
AdvPreferredLifetime 120;
AdvValidLifetime 300;
};
};
increasing some livetimes would only reduce but not prevent this effect.
Ciao
Bernhard M.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5u6ngACgkQSTYLOx37oWTJEwCfZYDjlClZtH9VqwuyzpCUyJMM
KN0AoK8LgWkLw1Yuphh7gKU4ARx1pMYc
=HMuV
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-factory+help(a)opensuse.org
3661
days inactive
3903
days old
6 comments
7 participants
participants (7)
-
Andreas Jaeger -
Bernhard M. Wiedemann -
Greg R -
Ludwig Nussel -
Marcel Hilzinger -
Nelson Marques -
Per Jessen