How legacy IPv6 addresses can spoil your network privacy

A single device within an IPv6 home network can reduce the privacy of every computer, handheld, and other gadget on that network, enabling all devices to be tracked around the internet, even those with IPv6 privacy protections. In a research paper titled "One Bad Apple Can Spoil Your IPv6 Privacy," Said Jawad Saidi, of the Max …

  1. the spectacularly refined chap

    Underwhelming

    I was expecting something jaw-dropping when I started the article but on reaching the end I can't help feeling "ho-hum". It's the kind of thing that's fairly obvious if you think about it. Of course, like many of these obvious "new" threats the claims are over-egged.

    The persistent host portion allows network prefix randomisation to be unscrambled; it does not allow further tracking of other devices in the network. In the example given you can't confirm the laptop is the same machine as yesterday, only that it is a system on the same network.

    1. simpfeld

      Re: Underwhelming

      I have to agree. Very ho-hum. Given how rarely IPv4 addresses change (and you want this) and a fixed IPv4 address is common, I don't really see that this is massively worse. Also my IoT devices (hopefully) talk to their single AWS cloud services, so not really leaking to lots of Internet sites, a TV a little more but still a very limited pool of sites. Phones and things that actually leave my house are all random assignment.

      Besides I have a fixed PD delegation anyway, knowing my end device isn't a big further hole.

      To be honest, I'd personally love to use pure DHCPv6 and not SLAAC at home, but Android doesn't support it! Due to some super awkward Android developers with an obsession that we should all use SLAAC and nothing else...

      https://issuetracker.google.com/issues/36949085?pli=1

    2. Warm Braw

      Re: Underwhelming

      There's an earlier study, cited in this later report, that came to a similar conclusion in the context of defeating the effects of prefix rotation, so it's not really new news.

      It's also asking a bit much of a network protocol to fully obfuscate its communicating parties - a sufficient portion of each end-point identifier has to remain the same for as long as parties are communicating (unless you punt the problem up a few layers); it may not be practical for a routing domain to have what is essentially an entirely flat address space so that all possible address prefixes can be assigned to any attachment point; full anonymity would make it hard to suppress DoS attacks.

      However, the real fly in the ointment is that there will be other persistent tracking-identifiers higher in the protocol stack that your "smart" TV - and many services on your otherwise address-randomising laptop - will be spraying out to all and sundry that are of significantly more concern.

    3. Keith Langmead

      Re: Underwhelming

      Yeah hardly earth shattering, at least based on that explanation of the "vulnerability" in the article. Surely in terms of risk, this is no more than the difference you currently get in a NAT IPv4 setup between whether you have a dynamic IP address allocation from the ISP or a static IP address, and no one's suggesting that having a static IP address is a terrible thing that should be avoided at all costs. Plus, in order to take advantage of it, you as the attacker need access not just to a site/service that the victim connects to, but one that more than one of their devices including the vulnerable TV in this example connects to. All that just to know that the connection you saw yesterday came from a device on the same network as you're seeing today, but not necessarily the same actual device.

    4. DougMac

      Re: Underwhelming

      Since browser fingerprinting can pretty much zero in on anybody (i.e. see https://www.amiunique.org/fp ), how is this study any different?

      Just one more factor in the many dozens that can already uniquely identify you.

      1. tip pc Silver badge

        Re: Underwhelming

        "www.amiunique.org/fp"

        I visited that site in several normal tabs and 1 incognito in safari with "limit IP address tracking enabled" and the site incremented the fingerprints count by 1 and said every visit was unique.

        that's more protection than I'd get from an IoT letting the world know my new prefix is the same household as a previous one.

        browser fingerprinting is one thing but IoTs are likely to talk to an API or command & control server so no browser fingerprinting.

    5. bombastic bob Silver badge

      Re: Underwhelming

      All IPv6 addresses (with a few exceptions) are public.

      For privacy, it looks like we should use VPNs or SOCKS proxies.

      An ISP could provide this service or you could just use the Tor network so long as it has IPv6 exit points (I do not know, probably does, my guess).

      Seriously though if you have a fixed IP(v6) address (like a home office or a business) you just assume you're being tracked, and an IPv6 /64 will be trackable based on the prefix anyway. So yeah, for true privacy, Tor or a proxy or a VPN.

      And tracking is the LEAST of the problems. A windows box with an IPv6 address that is NOT firewalled by a non-windows "something" is like being promiscuous in a series of adulterous activities. NOT a matter of IF you get a virus (or whatever), but WHEN.

      (I remember WinNuke, and I still see ALL of those open ports on any windows box connected to my network, and Micros~1 firewall does not, In My Bombastic Opinion, inspire ANY sense of confidence and/or security for stopping malware or outright attacks)

  2. sreynolds

    I don't care what the experts say....

    For my home network I will always run NAT for the "users". I mean some machines might have a routable external address but that's about it.

    Is there really a need for devices to register an IP address for notifications?

    1. simpfeld

      Re: I don't care what the experts say....

      To be honest you can do really smart things on IPv6 with Prefix Translation, because you have so many external addresses you can have 1-to-1 mapping of external to internal addresses, it should work great. Much better than IPv4 port hackery.

      Sadly there is a big BUT coming, the private addresses you can assign officially in IPv6 ULAs (fd00::/8) will NEVER be used for Internet traffic (I believe usually hard coded into the stacks and will drop back to IPv4 if you try, so I have read (not tried it)). So your choice is to use an unused piece of the real address space, it's unused this week, so this may well come back to bite you.

      Sadly the Ivory Tower people that architect these sort of things have made NAT IPv6 hard to do well.

      A bit analogous to the Ivory Tower people that don't want to give out a decent set of private top-level domain names for internal use....

      1. Yes Me Silver badge

        Re: I don't care what the experts say....

        There's a subtlety there. ULAs will not be used unless you beef up their precedence compared to globally-reachable IPv6 addresses. That means configuring what is sometimes called the RFC6724 table, and that's not trivial for normal users (and allegedly impossible on some devices, even though the RFC requires the table to be configurable).

        You don't need full NAT anyway; you only need prefix translation.

        Your router needs to support this stuff; most consumer grade routers don't.

        Not quite there yet, but well out of the ivory tower.

        1. tip pc Silver badge

          Re: I don't care what the experts say....

          You don't need full NAT anyway; you only need prefix translation.

          for the use case in this article you want IID NAT, not prefix NAT.

    2. casperghst42

      Re: I don't care what the experts say....

      There is no NAT for ipv6.

      1. Tom 7

        Re: I don't care what the experts say....

        I'll stick to ipv4 then. Well I'm going to have to for quite a while because my ISP doesn't use 6 and I can't find anyone else to supply me here for anything realistic. Currently IPV6 offers me nothing and until it offers me something and in a way that means I can configure it securely and know exactly what I'm doing it's not happening.

        1. This post has been deleted by its author

          1. Anonymous Coward

            Re: I don't care what the experts say....

            If the Internet, hosting, IP services use IPv6 and your LAN doesn't, you can't access them.

        2. bombastic bob Silver badge

          Re: I don't care what the experts say....

          there are free IPv4 to IPv6 tunnels out there. I've been using he.net for a long time.

      2. sreynolds

        Re: I don't care what the experts say....

        Strange, my linux boxen seem to support this with kernel versions 3.x something. Something tells me there is less entropy in a single IP address rather than having a uniquely identifiable ip address for every freaking device.

        ip6tables -v -n -t nat --list POSTROUTING
        Chain POSTROUTING (policy ACCEPT 12 packets, 960 bytes)
        pkts bytes target prot opt in out source destination
        0 0 MASQUERADE all * wl+ ::/0 ::/0
        0 0 MASQUERADE all * tun+ ::/0 ::/0
        0 0 MASQUERADE all * ppp+ ::/0 ::/0
        0 0 MASQUERADE all * wg+ ::/0 ::/0

        1. Anonymous Coward

          Re: I don't care what the experts say....

          NAT66 is possible - but not all systems allow it. pfSense for example allows prefix translation but not full NAT66.

          NAT66 implies the same issues as NAT44 - you'll need ALG or other configurations involving STUN etc. to make some protocols work. Under IPv6 some systems may not expect NAT and thereby may not work and could not be configured to work.

      3. Warm Braw

        Re: I don't care what the experts say....

        The interesting question is what the purported use of NAT in IPv6 would be...

        1. Anonymous Coward

          Re: I don't care what the experts say....

          Maybe to prevent anyone on the Internet from initiating a connection with devices on your internal network?

          1. Warm Braw

            Re: I don't care what the experts say....

            It's the stateful packet inspection that blocks the incoming traffic that's not associated with an established outgoing connection. The decision has already been made to forward or discard the packet before the address translation is applied. The presence or absence of NAT doesn't make any difference to the ability to filter traffic.

            Having said that, IPv6 addresses will probably make firewall configuration rather more verbose.

            1. Anonymous Coward

              "probably make firewall configuration rather more verbose"

              Or maybe not - a default block rule and then rules to open access for specific services instead of port forwardings. The lack of something like UPnP may make life more complex for people that need "transient" openings. I know UPnP may be bad - but I also think people forwarding/opening random addresses and ports because they don't know what they're doing is even worse.

              Dynamic prefixes may be a problem with firewall rules.

          2. bombastic bob Silver badge

            Re: I don't care what the experts say....

            Maybe to prevent anyone on the Internet to initiate a connection with devices on your internal network

            true but a decent firewall (rather than some form of NAT) would do the same job, and probably with lighter resource requirements...

            Those firewall settings could be generic enough, basically block the usual things such as SMB, RPC, telnet, ftp, X protocol, VNC ports (unless you REALLY want that and I strongly discourage it), etc. as well as anything that shows up when you use 'netstat -an' on a windows box...

            [so yeah your average El Reg reader's firewall].

            A typical NAT router _could_ (and IMBO *should*) implement this out of the box.

        2. SImon Hobson Bronze badge

          Re: I don't care what the experts say....

          One use for NAT, or rather NPT (Network Prefix Translation, which would maintain 1-1 mapping of host address portion while changing prefix) would be to allow multi-homing (as in multiple internet links) without needing to configure each device with usage policies - routing of outbound traffic being done by the NPT device.

          One example of where outgoing policy can be useful is for VoIP - route VoIP traffic via one connection, everything else via another. And note that one device might do both VoIP and other traffic (such as mail and web browsing).

          But NPT would still break "many things" - just not as well as NAT breaks many things.

        3. Anonymous Coward

          Re: I don't care what the experts say....

          So, 6to4 and 4to6 obviously allow interoperability between ipv4 and v6 networks, and is pretty stable for what 15 years now? Teredo (Bleh, speak not of it and use a VPN gateway).

          If you were only referring to 6to6 NAT, the best reason I have seen is client side failover or load balancing , with the HUGE caveat that you can expect some IPv6 native code to blow right up if you NAT it.

          That said, since most real traffic is to services built on IPv4 code, there are plenty of services that fail to notice or explode. However, unless it's sanctioned in some future version of the spec, it's still mostly useless in the real world. There have been some overseas telcos that have been doing some weird ipv6 stuff though. I think they are a bad example though, as it's not transparent, and breaks things (in addition to the spec). That said the same carriers are also doing double or triple NAT on ipv4 too.

          1. Anonymous Coward

            "6to4 and 4to6 obviously allow interoperability between ipv4 and v6 networks"

            You need specific relays to make them work - if you are worried about people tracking your traffic having to go through a relatively few relays is the best way to be tracked.

      4. Alan Brown Silver badge

        Re: I don't care what the experts say....

        What you mean is there is no "private, internal" address NAT range like RFC1918 defines for IPv4.

        that was deliberate

        You can certainly NAT IPv6 addresses if you're determined enough to do so.

        Why is it discouraged? Because NAT breaks a bunch of stuff in subtle and sometimes unpredictable ways.

        It may be relatively invisible across most of the western world but as soon as you're stashed behind 2 or more layers of NAT - as frequently happens in many parts of the developing world - "helper protocols" start breaking down.

        In some cases you can find a million or more people behind double NAT layers and the fustercluckage becomes pretty bad. Trying to work around that breakage is the root cause of many of the "phone home" tunnels built into IOT appliances such as CCTV DVRs that have destroyed network security on so many occasions.

        1. Anonymous Coward

          Re: I don't care what the experts say....

          Yeah, there are actually two whole scopes of non-public IPv6 addresses. One is supposed to still be globally unique, and the other allows for fully private local and overlay networks. You are just still not supposed to NAT them which means that you have to handle everything at a routing level, and you would need to VPN or tunnel the traffic across the public internet because your WAN router will drop them just like the IPv4 private ranges.

          Or at least they are supposed to, there have been cases in the past where misconfigured CPE and gateways leaked local traffic up their default route, leading to privacy issues.

        2. Jellied Eel Silver badge

          Re: I don't care what the experts say....

          Sometimes it can result in extra insecurity. So if you want secure CCTV DVR, build it from cameras and DVRs that cannot phone home. Sure it might mean Amazon won't know who's at your door, but criminals will find it harder to find out who's in, or out.

          Basically security devices should be on their own network, with heavy logging. Sure, it's perhaps less convenient than sending Google, Apple or Amazon your security alerts. A decent system should let you forward those to a proxy on the 'dirty' network, and basic archiving tools would let you do backups to an off-site DVR.

        3. sreynolds

          Re: I don't care what the experts say....

          I thought that internet addresses were 2000::/3 and the rest were link local and private.

          I remember reading someone, maybe it was in RFC 4193 that FC00::/7 prefix was good for "private" addresses. That is a *lot* of addresses - we are talking over 100 digits here.

          The problem is that if your ISP gives you a /64 prefix you cannot divide that down across different networks. Even a /56 is barely usable, so you at least want a /48 which you can break down into different networks.

          1. Jellied Eel Silver badge

            Re: I don't care what the experts say....

            I think you might be doing it wrong.

            A /56 gives you 256 x /64s, which should be plenty for most networks. Also if you can filter, you can subnet a /64. So just configure a router to route /96s via different ports or VLANs, and see what happens. Some routers might complain about an invalid network, but I've done it a couple of times in the past.

            Luckily the Internet has developed around RFCs, and has advanced due to people breaking those 'rules'.

            1. tip pc Silver badge

              Re: I don't care what the experts say....

              A /56 gives you 256 x /64s, which should be plenty for most networks.

              IPv6 isn't geared to further subnet those /64's so you end up with 256 possible subnets that can each contain a gazillion addresses. Not very practical outside of consumer use cases.

              Also if you can filter, you can subnet a /64. So just configure a router to route /96s via different ports or VLANs, and see what happens. Some routers might complain about an invalid network, but I've done it a couple of times in the past.

              that'd be the way to do it, why would a router complain about that? are you referring to domestic routers given free to BB customers?

              why do I want my internal systems, routers, L3 links etc publicly routable? one trick would be to pick a subnet and null route it on the internet while using it internally, but then I'd need some kind of proxy or NAT to enable connectivity to the internet from that internal subnet.

              1. Anonymous Coward

                "Not very practical outside of consumer use cases."

                /56 assignments are for SMB/consumer cases, otherwise you can easily obtain a /48 with enterprise-level contracts (and even larger) - and you are not forced to subnet the /56 into only /64 - you can make for example /60s out of it and then subnet them again.

                Unless you are trying to use a consumer connection for a large enterprise I can't really see the issue.

                "that'd be the way to do it, why would a router complain about that?"

                Because IPv6 is not designed to work that way. For example SLAAC breaks.

                "one trick would be to pick a subnet and null route it on the internet "

                There are ULA prefixes you can use for such use without any need to null route them.

                "but then I'd need some kind of proxy or NAT"

                That's why IPv6 global addresses are publicly routable. After all what NAT does is exactly that - make an internal address publicly routable using tricks.

                The bottom line: IPv6 doesn't work like IPv4 - as long as you try to use IPv6 as if it was IPv4 with more addresses, you're going to look for trouble.

          2. Anonymous Coward

            "I thought that internet address were 2000::/3 and the rest were link local and private"

            No. There are specific prefixes allocated for link-local and ULA addresses. There are also other prefixes allocated for specific use (i.e. multicast, documentation, etc.). And there is the Global Unicast Address allocations.

            All other prefixes are NOT ASSIGNED (yet) and MUST NOT be used - let's not repeat the mistakes done with IPv4 when someone started to use IPs they should never have used.

            "Even a /56 is barely usable,"

            It's up to 256 subnets - I would not call it "barely usable"

      5. Anonymous Coward

        Re: I don't care what the experts say....

        Only there are actually 3 baked into the IPv6 protocols, and 626 is still implementable at a technical level even if it breaks specification. So there is actually plenty of NAT, and one that exists but if you use you are the networking anti-christ.

      6. bombastic bob Silver badge

        Re: I don't care what the experts say....

        no NAT for IPv6

        well there IS a spec but I have not heard great things about it nor widespread use (other than NAT-PT which is IPv6<->IPv4 and not what you were looking for, probably)

        https://datatracker.ietf.org/doc/rfc6296/

  3. b0llchit Silver badge

    Networks are seldom private

    The research makes one point: never use local hardware addresses (MAC) as part of global addressing, simply because it is an information leak. But randomization of the local address part is highly overrated.

    The assumption of privacy with randomization is on rather shaky grounds because you can track based on behavior, regardless of 4/6 protocol. In the IPv4 space you often share one single address. You can identify individual devices, even though there is only one address, by means of behavioral patterns (like timing and access spread). The IPv6 prefix is not a secret. The rest is just noise, which can be ignored if you look at the traffic patterns. There is effectively no difference between IPv4 address and IPv6 prefix tracking. You can also use NAT in an IPv6 setting.

    But giving away local network information freely, with embedding the MAC address is, of course, a very bad idea.

    1. Anonymous Coward

      Re: Networks are seldom private

      Yeah, though a big difference is that much of that tracking happens higher up the protocol stack and is more likely to be encrypted, where an IP header is visible in transit to everyone in the middle. The port and time analysis stuff is still a concern, but there have at least been efforts to mitigate that with less deterministic port assignment and sequence numbers etc. Protections mostly to limit MITM but also with privacy benefits.

  4. tip pc Silver badge

    yet another case for NAT

    IPv6 tried to bury NAT and actively discourages NAT

    see RFC 4864 which nicely details how IPv6 is designed to not use NAT

    https://datatracker.ietf.org/doc/html/rfc4864

    NAT would hide that IID behind the gateway public address, get a new public prefix and suddenly the IID is worthless.

    yes there is NAT for IPv6 but things like ipv6-ipv6 won't help as that just swaps the prefix and does nothing for the IID

    https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no-nat-for-ipv6-but-nat-still-exists/

    IPv6 still needs to mature.

    funny how it's the big content providers like Google & Meta who are pushing ipv6 largely as they have the most to gain, plus they often have hardware in people's homes so can always track the prefix anyway, which is not too dissimilar from the current arrangement in ipv4 but ipv6 is meant to be better but has issues.

    They will continue to find glaring issues in ipv6 as its adoption rises.

    newer is not always better.

    1. Yes Me Silver badge

      Re: yet another case for NAT

      The whole thing is really not a concern. Privacy problems are overwhelmingly at the application level. I don't get 100+ spams each day because of revealing my MAC address to gmail. As NSA and their friends study my metadata, they would get nothing more out of my MAC address than they have anyway - who I exchange email with, which web sites I visit, what my Register pseudonym is, etc. My IPv6 /56 prefix or my IPv4 /32 tells them all they need.

      It's the weakest argument ever for NAT.

      1. tip pc Silver badge

        Re: yet another case for NAT

        if you have a cheap smart watch that does EUI-64 for ipv6 then it's possible to track you from AP to AP as you roam around, it's the whole reason why premium vendors do MAC randomisation and the whole reason why EUI-64 was shunned. you don't have that problem with ipv4 regardless of the cost of the device using it.

        Dismissing it as irrelevant won't fix the problem, full NAT on IPv6 will.

        If they just added a full NAT implementation in IPv6 most people would have migrated.

        IPv6 was designed to not be interoperable with IPv4, they had the opportunity to build a migration path but went for the new shunning the old and we now have this mess.

  5. guyr

    Every molecule can have its own IP address

    Wasn't that the selling point of v6? If we have to randomize our v6 IP address on a daily/hourly basis to avoid tracking, doesn't that greatly diminish the value of having such an expansive address space? I guess if we can hide all that inside the ISP connection point (normally, an ISP-provided router), then we can just use NAT on all home devices and be done with it. As long as we can continue to use v4 inside the house for ease of use, and NAT that to v6 on the ISP router, that should cover the majority of use cases for home users.

    Professionals get paid to deal with these headaches, so I'm not too concerned about the hoops that they have to jump through with all this.

    1. tip pc Silver badge

      Re: Every molecule can have its own IP address

      Every molecule can have its own IP address

      the issue is that with the story in this article it's trivial to determine which of those molecules belong to you even when you hand them over to someone else which is not meant to be the case.

      NAT'ing IPv4 to IPv6 is not trivial and effectively is proxying as the IPv4 packet & IPv6 packet are not compatible and need rewriting. you could encapsulate an ipv4 packet within ipv6 if you wanted but that needs the other side to know about it so it can unpack it like when doing GRE or a VPN.

      https://en.wikipedia.org/wiki/IVI_Translation

      There are a number of different solutions, I've never used any and have no idea on their effectiveness or popularity.

      It's safe to say there are obviously limitations else we would not be writing about it and would all be on IPv6 if they were effective.

      if they just did a feature complete version of IPv4 NAT on IPv6 I think we'd all be using IPv6 by now.

      IPv6 has too many artificial limitations that have prevented adoption.

      1. Tom 7

        Re: Every molecule can have its own IP address

        "NAT'ing IPv4 to IPv6 is not trivial" if that really is the case then I'm sorry, IPV6 WILL have to be re-written until it is.

    2. SCP

      Re: Every molecule can have its own IP address

      "If we have to randomize our v6 IP address on a daily/hourly basis to avoid tracking, doesn't that greatly diminish the value of having such an expansive address space?"

      An advantage of such an expansive address space is that your randomly chosen IP address is very very very very unlikely to collide with someone else's randomly chosen IP address. This would make the actual operation of any such system much more efficient since "re-try" events would be very rare.

    3. Anonymous Coward

      "Wasn't that the selling point of v6?"

      That ISPs no longer have enough public IPs for customers. This is now a problem for example in Europe. In other regions there could still be some IPs available, here new ISPs like Comcast Sky Italy are forced to use IPv6 because they can't simply get enough IPv4 addresses. Vodafone has started to put customers on CG-NAT, which prevents some services from working.

      "doesn't that greatly diminish the value of having such an expansive address space?"

      No. Even with the smallest /64 prefix you have 2^64 addresses to choose from. And there's also a huge number of prefixes.

      "As long as we can continue to use v4 inside the house for ease of use, and NAT that to v6 on the ISP router"

      That simply breaks a lot of things and doesn't work. Say you want to open Google search page. You type www.google.com and the browser resolves it with Google IPv4, creates an IPv4 packet and sends it to the router as the default gateway. How could the router NAT it into IPv6? There's no service which given an IPv4 tells you what IPv6 it corresponds to, if any. Moreover some protocols have IP data inside their payloads - and need to know if they are talking IPv4 or IPv6.

      1. Anonymous Coward

        Re: "Wasn't that the selling point of v6?"

        improperly manage public IPs considering the multitude of devices and virtual appliances that make 1 to many connections so easy to configure

    4. Alan Brown Silver badge

      Re: Every molecule can have its own IP address

      > Wasn't that the selling point of v6?

      No

      Whilst it LOOKS like you could do that the reality is that it's meant to be a very SPARSE address space accessed like a red/black decision tree and the address is as much a routing table as anything else

      This was the original intent of IPv4 before every IP address was shoehorned into being a device

      first octet = site, second octet = department, 3rd octet = internal network

      It was just like international dialling codes but for a network which had fewer than 5000 computers on it and IPv4 was only intended to be in operation for 5-6 years.

      IPv5 was utterly broken

      Ironically, the first draft of IPv4 HAD 128 bit addressing and was reduced to 32 bits specifically because it was a _temporary_ solution

      1. John Brown (no body) Silver badge

        Re: Every molecule can have its own IP address

        "Ironically, the first draft of IPv4 HAD 128 bit addressing and was reduced to 32 bits specifically because it was a _temporary_ solution"

        And in these forums, we are well aware of just how long a "temporary" solution gets used for. The Quicker and dirtier the hack, the longer it's likely to last :-)

  6. Charlie Clark Silver badge

    I'm not quite sure I understand

    While I do understand the information leak, the article doesn't make it clear to me how the tracker knows when it has a MAC address in the local part and hence to use this to track everything from that router. Is this done using a database for MAC addresses?

    As it is, although my router is using IPv6 to talk upstream, it's also using a 4 to 6 tunnel to do so because so much of the outside world is still IPv4 only.

    But I also wonder if the bigger risk isn't being tracked, I think our consumer devices and own behaviour make it pretty easy to identify us whatever mitigation we try, but information about the network providing information for potential hacking.

    1. Jellied Eel Silver badge

      Re: I'm not quite sure I understand

So the IEEE manages MAC addresses much the same way as IP addresses. EUI-48 assigns blocks to vendors (OUI - Organisationally Unique Identifier). So if you see that in an IPv6 packet, you can look up who probably made it.

That can be handy if you know that vendor has vulnerabilities. Especially if vendors sub-divide their OUI block(s) by product line. Some vendors try to obfuscate this by randomly assigning the local portion of the MAC address, eg Apple. But you'd still know it was an Apple MAC based on the OUI.

      So basically it makes scanning for potentially vulnerable devices quicker and easier. Then once you've compromised one device, you can probe the internal network by looking at MAC or ARP caches, and have more targets.

      1. Charlie Clark Silver badge

        Re: I'm not quite sure I understand

        That's what I was thinking, thanks. As I said, I think this is probably a greater risk than that of being tracked.

    2. SImon Hobson Bronze badge

      Re: I'm not quite sure I understand

      You can spot an EUI64 address by seeing the FF:FE bytes in the address.

      1. Yes Me Silver badge

        Re: I'm not quite sure I understand

        Unless they are there by chance, of course, since the new standard simply requires a 64 bit pseudo-random number.
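The check Simon Hobson and Jellied Eel describe, written out as an added example (this is not code from the page or the paper): pull the interface identifier out of an observed address, test for the ff:fe marker, undo the universal/local bit inversion to recover the MAC, and look the OUI up. It also shows the "there by chance" case Yes Me raises: a random IID matches ff:fe with probability 2**-16, and adding the u/l-bit check only halves that, so the registry lookup is the third filter. The OUI table and all sample addresses are constructed for the example under the documentation prefix 2001:db8::/32; a real scanner would load the IEEE MA-L registry.

```python
import ipaddress

# Constructed OUI table for this example only; a real scanner would load the
# IEEE MA-L registry (oui.csv) instead. These assignments are made up.
SAMPLE_OUI = {
    "00:1a:2b": "ExampleVendor A",
    "8c:85:90": "ExampleVendor B",
}


def interface_id(addr: str) -> bytes:
    """Return the low 64 bits (interface identifier) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]


def classify(addr: str) -> dict:
    """Decide whether an address carries a modified EUI-64 interface id.

    RFC 4291 Appendix A builds the IID by splitting the 48-bit MAC, inserting
    ff:fe between the halves and inverting the universal/local bit (0x02 of
    the first byte). A random IID shows ff:fe at that offset with probability
    2**-16; requiring the u/l bit to read 'universal' as well makes it 2**-17.
    Neither check is proof, so the OUI lookup is the third filter.
    """
    iid = interface_id(addr)
    result = {"addr": addr, "mac": None, "universal": False, "vendor": None}
    if iid[3:5] != b"\xff\xfe":
        return result                      # privacy, random or DHCPv6-style IID
    first = iid[0] ^ 0x02                  # undo the u/l inversion
    mac = bytes([first]) + iid[1:3] + iid[5:]
    result["mac"] = ":".join(f"{b:02x}" for b in mac)
    # u/l bit clear in the recovered MAC => universally administered (burnt-in),
    # so the first three bytes are a registry OUI worth looking up
    result["universal"] = not (first & 0x02)
    if result["universal"]:
        result["vendor"] = SAMPLE_OUI.get(result["mac"][:8], "unknown OUI")
    return result


def scan(addrs):
    """Classify a batch and keep only addresses that appear to leak a burnt-in MAC."""
    return [r for r in (classify(a) for a in addrs) if r["universal"]]


# Constructed sample addresses under the documentation prefix 2001:db8::/32
SAMPLE = [
    "2001:db8:1::21a:2bff:fe3c:4d5e",   # EUI-64 from MAC 00:1a:2b:3c:4d:5e
    "2001:db8:1::a1b2:c3d4:e5f6:7890",  # random IID, nothing to recover
    "2001:db8:1::3c5a:b4ff:fe11:2233",  # EUI-64 from a locally administered (randomised) MAC
    "2001:db8:1::8fa2:7bff:fe9d:c31",   # random IID that happens to contain ff:fe
]

if __name__ == "__main__":
    for r in (classify(a) for a in SAMPLE):
        print(r)
```

The fourth sample survives both the ff:fe and the u/l-bit checks yet recovers a "MAC" whose OUI is in no registry; that is the kind of false positive the registry lookup is there to catch, and an unassigned OUI should be treated as "probably random", not as an unknown vendor.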

  7. Anonymous Coward

    "ISPs got into the habit of rotating IPv6 address"

    Good luck with dynamic prefixes and networks renumbering...

    The real problem is SLAAC - which should become deprecated - it's no surprise Google is trying to avoid DHCPv6 as much as it can.

    1. Yes Me Silver badge

      Re: "ISPs got into the habit of rotating IPv6 address"

      SLAAC is not a problem and there isn't a chance in hell that it will be deprecated. Sites that want control of user devices seem to prefer DHCPv6, but SLAAC is ideal for all kinds of drop-in scenarios. Such as most scenarios where the o/s is Android.

      (I am no apologist for Android's choice, and I note that iOS does claim both SLAAC and DHCPv6 support.)

  8. DJV Silver badge

    Vermin IPv6

    "Depending on your ISP, router, and so on, you might find that on your home network, your laptops, phones, and other devices have their own local IPv6 addresses"

    I'm with Vermin Media - I suspect their planned date for switching to IPv6 coincides with the date of the heat death of the universe...

    1. Alan Brown Silver badge

      Re: Vermin IPv6

      not just Vermin

      A number of years ago OFCOM stated that they would step in and mandate IPv6 in retail ISPs (or they would not be allowed to call what they sold "Internet") when IPv6 hit critical mass

      When it hit 32% in the UK I asked them when they planned to publish a roadmap for that mandate. Ofcom refused to answer the question. Perhaps the Competition and Markets Authority would be a better arbiter of the change

      There's a thread on TalkTalk's forums about IPv6 ("When will Talktalk offer IPv6") that's been active since 2007 and IPv6 questions there dating back to 2005.

      TalkTalk(CPW) have had substantial IPv6 assignments since 1998 and ISP-sized chunks since 2001

    2. Anonymous Coward

      Re: Vermin IPv6

      Can't be more than a few decades away. After all, Vermin Galactic have finally flown with 'amateur astronauts' on board... although the next launch has been delayed until late-2022 (or 'heat death of the universe', whichever comes sooner) because of, erm, a 'Planned Vehicle Enhancement and Modification Period'

      (using old Virgin-brand condoms as o-ring seals was probably not a good idea)

  9. Anonymous Coward

    Changing user IPv6 prefixes

    Which ISPs change their customers' IPv6 prefixes? Why would a customer want that?

    The article says that it’s a privacy feature.

    I wonder if it’s so that they can charge extra for a “static” IPv6 prefix.

    1. Anonymous Coward

      "I wonder if it’s so that they can charge extra for a “static” IPv6 prefix."

      Probably. Other reasons:

      1) They use the same provisioning system they had for IPv4 with little changes.

      2) They don't want customer run services from their systems (unless they pay)

      3) They don't understand IPv6 and don't understand what renumbering networks means

      I guess they never thought about privacy.

      There's also the issue of the prefix size - because subnetting depends on it. Some try to charge extra for prefixes larger than /64 too.

      1. SImon Hobson Bronze badge

        Re: "I wonder if it’s so that they can charge extra for a “static” IPv6 prefix."

        > 2) They don't want customer run services from their systems (unless they pay)

        This will be the main reason. There are no technical benefits, just the ability to charge extra for a fixed prefix - just like many ISPs charge extra for a fixed IPv4 address.

        1. Anonymous Coward

          Re: "I wonder if it’s so that they can charge extra for a “static” IPv6 prefix."

          And with a single public IP you can do little - with a fixed IPv6 prefix you can do anything - the real limitation becomes just the available bandwidth (and your power bill...)

          1. The Basis of everything is...

            Re: "I wonder if it’s so that they can charge extra for a “static” IPv6 prefix."

            Assuming that other people also have IPv6. Did a small project with some overseas techies that needed some small servers for a few weeks. Figuring this will be easy as everyone out east already has IPv6 just run up a few VMs on the lab server and sorted. Oh well, at least Plan B worked....

  10. John_3_16
    Facepalm

    YAWN...

    Really thought this was a game changer till I read it. What possible good is it to back trace 1,000,000 plus networks to find a TV with 1 identical byte of info both days to prove the connecting computer/tablet/phone might be on the same network? How do you monetize that?

    My system is VPN protected. Right now it double hops through Cleveland & New York. Both have multiple services available that are assigned to control traffic. My traffic flows through my VPN firewall then through my system firewall & finally through my router firewall. Testing my privacy has shown all is dark on the hardware side & the few identifiers available after the double hop are shown as weakness except for the fact the testing site does not know that bit of info is all false.

    Can't see how this byte of info can possibly hurt me. I still have contact with my banks, investment firms & medical locations. I do need to pass extra security 2FA but it is worth it knowing they can recognize that I am in New York & not at home; NOT. Privacy is possible but you need to work for it. YAWN... Bedtime. [̲̅$̲̅(̲̅▀̿Ĺ̯▀̿ ̿)̲̅$̲̅]

    1. tip pc Silver badge

      Re: YAWN...

      > My system is VPN protected. Right now it double hops through Cleveland & New York. Both have multiple services available that are assigned to control traffic. My traffic flows through my VPN firewall then through my system firewall & finally through my router firewall.

      That’s 1 system on your home network that has a vpn installed on it.

      Your rfc1918 address is actually NAT'd so the end point (thereg for example) sees you originating from a public IP that should geographically be in New York when actually you're sourcing from Kansas.

      In the world of ipv6 they have a concept of nat'ing the prefix so that will look like it's from New York but your host portion will stay what it is on your LAN. Your ISP's router will see that host portion of your address too. The /64 typically assigned to home users is sufficiently large that whatever address assigned at random by your router to you can be treated as being globally unique.

      ISPs seeing traffic traversing their network have to log those addresses for a minimum amount of time. Suddenly your ipv6 vpn traffic will to a high degree of certainty be able to be linked back to your ISP and therefore to you.

      If the prefix and host part of your address was NAT’d like in ipv4 you’d retain that anonymity until you logged into something which would link it back to you but not your location/ originating ip.

      Obfuscating the prefix ups the complexity of tracking to levels approaching 5 eyes. But if you’ve a browser open and your vpn craps out then your public host ip will be seen by more than just the ups in the time it takes for you to rejoin.

      It’s long enough for FB, google, M$, Amazon etc to get your public host address and link your subsequent vpn address to it.

      At that point you may as well not bother.
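The linking tip pc describes (a host portion that survives a prefix change, whether the prefix is rotated by the ISP or rewritten by a prefix translator), as an added example that is not part of the page or the paper. It generalises the single TV-plus-laptop case: any interface identifier observed under two or more prefixes marks those prefixes as the same network, prefixes are merged with a union-find, and every throwaway privacy address is then labelled with the network of the stable host it shared a prefix with. The observations and prefixes are constructed for the example under 2001:db8::/32; `rewrite_prefix` is a simplified stand-in for NPTv6 (RFC 6296 additionally adjusts one 16-bit group to stay checksum neutral, which does not touch the IID either).

```python
import ipaddress
from collections import defaultdict


def split(addr: str):
    """Return (prefix bytes, interface-id bytes) for a /64-style address."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[:8], packed[8:]


def rewrite_prefix(addr: str, new_prefix: str) -> str:
    """Swap the top 64 bits and keep the IID, as prefix translation does.

    Simplified stand-in for NPTv6 (RFC 6296): the real thing also adjusts one
    16-bit group so transport checksums stay valid, but the IID is untouched there too.
    """
    _, iid = split(addr)
    top = ipaddress.IPv6Network(new_prefix).network_address.packed[:8]
    return str(ipaddress.IPv6Address(top + iid))


def _prefixes_by_iid(observations):
    seen = defaultdict(set)
    for _when, addr in observations:
        prefix, iid = split(addr)
        seen[iid].add(prefix)
    return seen


def bad_apples(observations):
    """Hex IIDs observed under more than one prefix: hosts whose identifier
    survived a prefix change (EUI-64 or any other stable scheme)."""
    return {iid.hex() for iid, ps in _prefixes_by_iid(observations).items() if len(ps) > 1}


def link_networks(observations):
    """Map every observed address to a network label.

    Prefixes are merged (union-find) whenever one stable IID was seen under
    both, so addresses that only ever appear with a throwaway IID inherit the
    label of the stable host that shared their prefix.
    """
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    by_iid = _prefixes_by_iid(observations)
    for prefixes in by_iid.values():
        for p in prefixes:
            parent.setdefault(p, p)
    for prefixes in by_iid.values():
        if len(prefixes) > 1:               # this IID is the bad apple
            anchor, *rest = sorted(prefixes)
            for p in rest:
                ra, rp = find(anchor), find(p)
                if ra != rp:
                    parent[rp] = ra
    return {addr: find(split(addr)[0]).hex() for _w, addr in observations}


# Constructed observations (documentation prefix 2001:db8::/32): two days of
# hits on one tracker. Household A has a TV with an EUI-64 IID and a laptop
# using RFC 4941 temporary addresses; household B uses temporary addresses only.
# Both ISPs rotate the delegated /64 overnight.
OBSERVED = [
    ("day1", "2001:db8:aa01::21a:2bff:fe3c:4d5e"),   # A: TV
    ("day1", "2001:db8:aa01::d1e2:f3a4:b5c6:d7e8"),  # A: laptop, temporary addr 1
    ("day2", "2001:db8:bb02::21a:2bff:fe3c:4d5e"),   # A: TV, new prefix
    ("day2", "2001:db8:bb02::9a8b:7c6d:5e4f:3a2b"),  # A: laptop, temporary addr 2
    ("day1", "2001:db8:cc03::1111:2222:3333:4444"),  # B: phone, temporary addr
    ("day2", "2001:db8:dd04::5555:6666:7777:8888"),  # B: phone, new prefix
]

if __name__ == "__main__":
    print("stable IIDs:", bad_apples(OBSERVED))
    for addr, net in link_networks(OBSERVED).items():
        print(net, addr)
```

Household A's two laptop addresses end up with the same label although they share neither prefix nor IID; household B's do not, because nothing in that network kept a stable identifier across the rotation. Pushing the TV through a prefix translator changes nothing, since the IID is exactly the part a translator preserves.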

  11. -v(o.o)v-

    Funny that they didn't understand the documentation prefix 2001:db8:: and listed it as 2001:db80:: (is really 2001:0db8::)
