[sdnog] Temporary IPv6 Address

Nishal Goburdhan nishal at controlfreak.co.za
Wed Jan 28 14:05:58 SAST 2015


On 28 Jan 2015, at 10:28, Sara Alamin <sara.alamin at sudren.edu.sd> wrote:

> Hi all,
> I want to ask about the Temporary IPv6 Address. If someone can help me to understand this:
> What is a Temporary IPv6 Address? How is it generated? How can I have more than one Temporary IPv6 address?
> Also, why when I check the “what is my IP” websites do they show me the Temporary one even if I have a static or DHCP address?
> Thanks...

hi sara,

the temporary address is just that;  a temporary IPv6 address, that's auto-configured, and in use by your network device, for a set period of time, while you are connected to a particular network, and expires afterwards (or if you reconnect).

first, remember that an IPv6 address has two components;  the network + host components.  for auto-configured/dynamically allocated addresses, the host component of the address is always 64bits.  there are two common ways to hand out dynamic IPv6 addresses - SLAAC (which, for a long time, was the de-facto standard) and DHCPv6. loosely speaking, the SLAAC process took your 48bit mac-address (say: 00:11:22:33:44:55) and split this on the 24bit boundary;  added a bit-complement, and FF:FE to it.  so using the example mac-address from earlier, you would get something like 02:11:22:FF:FE:33:44:55.  that's a 64bit (we call it a modified EUI64) address;  and that becomes the basis for the IPv6 address that your host would use.  

note - i didn't explain the entire process in detail, and you can find more info here:  http://en.wikipedia.org/wiki/IPv6_address#Modified_EUI-64 - understand though, that there is some function that is used to convert your 48 bit mac-address to a 64 bit number for use in the IPv6 address computation process - that's the important bit.

now, let's say you're at home, and the network that you connected to is 2001:db8:1cec:0ffe::/64.   to get your complete IPv6 address, your device would just need to append the EUI64 address to the network address;  that would give you: 2001:db8:1cec:0ffe (the network bit) and 0211:22ff:fe33:4455 (your host) = 2001:db8:1cec:0ffe:0211:22ff:fe33:4455.    that would then be the address you used, while connected to that particular network (your home in this case)

now, let's assume that you move networks (you go to work).  you still have the same laptop you used at home, with the same network card (and hence the same mac-address).  but the network that you connect to in your home, has a different network prefix, say:  2c0f:fec8:1234:5678::/64
because your mac-address (and hence EUI64) hasn't changed, it's easy to work out what your new IPv6 address will be, in the new network:  that's:  2c0f:fec8:1234:5678 (the new network) and 0211:22ff:fe33:4455 (your EUI64 address) = 2c0f:fec8:1234:5678:0211:22ff:fe33:4455 = your IPv6 address at work.  

so now you go to Solitaire, and use their public-wifi.  their network prefix is:  2001:1:2:3::/64.  since your device hasn't changed, your IPv6 address on their network, while you are connected there, will be:  2001:1:2:3:0211:22ff:fe33:4455.   

spot the problem?  see how easy it is to identify that this was the same person (well, the same network card) that went to three different locations, just by looking at the last 64bits of the address?   so, it's really a privacy issue;  by knowing someone's mac-address you can collect lots and lots of data about where they have been, what they've visited, etc...

temporary (or privacy addresses as they are sometimes called), are a solution to this;  your operating system randomly generates a 64bit identifier for you to use, as the base for your "host" address.  depending on your operating system, this can last 1hr, or 1day;  and it can be changed by most modern operating systems.  for example, on my laptop, i can see:   
net.inet6.ip6.use_tempaddr: 1
net.inet6.ip6.temppltime: 21600
net.inet6.ip6.tempvltime: 86400
...which basically tells my laptop to use/generate a temporary address, and use it for 21600 seconds (6h), with a maximum lifetime validity of 86400 seconds (1d).  those are non-standard values;  it's likely i was experimenting with something.

my experimental Win7 VM shows me: 
C:\Users\Nishal>netsh interface ipv6 show privacy
Querying active state...
Temporary Address Parameters
---------------------------------------------
Use Temporary Addresses             : enabled
Duplicate Address Detection Attempts: 5
Maximum Valid Lifetime              : 7d
Maximum Preferred Lifetime          : 1d
Regenerate Time                     : 5s
Maximum Random Time                 : 10m
Random Time                         : 0s


so how do these work?  when you connect to something, the connection from your side, is *sourced* from your temporary address.  that is why your "temporary" address showed up, when you connected to the website above, because the remote side saw this (your temporary address) as the connection-source; and this is what they log.  and, because this temporary address is randomised, and changes over time, it's not really possible to track you, just by using your IPv6 address.  

you should still have your regular modified EUI-64 SLAAC address on the interface as well.  that's just not used to source your connections, but, it's used for hosts that may need to initiate a connection to you, for some reason.  remember that with IPv6, you can have multiple addresses on the same interface at the same time.


> Peace be upon you
> I want to ask about the temporary IPv6 address (Temporary IPv6). If someone could help me understand this:
> What is this address? How is it generated? How can a device have more than one address? And why, when I check the "what is my IP" websites, does one of these temporary addresses appear, even though I have been assigned a static or DHCP address?
> 
> Thank you .....

tamaam ? 

--n.
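
Added example (not part of the original message): the modified EUI-64 derivation and the three-network walk-through above, in Python, next to randomly generated temporary identifiers. The MAC and prefixes are the ones used in the message; the function names are hypothetical, and temporary_address() is a simplification that only draws a random 64-bit identifier.

```python
import ipaddress
import secrets
from typing import Optional

MAC = "00:11:22:33:44:55"  # example MAC from the message
PREFIXES = ["2001:db8:1cec:0ffe::/64", "2c0f:fec8:1234:5678::/64", "2001:1:2:3::/64"]

def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # flip the universal/local bit, then insert ff:fe at the 24-bit boundary
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def join(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Append a 64-bit interface identifier to a /64 network prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit identifier")
    return net.network_address + int.from_bytes(iid, "big")

def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """Simplified temporary address: a fresh random 64-bit identifier.
    Assumption: real stacks follow RFC 4941/8981 and also manage lifetimes."""
    return join(prefix, secrets.token_bytes(8))

def mac_from_address(addr) -> Optional[str]:
    """Return the MAC embedded in an address whose low 64 bits look like EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

def group_by_identifier(addresses) -> dict:
    """Group logged source addresses by their low 64 bits."""
    groups = {}
    for a in addresses:
        addr = ipaddress.IPv6Address(a)
        groups.setdefault(addr.packed[8:].hex(), []).append(str(addr))
    return groups

if __name__ == "__main__":
    eui = mac_to_modified_eui64(MAC)
    slaac = [join(p, eui) for p in PREFIXES]
    temp = [temporary_address(p) for p in PREFIXES]
    print(group_by_identifier(slaac))  # one group: same card on all three networks
    print(group_by_identifier(temp))   # three unrelated identifiers
    print([mac_from_address(a) for a in slaac])
```

Running mac_from_address() over the source addresses in your own logs shows which hosts are still sourcing connections from MAC-derived addresses instead of temporary ones.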

