adrift on a cosmic ocean

Writings on various topics (mostly technical) from Oliver Hookins and Angela Collins. We have lived in Berlin since 2009, have two kids, and have far too little time to really justify having a blog.

IPv6 Privacy

Posted by Oliver on the 12th of September, 2010 in category Tech
Tagged with: ipv6, linux, privacy

I'm a big proponent of getting IPv6 out there, but not everyone shares this opinion. A lot of people are happy to stick with IPv4 and all of the horrid NATing nightmares this introduces, despite there being such big wins when using IPv6. IPv6 does introduce some issues that need to be dealt with, though:

  • The big compatibility issue, which encompasses OS, network stack and application support as well as support by all of the solid-state devices out there already.
  • Direct connectivity to all endpoints is now possible, so NAT cannot be relied upon to provide security.
  • MAC addresses are directly converted into EUI-64 addresses which, when used with IPv6 autoconfiguration, are directly exposed in the IPv6 address.

These last two seem to cause a bit of argument. NAT does provide an implicit form of security (albeit one that can be bypassed with advanced techniques). Adequate firewalling mitigates the security problem, and doesn't involve breaking the Internet. The alternative is working with an Internet where NAT is omnipresent and every P2P service requires proxies or connection brokering services. This will be a problem.

The last point, MAC address privacy, is easily dealt with. If you (like me) don't particularly like the idea of exposing your MAC address to the world when you use IPv6, you can configure your system to randomize the address. Setting:

net.ipv6.conf.all.use_tempaddr = 2

will cause your network stack to use the advertised prefix on your segment but generate a random suffix, and use it as the preferred address (any previously configured address from the MAC address will be deprecated and eventually removed).
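To check which global addresses on an interface still embed the MAC, the following added example (not part of the original post) rebuilds the modified EUI-64 interface identifier from the MAC and compares it against each address in `ip addr show` output. The sample output, interface name, MAC and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `ip addr show dev eth0` output (documentation prefix 2001:db8::/32).
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:16:3e:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:1:2:5c9f:3a71:88d2:1e04/64 scope global temporary dynamic
    inet6 2001:db8:1:2:216:3eff:fe12:3456/64 scope global dynamic mngtmpaddr
    inet6 fe80::216:3eff:fe12:3456/64 scope link
"""

def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier derived from a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in re.split(r"[:-]", mac.strip()))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = bytes([octets[0] ^ 0x02])  # flip the universal/local bit
    # Insert ff:fe between the OUI and the device-specific half.
    return int.from_bytes(first + octets[1:3] + b"\xff\xfe" + octets[3:], "big")

def exposes_mac(addr, mac):
    """True if the low 64 bits of addr are the EUI-64 form of mac."""
    iid = int(ipaddress.IPv6Address(addr)) & (2**64 - 1)
    return iid == eui64_interface_id(mac)

def audit_global_addresses(ip_output):
    """Return one finding per global-scope IPv6 address in the output."""
    mac, findings = None, []
    for line in ip_output.splitlines():
        fields = line.split()
        if re.match(r"\d+: ", line):
            mac = None  # new interface block: forget the previous MAC
        elif len(fields) >= 2 and fields[0] == "link/ether":
            mac = fields[1]
        elif len(fields) >= 4 and fields[0] == "inet6" and fields[2:4] == ["scope", "global"]:
            addr = fields[1].split("/")[0]
            findings.append({
                "addr": addr,
                "temporary": "temporary" in fields[4:],
                "exposes_mac": mac is not None and exposes_mac(addr, mac),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_global_addresses(SAMPLE):
        print(finding)
```
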

© 2010-2018 Oliver Hookins and Angela Collins