Threat Level: green Handler on Duty: Scott Fendley

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Enabling Privacy Enhanced Addresses for IPv6

Published: 2011-06-01
Last Updated: 2011-06-02 13:26:33 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address using the MAC address. Many see this as a privacy problem. The last half of your IP address will never change, and with MAC addresses being somewhat unique, the interface ID becomes close to a unique "cookie" identifying your system.

As a result, RFC3041 introduces "privacy enhanced" addresses which will change and are created by hashing the MAC address. Of course, each operating system has its own way to enable privacy enhanced addresses.

Windows 7:

You can use "netsh" to enable and configure privacy enhanced addresses. Use

netsh interface ipv6 show privacy 

to query the status, and

netsh interface ipv6 set privacy state=enabled 

to enable it. In my testing, privacy enhanced addresses were enabled and I wasn't actually able to disable them (a possible bug?).

OS X:

OS X uses the sysctl command to change various kernel parameters, including privacy enhanced addresses. By default, EUI-64 is used.

To enable, run 

sudo sysctl -w net.inet6.ip6.use_tempaddr=1

and cycle the interfaces (ifconfig en0 down; ifconfig en0 up). However, to have this setting survive a reboot, create a file called /etc/sysctl.conf and add the line:

 

net.inet6.ip6.use_tempaddr=1

 Linux:

as root, similar to OS X, update the respective /proc entries

echo 1 > /proc/sys/net/ipv6/conf/all/use_tempaddr
echo 1 > /proc/sys/net/ipv6/conf/default/use_tempaddr
echo 1 > /proc/sys/net/ipv6/conf/eth0/use_tempaddr

Linux uses an /etc/sysctl.conf file, just like OS X, to make these changes persistent during reboots.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

5 comment(s)
Cisco Security Advisory: Default Credentials for root Account on the Cisco Media Experience Engine 5600 - http://www.cisco.com/warp/public/707/cisco-sa-20110601-mxe.shtml
Cisco Security Advisory: Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client - http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
Cisco Security Advisory: Default Credentials Vulnerability in Cisco Network Registrar - http://www.cisco.com/warp/public/707/cisco-sa-20110601-cnr.shtml
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified IP Phones 7900 Series - http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml
Wireshark 1.4.7 and 1.2.17 Released - http://www.wireshark.org/news/20110531.html
Diary Archives