Thursday, October 25, 2012

Understanding IPv6 privacy extensions in SLAAC networks


IPv6 privacy extensions (RFC 4941) let a host hide its computed EUI-64 address, which is derived from the NIC's MAC address, from remote systems. With privacy extensions enabled, a remote site cannot determine your host machine/NIC vendor, or recognize the same machine when it shows up on a different network, just by looking at the EUI-64 part of the address.

The EUI-64 interface identifier is simple to compute. As the name suggests, it forms the bottom half of the 128-bit IPv6 address (the low 64 bits). With SLAAC, your router/firewall supplies the top half, the first 64 bits (the prefix). The easiest way to remember how this process works:

1: Take your MAC address (6 bytes in hex) and insert "FFFE" in the middle, between the 3rd and 4th bytes,
e.g.

AA:BB:CC:DD:EE:FF  would now become  AA BB CC FF FE DD EE FF


2: Now take the first octet, the one furthest to the left, and invert bit #7 (counting from the left, so the bit with value 0x02; this is the universal/local, or U/L, bit). That means if the bit is a 1 make it a 0, and if it is a 0 make it a 1.

So using the above fictitious MAC address, I have now crafted the EUI-64 identifier A8 BB CC FF FE DD EE FF (AA = 1010 1010 becomes A8 = 1010 1000; the FF FE in the middle is untouched).

Lastly the router, via its IPv6 RA (Router Advertisement), gives you the network prefix(es) you belong on, and prefix plus EUI-64 identifier make up your interface's 128-bit IPv6 address.
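As an added worked example (my code, not the post's), here is the two-step computation above in Python, generalized a little beyond the text: it accepts the common MAC notations (colon, dash and Cisco dotted), and it combines the identifier with a /64 prefix the way SLAAC does once the RA has been received. The prefixes and MACs in the usage section are the ones from this post.

```python
"""Modified EUI-64 interface identifiers from a MAC address (added example)."""
import ipaddress
import re


def mac_to_eui64_iid(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC.

    Step 1: split the 48-bit MAC in half and insert FF FE in the middle.
    Step 2: invert the universal/local (U/L) bit, bit 0x02 of the first byte.
    """
    raw = bytes.fromhex(re.sub(r"[:\-.]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02  # flip the U/L bit: AA -> A8, 40 -> 42
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix (as learned from an RA) with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address formation needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def pretty_iid(iid: bytes) -> str:
    """Render an 8-byte identifier as four IPv6 hextets, e.g. a8bb:ccff:fedd:eeff."""
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


if __name__ == "__main__":
    # The fictitious MAC from the post and the real en0 MAC from the ifconfig output.
    for mac in ("AA:BB:CC:DD:EE:FF", "40:6c:8f:03:18:c4", "406c.8f03.18c4"):
        print(f"{mac:20} -> {pretty_iid(mac_to_eui64_iid(mac))}")
    # Link-local plus the three prefixes the post's router advertises.
    for prefix in ("fe80::/64", "2001:414:1::/64", "2001:414:10::/64", "2001:414:11::/64"):
        print(f"{prefix:18} -> {eui64_address(prefix, '40:6c:8f:03:18:c4')}")
```

Note that Python prints a lone zero hextet as `:0:` (2001:414:1:0:426c:...) where BSD ifconfig collapses it to `::`; both are the same address, so compare with `ipaddress.IPv6Address` equality rather than string equality when you check your own output.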


Here's my computer's IPv6 addressing for en0

waffen01~ kfelix$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
        ether 40:6c:8f:03:18:c4
        inet6 fe80::426c:8fff:fe03:18c4%en0 prefixlen 64 scopeid 0x4
        inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
        inet6 2001:414:1::426c:8fff:fe03:18c4 prefixlen 64 autoconf
        inet6 2001:414:1::f149:7585:555:b340 prefixlen 64 autoconf temporary
        inet6 2001:414:10::426c:8fff:fe03:18c4 prefixlen 64 autoconf
        inet6 2001:414:10::97d:3bd2:72a0:7980 prefixlen 64 autoconf temporary
        inet6 2001:414:11::426c:8fff:fe03:18c4 prefixlen 64 autoconf
        inet6 2001:414:11::b8b4:46a3:70db:a938 prefixlen 64 autoconf temporary
        media: autoselect (100baseTX <full-duplex>)
        status: active


note: the addresses flagged "autoconf" without "temporary" are the EUI-64 computed ones; the ones flagged "autoconf temporary" are the privacy addresses.


Notice I'm on three unique IPv6 networks, 2001:414:1::/64, 2001:414:10::/64 and 2001:414:11::/64, and on each network I have 2 unique IPv6 addresses. One is my EUI-64 computed address, based off my NIC's MAC address, and the other is my IPv6 privacy address, which is randomly generated and rotated over time. Note that the same identifier, 426c:8fff:fe03:18c4, shows up under all three prefixes; that is exactly what lets a remote site recognize this laptop no matter which network it is on, and what the privacy address avoids.

Now if I go to a website or use anything external to my networks, the privacy (temporary) address will be used as the source address, as long as the OS prefers temporary addresses for outbound connections, which is the default on Mac OS X once privacy extensions are on.

e.g. (a simple ssh to a remote IPv6 Cisco router)

waffen01~ kfelix$ ssh cisco@2002:100::2

Password:

ccie02>show user

    Line       User       Host(s)              Idle       Location
*194 vty 0     cisco      idle                 00:00:00
                                                 2001:414:1:0:F149:7585:555:B340
  Interface    User               Mode         Idle     Peer Address
  Se0/0/0                         Sync PPP     00:00:02 1.1.1.1

ccie02>



Notice that the address the router logged under Location is my IPv6 privacy address (2001:414:1:0:F149:7585:555:B340) and not the EUI-64 computed address.
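To see the difference from the remote side, here is an added example (my code, not from the post) that does what an observer such as the Cisco router above, or any web server, could do with the source addresses it sees: flag the ones that carry an EUI-64 identifier, recover the MAC address from them, and group addresses from different prefixes that belong to the same NIC. The observed address list is constructed from the ifconfig and `show user` output above.

```python
"""Observer-side check: which IPv6 addresses expose a MAC address? (added example)"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC embedded in a modified EUI-64 interface identifier.

    Returns None when the low 64 bits do not carry the FF FE marker, which is
    the case for RFC 4941 temporary identifiers (they are random, so the marker
    shows up by chance only about 1 time in 65536).
    """
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # strip a zone id such as %en0
    iid = ip.packed[8:]                              # the low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                            # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addresses: List[str]) -> Dict[str, str]:
    """Map each observed address to 'eui64 <mac>' or 'temporary/other'."""
    result: Dict[str, str] = {}
    for a in addresses:
        mac = eui64_to_mac(a)
        result[a] = f"eui64 {mac}" if mac else "temporary/other"
    return result


def link_hosts(addresses: List[str]) -> Dict[str, List[str]]:
    """Group EUI-64 addresses by the MAC they expose.

    Every address in a group belongs to the same NIC regardless of prefix,
    which is the cross-network tracking that privacy extensions prevent.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for a in addresses:
        mac = eui64_to_mac(a)
        if mac:
            groups[mac].append(a)
    return dict(groups)


# Constructed sample: the en0 addresses from the post plus the source address
# the Cisco router logged for the ssh session.
OBSERVED = [
    "fe80::426c:8fff:fe03:18c4%en0",
    "2001:414:1::426c:8fff:fe03:18c4",
    "2001:414:1::f149:7585:555:b340",
    "2001:414:10::426c:8fff:fe03:18c4",
    "2001:414:10::97d:3bd2:72a0:7980",
    "2001:414:11::426c:8fff:fe03:18c4",
    "2001:414:11::b8b4:46a3:70db:a938",
    "2001:414:1:0:F149:7585:555:B340",
]

if __name__ == "__main__":
    for addr, verdict in classify(OBSERVED).items():
        print(f"{addr:36} {verdict}")
    for mac, addrs in link_hosts(OBSERVED).items():
        print(f"\nMAC {mac} seen behind {len(addrs)} addresses:")
        for a in addrs:
            print(f"    {a}")
```

The first three bytes of the recovered MAC are the OUI, so a remote site learns the NIC vendor as well as a stable per-machine identifier; the temporary addresses give it neither.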


I hope this helps with understanding IPv6 privacy extensions and how they help protect your privacy. Read more about this feature in RFC 4941 (Privacy Extensions for Stateless Address Autoconfiguration in IPv6) on the RFC website.

If you're too lazy to compute the address, or want to confirm it, this handy site has an EUI-64 computer

http://www.kame.net/~suz/gen-ula.html  :)


FWIW:  To disable privacy extensions

linux


echo 0 >/proc/sys/net/ipv6/conf/eth0/use_tempaddr

(0 disables temporary addresses; 1 generates them but still prefers the EUI-64 address as the source; 2 generates them and prefers them, which is the value you want when turning privacy extensions on. The path above is per interface; the same knob exists under conf/all and conf/default, and sysctl -w net.ipv6.conf.eth0.use_tempaddr=0 is the equivalent.)

macosx

sudo sysctl -w net.inet6.ip6.use_tempaddr=0

sysctl net.inet6.ip6.use_tempaddr

(On Mac OS X, net.inet6.ip6.prefer_tempaddr controls whether the temporary address is preferred as the source; use_tempaddr only controls whether it is generated. Check with ifconfig afterwards: temporary addresses already on the interface are not removed right away.)





Are you ready for IPv6? I can assist in IPv6 migration strategies and network design for IPv6.

Ken Felix
kfelix " at " hyperfeed.com
Freelance Security/Network Engineer

 

2 comments:

  1. FWIW OpenBSD as of 5.1 does NOT support privacy extensions

  2. OpenBSD and MACOSX only seem to support 9 prefixes

    kfelix-MacBook:~ root# ifconfig en0
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
    ether aa:bb:cc:dd:ee:ff
    inet6 fe80::a8bb:ccff:fedd:eeff%en0 prefixlen 64 scopeid 0x4
    inet 192.168.110.2 netmask 0xffffff00 broadcast 192.168.110.255
    inet6 2002:100::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
    inet6 2002:101::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
    inet6 2002:102::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
    inet6 2002:103::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
    inet6 2002:104::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
    inet6 2002:105::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
    inet6 2002:106::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
    inet6 2002:107::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
    inet6 2002:108::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
    media: autoselect (100baseTX )
    status: active
