A Proposal for Generating Stable Privacy-Enhanced Addresses in IPv6

IPv6 hosts typically configure their IPv6 addresses by means of a mechanism known as StateLess Address AutoConfiguration (SLAAC). In SLAAC, a local router announces an IPv6 prefix to be used for address configuration, and the local hosts generate their IPv6 addresses by concatenating an Interface ID to the announced IPv6 prefix. For network technologies such as Ethernet, the Interface ID basically consists of the MAC address of the corresponding network interface card.

The aforementioned procedure typically results in stable addresses (i.e., each interface card always gets the same IPv6 address). Such “stable” addresses are generally considered to simplify network management, since they simplify ACLs and logging. However, since IEEE identifiers are typically globally unique, the resulting IPv6 addresses can be leveraged to track and correlate the activity of a node, thus negatively affecting the privacy of users.

When a host moves from one network to another, the IPv6 prefix will change, but the Interface Identifier will be constant (since the MAC address does not change). As a result, it becomes trivial to track and correlate the activities of a node.

The “Privacy Extensions for Stateless Address Autoconfiguration in IPv6” (specified in RFC 4941) were introduced to mitigate the aforementioned problem, and basically result in temporary (and random) Interface Identifiers that are typically more difficult to leverage than those based on IEEE identifiers (e.g. Ethernet addresses). Such temporary addresses are generated in addition to the traditional autoconfiguration addresses (i.e., the stable addresses typically constructed with MAC addresses): the temporary addresses are employed for “outgoing” communications, while the stable addresses are used for performing “server” functions (i.e., receiving incoming connections).

Temporary addresses can be challenging in a number of areas.  For example, from a network-management point of view, they tend to increase the complexity of enforcing access controls and event logging.  As a result, some organizations disable the use of privacy addresses even at the expense of reduced privacy.

On the other hand, even when privacy addresses are enabled, the “stable” addresses are still used for performing “server” functions, and hence can still be leveraged to affect the privacy of users (albeit with increased difficulty), and can still be leveraged for the purpose of host-scanning.

IPv6 addresses based on IEEE identifiers (e.g. Ethernet addresses) can be easily predictable, particularly if all network interface cards in a subnet correspond to the same manufacturer: as soon as an attacker knows one IPv6 address, it can find the rest of the addresses by trying all possible combinations in the last three bytes of the IPv6 address.

Fernando Gont has published an IETF Internet-Draft entitled “A method for Generating Stable Privacy-Enhanced Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC)”, which proposes an algorithm for generating addresses that are stable within each subnet, but that result in different (and unpredictable) Interface Identifiers as hosts move from one network to another.  The aforementioned method is meant to be an alternative to generating Interface Identifiers based on IEEE identifiers, such that the same manageability benefits can be achieved without sacrificing the privacy of users.
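The following Python example is added here to illustrate both of the schemes described above; it is not code from the article or from the Internet-Draft. It derives the traditional modified EUI-64 Interface ID from a MAC address (the mechanism the opening paragraphs describe), and then a per-prefix stable Interface ID in the spirit of the draft, so the two behaviours can be compared side by side. The MAC address, the two /64 prefixes, the interface name and the secret key are constructed sample values, and the hash-based function (HMAC-SHA256 over the prefix, the interface name and a counter, keyed with a secret, truncated to 64 bits) is an assumption that approximates the draft's function rather than reproducing it exactly.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (not from the article): a MAC address, two /64
# prefixes the same host might be attached to, and a per-host secret key.
SAMPLE_MAC = "00:1b:21:3a:4f:5e"
HOME_PREFIX = "2001:db8:1::/64"
OFFICE_PREFIX = "2001:db8:2::/64"
SECRET_KEY = b"constructed-per-host-secret-do-not-reuse"

# All-zeros IID is the subnet-router anycast address; never hand it out.
RESERVED_IIDS = {bytes(8)}


def eui64_iid(mac: str) -> bytes:
    """Traditional SLAAC Interface ID: modified EUI-64 derived from the MAC.
    The 48-bit MAC is split in half, ff:fe is inserted in the middle and the
    universal/local bit (0x02 of the first octet) is flipped."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def stable_privacy_iid(prefix: str, net_iface: str, secret_key: bytes) -> bytes:
    """Stable privacy-enhanced Interface ID.

    Assumption: the draft's function F(...) is approximated by HMAC-SHA256
    over (prefix, interface name, counter) keyed with a per-host secret and
    truncated to 64 bits. The counter is only bumped here to step past a
    reserved IID; a real implementation would also bump it on DAD failure.
    Same prefix + same key => same IID; different prefix => unrelated IID.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    for counter in range(256):
        msg = net.network_address.packed[:8] + net_iface.encode() + bytes([counter])
        iid = hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]
        if iid not in RESERVED_IIDS:
            return iid
    raise RuntimeError("could not find a usable Interface ID")


def build_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Concatenate a /64 prefix with a 64-bit Interface ID, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit Interface ID")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def looks_like_eui64(addr: ipaddress.IPv6Address) -> bool:
    """Defender-side classifier: an EUI-64 IID carries ff:fe in its middle,
    which is what makes such addresses easy to recognise and correlate
    across networks (useful when auditing which hosts still use them)."""
    return addr.packed[8:][3:5] == b"\xff\xfe"


def compare_schemes(mac: str, prefixes: list, secret_key: bytes) -> dict:
    """For each prefix, return the EUI-64 address and the stable
    privacy-enhanced address so the two behaviours can be compared."""
    result = {}
    for prefix in prefixes:
        result[prefix] = {
            "eui64": build_address(prefix, eui64_iid(mac)),
            "stable_privacy": build_address(
                prefix, stable_privacy_iid(prefix, "eth0", secret_key)
            ),
        }
    return result


if __name__ == "__main__":
    schemes = compare_schemes(SAMPLE_MAC, [HOME_PREFIX, OFFICE_PREFIX], SECRET_KEY)
    for prefix, addrs in schemes.items():
        print(prefix)
        print("  EUI-64 based:   ", addrs["eui64"], "(same IID on every network)")
        print("  stable privacy: ", addrs["stable_privacy"], "(IID changes with the prefix)")
```

Running it shows the point of the proposal: the EUI-64 address keeps the identical low 64 bits on both prefixes, so the host can be correlated as it moves, whereas the hash-based Interface ID is constant for as long as the host stays on one prefix (so ACLs and logs keep working) and changes to an unrelated value on the other prefix. Because the secret key is per host, the hashed IIDs of neighbouring hosts on the same subnet also share no common structure, unlike EUI-64 IIDs from the same manufacturer.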

The proposal is being discussed at the 6man working group of the IETF. Feedback from the community will be appreciated.
