Introduction to IPV6: Stable Privacy Address.


This article introduces the Stable Privacy Address, which has been available since Linux kernel 4.4 and is disabled by default. This type of address has several benefits. SPOTO will cover the relevant IPv6 knowledge to help millions of candidates learn and understand IPv6.

Two common address types

1. Global Unicast Address

This address is similar to an IPv4 public address and is used to communicate with IPv6 servers on the global Internet. Addresses of this type are globally unique. The address format has three parts: a 48-bit Global Routing Prefix, a 16-bit Subnet ID and a 64-bit Interface ID. For stateless address allocation, the 48-bit routing prefix plus the 16-bit subnet ID (64 bits in total) is called the prefix.

2. Link-local address

This address is used only for communication on the local link, a relatively small scope similar to a LAN; packets sent from these addresses are never forwarded by a router, and they typically carry ICMPv6 messages. The first 16 bits of the address are FE80, the next 48 bits are all zeros, and the remaining 64 bits are the interface ID; in other words, the address lies in fe80::/64.

These two are the most commonly used address types in IPv6. Note that they share an important component: the 64-bit Interface ID. This article focuses on how the Interface ID is generated.

Stable Privacy Address introduced

In general, the two commonly used methods for generating the interface ID are EUI-64 and the random generation described in "Privacy Extensions for Stateless Address Autoconfiguration in IPv6" [RFC4941].

The EUI-64 method is the traditional one, but it has several disadvantages:

1. Since the resulting interface identifier is constant, the resulting IPv6 address can be tracked across multiple networks, which affects user privacy.

2. Since embedding the underlying link-layer address in the interface identifier produces a specific address pattern, an attacker may exploit this pattern to reduce the search space of an address scan [ipv6-recon].

3. Embedding the underlying hardware address in the interface identifier leaks that address, which may expose the host to further attacks.

4. A change in the hardware address results in a change of address.

Because the traditional scheme has these drawbacks, new methods have been proposed; the stable privacy address introduced here is one of them. The focus is on how its interface ID is generated. The design goals of this method are:

1. Within the same subnet, where the allocation yields the same prefix, the interface ID remains stable. In other words, each prefix maps to one interface ID: under the same subnet and the same prefix, the same interface ID is always generated.

2. When a different prefix is configured, the interface ID must change. This means that, given two addresses generated by the method specified in this document, it must be difficult for an attacker to tell whether they were generated by the same host.

3. It is very difficult for external devices or attackers to predict which identifiers will be generated.

4. Depending on the implementation, the interface ID has nothing to do with the hardware MAC address.

5. This method is only an alternative to the hardware-based method of generating the interface ID; that is, the document neither objects to nor eliminates other interface ID generation methods. It can be applied to all stable (that is, non-temporary) SLAAC IPv6 addresses, including global, link-local and unique local IPv6 addresses.
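The goals above are met by deriving the interface ID as a keyed hash of the prefix, a stable per-interface identifier, an optional network identifier, a DAD counter and a host secret, which is the construction RFC 7217 specifies. The following is an added example (not code from the article or from the Linux kernel) that implements that derivation; it assumes SHA-256 as the hash function, the interface name as the per-interface identifier, and a reduced reserved-IID check.

```python
import hashlib
import ipaddress

# RFC 5453 reserved interface identifiers (a subset, checked here as an example):
# the all-zero IID (subnet-router anycast) and fdff:ffff:ffff:ff80 .. ffff (reserved anycast)
def is_reserved_iid(iid: int) -> bool:
    return iid == 0 or 0xFDFFFFFFFFFFFF80 <= iid <= 0xFDFFFFFFFFFFFFFF

def stable_privacy_iid(prefix: ipaddress.IPv6Network, net_iface: str,
                       secret_key: bytes, network_id: bytes = b"",
                       dad_counter: int = 0) -> int:
    """F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) -> 64-bit interface ID.

    SHA-256 is the assumed hash; RFC 7217 only requires a cryptographic hash.
    The interface ID is taken from the least-significant 64 bits of the digest.
    """
    data = (prefix.network_address.packed[:8]   # the 64-bit prefix
            + net_iface.encode()                 # stable per-interface identifier (assumed: name)
            + network_id                         # optional, e.g. the SSID on a wireless link
            + dad_counter.to_bytes(1, "big")     # bumped on DAD failure or a reserved IID
            + secret_key)                        # host secret, never sent on the wire
    return int.from_bytes(hashlib.sha256(data).digest()[-8:], "big")

def stable_privacy_address(prefix: str, net_iface: str, secret_key: bytes,
                           network_id: bytes = b"") -> tuple:
    """Derive the SLAAC address for `prefix`, skipping reserved IIDs via DAD_Counter."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs are 64 bits, so the prefix must be a /64")
    for counter in range(256):                   # DAD_Counter is an 8-bit value
        iid = stable_privacy_iid(net, net_iface, secret_key, network_id, counter)
        if not is_reserved_iid(iid):
            return ipaddress.IPv6Address(int(net.network_address) | iid), counter
    raise RuntimeError("no usable interface ID found for this prefix")

if __name__ == "__main__":
    secret = bytes(range(32))                    # constructed demo secret; use os.urandom(32) in practice
    same_a, _ = stable_privacy_address("2001:db8:1::/64", "eth0", secret)
    same_b, _ = stable_privacy_address("2001:db8:1::/64", "eth0", secret)
    other, _ = stable_privacy_address("2001:db8:2::/64", "eth0", secret)
    link_local, _ = stable_privacy_address("fe80::/64", "eth0", secret)
    print("same prefix gives the same address:", same_a == same_b, same_a)
    print("new prefix gives a new interface ID:", other.packed[8:] != same_a.packed[8:], other)
    print("link-local address:", link_local)
```

Running the block shows goals 1 and 2 directly: the same prefix and secret always yield the same address, while a different prefix yields an unrelated interface ID, and nothing in the derivation depends on the MAC address.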