Re: Windows 11 now implements RFC 7217 (stable privacy addresses)!

2022-12-13 Thread Douglas Fischer 
Good news!
Good perspectives for the future...

But this thread remembered-me about RFC 3021 and Windows... Since December
2000.

https://social.technet.microsoft.com/Forums/en-US/6da37a2d-6884-4c3c-bdd5-1b8356edfced/windows-102019-non-compliant-with-rfc-3021-ipv4-31-subnet-mask?forum=winserverPN

Em ter., 13 de dez. de 2022 03:45, Fernando Gont 
escreveu:

> Folks,
>
> After over 10 (yes, *ten*) years, we have finally addressed
> security/privacy issues in the generation of IPv6 stable addresses in
> most popular operating systems.
>
> The traditional scheme/algorithm to generate stable IPv6 addresses with
> SLAAC required that the underlying MAC address be employed to generate
> the Interface Identifier. That is, the underlying MAC address would be
> embedded in the lower bits of an IPv6 address.
>
> This scheme allowed for host-tracking (since MAC addresses are usually
> globally-unique), address scanning (since addresses will follow specific
> patterns) and a number of other issues.
>
> In 2011, I submitted an IETF Internet-Draft proposing a scheme for
> generating stable addresses with SLAAC, meant to replace the traditional
> scheme. The scheme could be summarised and simplified as: Interface_ID =
> Hash(Prefix, Secret). Thus, interface identifiers would be stable within
> the same subnet, but vary across subnets.
>
> [Replacing the traditional scheme with this new scheme was anything but
> easy -- if you're curious, please check the "IPv6 Addressing" section in
> <
> https://www.si6networks.com/2020/08/06/a-brief-history-of-recent-advances-in-ipv6-security-part-i/>
>
> ]
>
> Over time, popular operating systems and packages adopted the proposed
> algorithm: the Linux kernel, NetworkManager, OpenBSD's slaacd, MacOS,
> etc. Eventually, virtually every popular OS had adopted the scheme
> except Windows.
>
> Based on a recent note by Brian Carpenter, I ended up testing Windows
> 11, and I can confirm that it does implement RFC 7217 / RFC 8064!
>
> Therefore, e.g. if multiple prefixes are employed on a subnet, the
> stable addresses for each of such prefixes will employ a different
> Interface Identifier, thus avoiding the security/privacy issues
> discussed above -- this is really good news!
>
> Unfortunately, Windows still generates temporary addresses with the
> algorithm specified in RFC 4941, thus resulting in all temporary
> addresses for a given interface employing the same Interface Identifier
> (!). This problem has been addressed in RFC 8981... but it's
> implementation is not yet widespread, yet (it has been incoporated in
> e.g. the Linux kernel, though).
>
> I just hope it doesn't take Windows and others yet another 10+ years to
> implement RFC 8981, to finally address the remaining security/privacy
> issues in IPv6 address generation!
>
> [Original article with screenshots:
>
> https://www.linkedin.com/posts/fernandogont_after-over-10-yes-ten-years-we-have-activity-7008316664207290368-Wcto
> ]
>
> Thanks!
>
> Regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fg...@si6networks.com
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
>

Windows 11 now implements RFC 7217 (stable privacy addresses)!

2022-12-12 Thread Fernando Gont 

Folks,

After over 10 (yes, *ten*) years, we have finally addressed 
security/privacy issues in the generation of IPv6 stable addresses in 
most popular operating systems.


The traditional scheme/algorithm to generate stable IPv6 addresses with 
SLAAC required that the underlying MAC address be employed to generate 
the Interface Identifier. That is, the underlying MAC address would be 
embedded in the lower bits of an IPv6 address.


This scheme allowed for host-tracking (since MAC addresses are usually 
globally-unique), address scanning (since addresses will follow specific 
patterns) and a number of other issues.


In 2011, I submitted an IETF Internet-Draft proposing a scheme for 
generating stable addresses with SLAAC, meant to replace the traditional 
scheme. The scheme could be summarised and simplified as: Interface_ID = 
Hash(Prefix, Secret). Thus, interface identifiers would be stable within 
the same subnet, but vary across subnets.


[Replacing the traditional scheme with this new scheme was anything but 
easy -- if you're curious, please check the "IPv6 Addressing" section in 
 
]


Over time, popular operating systems and packages adopted the proposed 
algorithm: the Linux kernel, NetworkManager, OpenBSD's slaacd, MacOS, 
etc. Eventually, virtually every popular OS had adopted the scheme 
except Windows.


Based on a recent note by Brian Carpenter, I ended up testing Windows 
11, and I can confirm that it does implement RFC 7217 / RFC 8064!


Therefore, e.g. if multiple prefixes are employed on a subnet, the 
stable addresses for each of such prefixes will employ a different 
Interface Identifier, thus avoiding the security/privacy issues 
discussed above -- this is really good news!


Unfortunately, Windows still generates temporary addresses with the 
algorithm specified in RFC 4941, thus resulting in all temporary 
addresses for a given interface employing the same Interface Identifier 
(!). This problem has been addressed in RFC 8981... but it's 
implementation is not yet widespread, yet (it has been incoporated in 
e.g. the Linux kernel, though).


I just hope it doesn't take Windows and others yet another 10+ years to 
implement RFC 8981, to finally address the remaining security/privacy 
issues in IPv6 address generation!


[Original article with screenshots: 
https://www.linkedin.com/posts/fernandogont_after-over-10-yes-ten-years-we-have-activity-7008316664207290368-Wcto 
]


Thanks!

Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494