[ipv6hackers] Host tracking in IPv6 (SI6 IPv6 toolkit v1.3.3)

Karl Auer kauer at biplane.com.au
Tue Mar 12 05:31:32 CET 2013


On Mon, 2013-03-11 at 23:31 -0400, Fernando Gont wrote:
> > How does known-iids help you with the tracking of systems with privacy
> > extensions?
> 
> Privacy addresses don't help you at all, since they are generated *in
> addition* to the other addresses. So, when you want to track a node, you
> simply forget about the privacy addresses, and always poll/probe the
> "stable" one.

Assuming you know the stable one. You may be able to find it via hinted
scanning, but if the node does not use the stable address to
communicate, then the stable address will not be exposed to be traced. I
realise this is security through obscurity ;-)

I'd like to see another value added to the /proc/sys/net/ipv6/conf
directory in Linux that turns OFF autoconf when temp addresses are in
use. Perhaps a fourth value for use_tempaddr:
   0 = do not use temporary addresses
   1 = use temporary addresses, but prefer non-temporary
   2 = use temporary addresses and prefer temporary addresses
   3 = use temporary addresses and do not configure non-temporary addresses

Because this is per-interface, this is less useful for hosts that have
multiple prefixes on interfaces; I may be quite happy to use a
non-temporary address out of one prefix for internal communications, but
want to use only temporary addresses from another prefix for external
communications. At present, I need (on Linux at least) to configure
temporary and non-temporary addresses from both prefixes, even though I
will be using only one of each. One solution - an ugly one - is to
filter the prefix or even the addresses on the router or at the network
border.

Regards, K.


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://www.biplane.com.au/blog

GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
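
A defender-side check for the situation discussed in this message, where a stable address stays configured next to the temporary ones: an added example, not part of the original post. It parses `ip -6 addr show` text; the sample output and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (documentation prefix 2001:db8::/32).
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:1:5d3a:91c4:2c10:77aa/64 scope global temporary dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 2001:db8:1:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

def is_eui64(addr):
    """True if the interface identifier carries the ff:fe marker of a MAC-derived IID."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe"

def global_addresses(ip_output):
    """Return (ifname, address, kind) per global-scope address; kind is 'temporary' or 'stable'."""
    found, ifname = [], None
    for line in ip_output.splitlines():
        head = re.match(r"\d+:\s+([^:@\s]+)", line)  # interface header line
        if head:
            ifname = head.group(1)
            continue
        m = re.match(r"\s+inet6\s+([0-9a-fA-F:]+)/\d+\s+scope\s+global(.*)", line)
        if m:
            kind = "temporary" if "temporary" in m.group(2).split() else "stable"
            found.append((ifname, m.group(1), kind))
    return found

def audit(ip_output):
    """List stable global addresses that coexist with temporary ones on the same interface."""
    addrs = global_addresses(ip_output)
    with_temp = {ifname for ifname, _, kind in addrs if kind == "temporary"}
    findings = []
    for ifname, addr, kind in addrs:
        if kind == "stable" and ifname in with_temp:
            note = "MAC-derived IID" if is_eui64(addr) else "non-EUI-64 IID"
            findings.append((ifname, addr, note))
    return findings

if __name__ == "__main__":
    for ifname, addr, note in audit(SAMPLE):
        print(f"{ifname}: stable address {addr} ({note}) is configured alongside temporary addresses")
```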




