[ipv6hackers] NetworkManager and privacy in the IPv6 internet

Matej Gregr igregr at fit.vutbr.cz
Sun Dec 6 14:05:41 CET 2015


snip

> * Some networks want to disable RFC4941s on end-user devices for auditing purposes, but also don't like the privacy issues that EUI64s cause. So RFC7217s are also (somewhat of) a solution for them. (Personally, I think if auditing is important to you, you should be really using link-layer authentication e.g., 802.1X, and then would be able to record any and all addresses that an end-user device uses. MAC addresses and layer 3 addresses identify devices, not the people who are behind them, and devices aren't very tightly physically coupled to their authorised users, unless you use handcuffs, chains or cableties.).
> 
> RFC 7217 doesn't help in this case. The troubleshooting, backtracking of
> security incidents or auditing will not be easier. If a user reinstall
> os, boot to another OS, etc., the algorithm in RFC 7217 creates a
> different privacy address.
> 
> * Of course it will create a different address. If the OS is replaced or a different OS is booted, it is in effect a different end-node. The purpose of RFC7217 is not to create permanent, globally unique, unalterable, hardware embedded device identifiers that are impervious to OS replacement. Even MAC addresses don't qualify as those, despite that being the original intent.
> 

If I use the same hw and OS, but I switch from network manager to
dhcpcd, the privacy address will be different. If I change a software
used for address configuration, it is also a different end-node for you?

>> 
>> Yes, RFC 7217 is better than EUI64, but thats all. I reread it and it
>> doesn't even fulfill its own design goals!
>> 
>> E.g. "the algorithm generates the same Interface Identifier
>>       when configuring an address (for the same interface) belonging to
>>       the same prefix within the same subnet"
>> 
>> Which is not true.
> 
> * You'll have to explain that one. What do you know that Fernando, the people listed in the Acknowledgements section of the RFC and more broadly the IETF, since they published it, don't?

The RFC 7217 reality is:

"the algorithm generates the same Interface Identifier when configuring
an address (for the same interface *, same OS and same version of a
software used for address generation*) belonging to the same prefix
within the same subnet"

Compare it with the original design goal.

Don't get mi wrong, I don't have anything against RFC 7217. I am using
it on my systems. However, I had an impression from initial design goals
that the RFC will help me to simplify address accounting in my network.
It didn't happen. That's all.

M.


More information about the Ipv6hackers mailing list