Hi,

I'm sure many of you are already using IPv6-autoconf Linux *clients* in
combination with an IPv6 router distributing router advertisements.

Normally, clients use their MAC address to generate the IPv6 address
with the received prefix. Until RFC 3041 is supported by vanilla or
by-distributor-patched kernels, I found a simple solution (surely not
new) to hide the MAC addresses from the IPv6 Internet:

Overwrite the MAC address of the interface on startup.
It worked here on Linux kernel 2.4 (2.4.18-series of Red Hat Linux,
surely on others too).

On RHL, this can be set up simply by adding the following configuration
line:

# more /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
BROADCAST=10.0.0.255
IPADDR=10.0.0.2
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes

IPV6INIT="yes"
MACADDR="02:00:00:00:00:01"  # set MAC address manually


Perhaps other distributions' initscripts contain similar support.


Use any MAC token you want, but take care with the first byte
(use "02"; it contains the universal/local and unicast/multicast bits).

All other bytes can be random.

Note: the MAC address can only be set if the device is down.

After the device is up again, on receiving the next IPv6 router
advertisement the new MAC was used to generate the client's IPv6
address, e.g.:

# ip -6 addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    inet6 ::1/128 scope host
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    inet6 fe80::ff:fe00:1/10 scope link
    inet6 3ffe:ffff:0123:4567:0:ff:fe00:1/64 scope global dynamic
       valid_lft 29sec preferred_lft 19sec


So tracking your MAC address and NIC hardware no longer works,
unlike at the moment; see e.g. here
http://www.ipv6.bieringer.de/stats/distribution-ouitype/analog.html
(IPv6-only!)


On request (-> send an email) I will create (for RHL compatible
systems) a patch for "/etc/sysconfig/network-scripts/ifup" or enhance
"/etc/sysconfig/network-scripts/init.ipv6-global" to overwrite
(toggled by a new config option) all MAC addresses of physical
devices with random locally generated ones (so on each boot, another
interface identifier will be generated).


Hope this helps to increase some kind of IPv6 privacy for the moment.

        Peter

-- 
Dr. Peter Bieringer                     http://www.bieringer.de/pb/
GPG/PGP Key 0x958F422D               mailto: pb at bieringer dot de 
Deep Space 6 Co-Founder and Core Member  http://www.deepspace6.net/
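
Added example, not part of the original post: a POSIX shell sketch that generates a random MAC with a valid first byte (locally administered, unicast) and shows the autoconfigured interface identifier it produces. The function names are hypothetical; the script only prints a MACADDR line and changes no interface.

```shell
#!/bin/sh
# Added illustration; function names are assumptions, not from any initscript.

# Print a random MAC whose first octet has the universal/local bit (0x02)
# set and the unicast/multicast bit (0x01) cleared.
random_local_mac() {
    # Six random bytes as hex words, e.g. " 3a 91 0c 7e 55 f0"
    set -- $(od -An -N6 -tx1 /dev/urandom)
    first=$(( (0x$1 | 0x02) & 0xfe ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Succeed only if the MAC is locally administered AND unicast,
# i.e. the low two bits of the first octet are binary 10.
is_local_unicast() {
    first=$(( 0x${1%%:*} ))
    [ $(( first & 0x03 )) -eq 2 ]
}

# Derive the interface identifier that stateless autoconfiguration builds
# from a MAC: invert the universal/local bit, insert ff:fe in the middle.
# Output is the last four address groups, leading zeros dropped.
mac_to_iid() {
    old_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    b0=$(( 0x$1 ^ 0x02 ))
    printf '%x:%x:%x:%x\n' \
        $(( (b0 << 8) | 0x$2 )) $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 ))    $(( (0x$5 << 8) | 0x$6 ))
}

# Print a line suitable for ifcfg-eth0 plus the resulting identifier.
mac=$(random_local_mac)
echo "MACADDR=\"$mac\"  # interface identifier: $(mac_to_iid "$mac")"
```

For the MAC used in the post, `mac_to_iid 02:00:00:00:00:01` prints `0:ff:fe00:1`, matching the suffix of both addresses in the `ip -6 addr` output above.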