[ipv6hackers] Dynamic prefixes & privacy (was: IPv6 prefix changing)

Owen DeLong owend at he.net
Mon Mar 12 17:56:51 CET 2012


On Mar 12, 2012, at 8:09 AM, Markus Reschke wrote:

> On Mon, 12 Mar 2012, Owen DeLong wrote:
> 
> Hi!
> 
>> The fixed identifier for [2] is present regardless of the nature of the prefix
>> assigned to the end user. The upstream connection address is likely at least
>> persistent if not static over long enough intervals to be a traceable
>> identifier that the end user cannot influence.
> 
> In the common design all DSL customers in an area are connected to a single regional access router. For simple routing that access router has fixed subnets for the customers (IP addresses are assigned dynamically out of those subnets). That way you can learn which subnets belong to which geographic area. If, in case of IPv6, a subnet is assigned to the customer, and if you take the MAC-based automatic interface addresses into account, you'll get a very nice solution to track users just by the "not so dynamic" IP address. Fortunately the office for data privacy knows about privacy extensions. They're not completely clueless :-)
> 

Yes, the addresses within that subnet for a geographic area are technically dynamic. However, reality is that they are actually persistent over long enough periods of time as to be effectively static for tracking purposes.

Privacy extensions only modify the suffix. They do nothing to anonymize the prefix, and they don't meaningfully apply to the provider-facing address on the home gateway (the CPE router which connects to the provider's network).

>> Rotating the customer prefix can only create an illusion of increased privacy
>> while not providing any actual increase in privacy. Allowing the user to choose
>> to provide such an illusion or not is, I suppose, a form of self-determination,
>> but, I'm not sure I understand the value.
> 
> Yep! The big problem is misunderstanding. Even in this mailing list one can read weird comments regarding the current thread about the German data privacy law. Politicians don't understand technology, people too but they trust media, most media is absolutely clueless and IT experts talk IT-gibberish others don't understand. We say that x is a security nightmare, officials try to enforce some kind of mitigation and the user thinks everything's fine. Nice, isn't it?
> 

Not so much, no.

Owen
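
Added example, not part of the original message: a short Python audit showing the two points discussed above, that a MAC-based (modified EUI-64) interface address embeds the hardware address, and that a privacy-extension style random suffix still leaves the /64 prefix unchanged. The prefix (documentation range 2001:db8::/32) and MAC are constructed sample values, and `temporary_iid` is a simplified random suffix, not the full RFC 4941 algorithm.

```python
import ipaddress
import secrets

def eui64_iid(mac):
    """Modified EUI-64 suffix: insert ff:fe and flip the universal/local bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def temporary_iid():
    """Random 64-bit suffix (simplified stand-in for a privacy-extension address)."""
    while True:
        iid = secrets.randbits(64) & ~(0x02 << 56)  # clear the universal/local bit
        if (iid >> 24) & 0xFFFF != 0xFFFE:          # never resemble EUI-64
            return iid

def make_address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def mac_from_address(addr):
    """Return the embedded MAC if the suffix is EUI-64 derived, else None."""
    iid = int(ipaddress.IPv6Address(addr)) & (2**64 - 1)
    if (iid >> 24) & 0xFFFF != 0xFFFE:
        return None
    raw = iid.to_bytes(8, "big")
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:]
    return ":".join(f"{x:02x}" for x in mac)

def audit(addresses):
    """Per address: (its /64 prefix, embedded MAC or None)."""
    rows = []
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        prefix = ipaddress.IPv6Network((int(ip) >> 64 << 64, 64))
        rows.append((str(prefix), mac_from_address(ip)))
    return rows

if __name__ == "__main__":
    PREFIX = "2001:db8:1234:5678::/64"      # constructed sample prefix
    addrs = [make_address(PREFIX, eui64_iid("00:11:22:33:44:55"))]  # constructed MAC
    addrs += [make_address(PREFIX, temporary_iid()) for _ in range(3)]
    for ip, (prefix, mac) in zip(addrs, audit(addrs)):
        print(f"{ip}  prefix={prefix}  embedded_mac={mac}")
```

Every row reports the same prefix: randomising the suffix removes the embedded MAC but not the part of the address the provider assigned.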



