yes, the mac for fe80::200:5eff:fe00:101 is 00:00:5e:00:01:01 (a virtual mac used by the virtual router redundancy protocol commonly used by service providers in point-of-presence?)
--
J Pan, UVic CSc, ECS566, 250-472-5796 (NO VM), p...@uvic.ca, Web.UVic.CA/~pan

On Mon, Feb 12, 2024 at 6:14 AM Alexandre Petrescu via Starlink <starlink@lists.bufferbloat.net> wrote:
>
> this is an issue for 6MAN WG at IETF, but this is the text with the
> issue in the paper:
>
> > From the user device or customer router at 192.168.1.1,
> > we can reach its GS gateway at 100.64.0.1 (or equivalently
> > fe80::200:5eff:fe00:101 for IPv6)
>
> That IPv6 link-local address has an 'ff:fe' in it; the prefix is 'fe80'
> and the rest is an 'Interface ID', in RFC parlance.
>
> That IID should be more random in its appearance. It is called an
> 'opaque' IID, and specified in RFC 7217 "Stable and Opaque IIDs with
> SLAAC" of year 2014.
>
> That IPv6 address corresponds to earlier forms of these IIDs (RFC2464 of
> year 1998); they had that IID to be derived from a 48bit MAC address and
> inserted an 'ff:fe' string in it to become 64bit.
>
> Most embedded linux platforms (v2.x kernels?) still use that ff:fe.
> Migrating these kernels is sometimes very difficult. One might not want
> to migrate a kernel to a bloated and slower v3 or higher just for that
> little 'ff:fe'. Maybe one wants to migrate just its IPv6 stack, but
> it's not easy.
>
> The reason for making this IID more opaque is to resist scanning
> attacks. A scanning attack is when a user might have somehow an
> illegitimate starlink terminal and tries to connect to the legitimate
> starlink network. Part of that trying is to know the IP address of the
> next hop. With IPv6 it comes down to testing all these addresses. If
> they have a constant 'ff:fe' in them, it is easier to find them by brute
> force than if they were opaque. It is also true that if in IPv4 that
> next hop is always the same then the easiest attack is to simply use
> IPv4 instead of IPv6. But this 'opaqueness' of the IID in the IPv6 ll
> address might still be needed when IPv4 is gotten rid of.
>
> This could be discussed at IETF, could be suggested to starlink to
> upgrade, etc.
>
> Alex
>
> On 12/02/2024 at 07:59, J Pan via Starlink wrote:
> > http://pan.uvic.ca/webb/viewtopic.php?p=124670#p124670 to appear at
> > ieee icc 2024. feedback welcome, especially during the camera-ready
> > stage this week. thanks! -j
> > --
> > J Pan, UVic CSc, ECS566, 250-472-5796 (NO VM), p...@uvic.ca,
> > Web.UVic.CA/~pan
> > _______________________________________________
> > Starlink mailing list
> > Starlink@lists.bufferbloat.net
> > https://lists.bufferbloat.net/listinfo/starlink
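
The mapping discussed in this thread, from a link-local address with 'ff:fe' in its Interface ID back to a 48-bit MAC, can be checked mechanically when auditing which interfaces still use RFC 2464 style IIDs. The following is an added example, not part of the original messages or the paper; the function names are hypothetical, and the VRRP prefixes are the IANA virtual MAC ranges from RFC 5798.

```python
import ipaddress

# VRRP virtual MAC prefixes (RFC 5798); the sixth octet carries the VRID.
VRRP_PREFIXES = {"00:00:5e:00:01": "VRRP IPv4", "00:00:5e:00:02": "VRRP IPv6"}


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 IID, or None.

    An opaque (RFC 7217) IID can contain ff:fe in the same position by
    chance (about 1 in 65536), so a match is a strong hint, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = Interface ID
    if iid[3:5] != b"\xff\xfe":                    # filler inserted by RFC 2464
        return None
    # Undo the universal/local bit flip applied to the first MAC octet.
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr):
    """Summarise what an address's IID reveals about the interface."""
    mac = eui64_mac(addr)
    if mac is None:
        return {"address": addr, "iid": "opaque-or-other", "mac": None, "note": None}
    note = None
    prefix = mac[:14]                              # first five octets
    if prefix in VRRP_PREFIXES:
        note = f"{VRRP_PREFIXES[prefix]} virtual MAC, VRID {int(mac[15:], 16)}"
    return {"address": addr, "iid": "eui-64", "mac": mac, "note": note}


if __name__ == "__main__":
    samples = [
        "fe80::200:5eff:fe00:101",     # gateway address quoted in the thread
        "fe80::a8bb:ccff:fedd:eeff",   # constructed: EUI-64 from aa:bb:cc:dd:ee:ff
        "fe80::1c2d:3e4f:5a6b:7c8d",   # constructed: no ff:fe filler
    ]
    for s in samples:
        print(classify(s))
```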