>On Mon, 05 Oct 2009 16:13:37 CDT, Dan White said: > >> a publicly routeable stateless auto configured address is no less >> secure than a publicly routeable address assigned by DHCP. Security >> is, and should be, handled by other means. > >The problem is user tracking and privacy. > >RFC4941's problem statement: > > Addresses generated using stateless address autoconfiguration > [ADDRCONF] contain an embedded interface identifier, which remains > constant over time. Anytime a fixed identifier is used in multiple > contexts, it becomes possible to correlate seemingly unrelated > activity using this identifier. > > The correlation can be performed by > > o An attacker who is in the path between the node in question and > the peer(s) to which it is communicating, and who can view the > IPv6 addresses present in the datagrams. > > o An attacker who can access the communication logs of the peers > with which the node has communicated. > > Since the identifier is embedded within the IPv6 address, which is a > fundamental requirement of communication, it cannot be easily hidden. > This document proposes a solution to this issue by generating > interface identifiers that vary over time. > > Note that an attacker, who is on path, may be able to perform > significant correlation based on > > o The payload contents of the packets on the wire > > o The characteristics of the packets such as packet size and timing > > Use of temporary addresses will not prevent such payload-based > correlation. >(end quote) > >Or phrased differently - if I DCHP my laptop in a Starbuck's, on Comcast, at >work, at a hotel, and a few other places, you'll get a whole raft of answers >which will be very hard to cross-corrolate. But if all those places did >IPv6 autoconfig, the correlation would be easy, because my address would always >end in 215:c5ff:fec8:334e - and no other users should have those last 64 bits. > >Amazingly enough, some people think making it too easy to Big-Brother you is a >security issue...
Isn't this really a security by obscurity argument? Making it a bit harder for the attacker, relying on 'Eve' just not realizing who I am? Most of those concerns are in fact mitigated by a well implemented Privacy implementation ... and many of the remaining concerns do in fact apply to IPv4. Not to mention the 'higher layer' aspects. Bottom line - if you are doing something that warrants some level of privacy or protection, you should do something to ensure that level of privacy or protection - never assume you are private/secure by default. /TJ
