I wonder whether our IPv6 settings are the right ones after reading the following article (sorry, German only): http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsph... which references: http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
We set use_tempaddr to 0 by default (disabling privacy extensions) and set it to 1 if enabled. The article advises to use 2.
Background: By default (value 0) my IPv6 address will be derived from my hardware (macaddr) and therefore be the same independent of how I connect to the internet. So, it's easy to track my computer...
So, my proposal is to do the following two changes:
* Use 2 instead of 1 in /etc/rc.d/boot.ipconfig for enabling the privacy extensions
* Set IPV6_PRIVACY=yes in /etc/sysconfig/sysctl
Any concerns with this change?
Btw. here's an Ubuntu bugreport: https://bugs.launchpad.net/ubuntu/+source/procps/+bug/176125 and Windows (since XP) is doing it the same way on desktops.
Andreas
Andreas Jaeger wrote:
So, my proposal is to do the following two changes:
- Use 2 instead of 1 in /etc/rc.d/boot.ipconfig for enabling the privacy extensions
- Set IPV6_PRIVACY=yes in /etc/sysconfig/sysctl
If at all, leave IPV6_PRIVACY empty by default and assume 2 in that case in boot.ipconfig. However, I'd rather suggest to drop boot.ipconfig completely and have the kernel itself start with a sane default value.
cu Ludwig
Andreas Jaeger wrote:
I wonder whether our IPv6 settings are the right ones after reading the following article (sorry, German only):
http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsph...
which references: http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
We set use_tempaddr to 0 by default (disabling privacy extensions) and set it to 1 if enabled. The article advises to use 2.
Background: By default (value 0) my IPv6 address will be derived from my hardware (macaddr) and therefore be the same independent of how I connect to the internet. So, it's easy to track my computer...
Disclaimer: I probably don't know enough about IPv6 to really comment here, but nevertheless -
I can see this issue might be relevant for people with 6rd or 6to4 tunnels, but apart from free.fr, it seems that neither one is being mass-deployed?
On Fri, 14 Jan 2011 05:14:08 -0800, Per Jessen per@opensuse.org wrote:
Disclaimer: I probably don't know enough about IPv6 to really comment here, but nevertheless -
I can see this issue might be relevant for people with 6rd or 6to4 tunnels, but apart from free.fr, it seems that neither one is being mass-deployed?
The privacy concern is IPv6 automatic configuration. There are two methods in the RFCs for it. One derives your local-part by doing some well known, and most importantly reversible, computations on your MAC address. The other method (RFC3041) just generates a 64-bit random number. The former renders predictable addresses, which is handy for address-based ACLs on devices. The latter hides the hardware, and if address-based ACLs are in use DHCPv6 will need to be used to assign a static address. Windows XP and 2003 at least use the Random generation method, and I'm pretty sure Vista/Win7 do as well since Microsoft was the author of RFC 3041.
That said, if your IPv6 address is getting scrubbed by a v6 NAT gateway or you're getting an assignment from DHCPv6 it doesn't matter.
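The reversible MAC-derived computation mentioned above, as an added Python example that is not part of the original thread: it builds the modified EUI-64 interface identifier, recovers the MAC from an address, and flags global addresses in `ip -6 addr show` output that expose the hardware. The prefix, MAC and sample output are constructed values, and the function names are hypothetical.

```python
import ipaddress
import re

def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64: insert ff:fe in the middle and flip the U/L bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from a /64 prefix when use_tempaddr is 0."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64 prefix")
    iid = int.from_bytes(mac_to_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def recover_mac(addr: str):
    """Return the MAC embedded in addr, or None if the IID is not EUI-64 shaped.
    A random IID contains ff:fe at this position with probability 2**-16,
    so a rare false positive is possible."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)

# Constructed sample in the format printed by `ip -6 addr show`.
SAMPLE = """\
    inet6 2001:db8:1:10:a1b2:c3d4:e5f6:789/64 scope global temporary dynamic
    inet6 2001:db8:1:10:216:3eff:fe12:3456/64 scope global dynamic mngtmpaddr
    inet6 fe80::216:3eff:fe12:3456/64 scope link
"""

def exposed_addresses(ip_output: str):
    """List (address, MAC) for global addresses whose IID reveals the MAC."""
    found = []
    for addr in re.findall(r"inet6 (\S+)/\d+ scope global", ip_output):
        mac = recover_mac(addr)
        if mac:
            found.append((addr, mac))
    return found

if __name__ == "__main__":
    print(slaac_address("2001:db8:1:10::/64", "00:16:3e:12:34:56"))
    for addr, mac in exposed_addresses(SAMPLE):
        print(f"{addr} embeds MAC {mac}")
```

The interface identifier stays the same under any prefix, which is why the MAC-derived address follows the machine from network to network while the temporary address does not.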
I know this is a bit off topic, but here's something:
http://isoc.org/wp/worldipv6day/
NM
On Sun, Jan 16, 2011 at 4:34 PM, Greg R corwin@visi.com wrote:
On Fri, 14 Jan 2011 05:14:08 -0800, Per Jessen per@opensuse.org wrote:
Disclaimer: I probably don't know enough about IPv6 to really comment here, but nevertheless -
I can see this issue might be relevant for people with 6rd or 6to4 tunnels, but apart from free.fr, it seems that neither one is being mass-deployed?
The privacy concern is IPv6 automatic configuration. There are two methods in the RFCs for it. One derives your local-part by doing some well known, and most importantly reversible, computations on your MAC address. The other method (RFC3041) just generates a 64-bit random number. The former renders predictable addresses, which is handy for address-based ACLs on devices. The latter hides the hardware, and if address-based ACLs are in use DHCPv6 will need to be used to assign a static address. Windows XP and 2003 at least use the Random generation method, and I'm pretty sure Vista/Win7 do as well since Microsoft was the author of RFC 3041.
That said, if your IPv6 address is getting scrubbed by a v6 NAT gateway or you're getting an assignment from DHCPv6 it doesn't matter.
-- Law of Probable Dispersal: Whatever it is that hits the fan will not be evenly distributed.
On Friday, 14 January 2011 13:18:54, Andreas Jaeger wrote:
I wonder whether our IPv6 settings are the right ones after reading the following article (sorry, German only): http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsphaere-1168416.html which references: http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
English version: http://www.h-online.com/security/news/item/IPv6-Smartphones-compromise-users...
On 14.01.2011 13:18, Andreas Jaeger wrote:
I wonder whether our IPv6 settings are the right ones after reading the following article (sorry, German only): http://www.heise.de/newsticker/meldung/IPv6-Smartphones-gefaehrden-Privatsph...
which references:
http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
We set use_tempaddr to 0 by default (disabling privacy extensions) and set it to 1 if enabled. The article advises to use 2.
Background: By default (value 0) my IPv6 address will be derived from my hardware (macaddr) and therefore be the same independent of how I connect to the internet. So, it's easy to track my computer...
So, my proposal is to do the following two changes:
* Use 2 instead of 1 in /etc/rc.d/boot.ipconfig for enabling the privacy extensions
* Set IPV6_PRIVACY=yes in /etc/sysconfig/sysctl
Any concerns with this change?
Btw. here's an Ubuntu bugreport: https://bugs.launchpad.net/ubuntu/+source/procps/+bug/176125 and Windows (since XP) is doing it the same way on desktops.
Andreas
I upgraded from 11.4 to Factory recently and found that IPV6_PRIVACY=yes causes trouble with long-lived connections over IPv6 like IRC, ssh and even some HTTP, because it drops the source address after some time (in my case 5 mins - depending on radvd configuration).
My radvd.conf from radvd-1.1 looks thus:

    interface br0 {
        AdvSendAdvert on;
        MaxRtrAdvInterval 15;
        prefix 2001:06f8:11fc:10::1/64 {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr on;
            AdvPreferredLifetime 120;
            AdvValidLifetime 300;
        };
    };
Increasing some lifetimes would only reduce but not prevent this effect.
Ciao Bernhard M.