Where's All The Outrage About The IPv6 Privacy? 259
SyntheticTruth writes "It seems the specs for the IPv6 standard use the 48-bit NIC address as part of the unique IP address, which can be used to trace packets back to the user's computer. " The story is asking why people
don't seem to care about something which is gonna certainly raise privacy concerns.
Re:this guy obviously has a huge chip on his shoul (Score:1)
Re:Ignorance of IPv6 is amazing! (Score:1)
ARP (Score:1)
This reminds me of the logic in the Coffee RFC ( http://www.ietf.org/rfc/rfc2324.txt ) : "HTCPCP is based on HTTP. This is because HTTP is everywhere. It could not be so pervasive without being good. Therefore, HTTP is good. "
Flawed logic.
On to the technical side:
Since 2^128 is a ludicrously large number, and since we can get by on 2^64 (another ludicrously large number) of IP addresses, they have simply stuck the MAC address in the remaining bits (my interpretation).
Why is this not a problem?
You can always find someone's MAC address if you use an ARP request across an IPv4 network.. Heck, it's how IP works! You need a static address (like the MAC addresses), and you need a logical address (like the IP addresses). There's even a higher abstraction, that of the domain name.
Why is this good?
By including the MAC addresses in the header, you can (hopefully) reduce a bit of router load, make transport of packets easier and more logical from the code side, reduce the incidences of packet spoofing (maybe). This is very different from a "machine fingure print" that is stuck in say an MS Word document. How so? There's no need for a document to have an ID that tracks back to the computer that made it, while there is a very logical reason for network cards to have MAC addresses. Have any of you read the IEEE specs for Ethernet packet transmissions? Yes, MAC addresses have been "visible" for a long time already. It's how network works.
Now, I don't think dialup people will be affected, as they are networked a different way (ie: not via MAC addresses). The same holds true for ATM and ISDN (which use different underlying network designs).
Conclusion:
This is as much a privacy concern, as your own licence plate number is. "Oh, no! They can track where I drive, where I shop, what movies I see, whose houses I visit!!"
Re:IPv6 and privacy (Score:1)
If your MAC address is embeded in your IP number, and the the Domain name of your IP address is also embedded in your IP address, how could it be any easier to trace you?
For all you AC posters, how bout same agents seizing all the sys logs of /. which_already_record your IP address.
- mourning the late great 4th Amendment.
Traceability of IP Addresses (Score:1)
they aren't authenticated. While it is possible
to "trace" an IP address to its source in real-
time in some circumstances, doing so is nowhere
nearly as simple as you're making it out to be.
The obvious issue here is address spoofing, since
nothing prevents an attacker from sending out
a packet with an arbitrary source address. While
there are issues with doing "full duplex" spoofed
transactions (the Internet will normally route the
responses back to their true source), this is
not an unsolveable technical problem.
There has been work done in the recent past to
faciliate traceability of unauthenticated IP
packets. The insight is that you can trust the
routers (at some level in the routing hierarchy).
The routers can identify and cache the interface
on which each distinct IP address arrives. You
then just need a recursive query protocol to
trace the address backwards hop-by-hop until you
get a reasonable approximation of where the
address entered the system.
But if the point that you're making is that the
privacy impact of IPv6 address assignment schemes
are irrelevant because you have no privacy NOW,
I agree wholeheartedly. Anonymous forwarding/
proxy systems are the way to go; the amount of
work it takes to make a truely anonymous network
is significant, and neither IPv4 nor IPv6
does anything to address that.
Re:Let me place your foot in your mouth (Score:1)
But let me just say I don't know for certain, but it really seems to me that you don't know that you don't know. Got that?
why can't we all just get along, d00d?
cheers,
-o
Re:Let me place your foot in your mouth (Score:1)
Re:Let me place your foot in your mouth (Score:1)
you're probably thinking of rarp.
Street address (Score:1)
The school I went to used to use room-number as your address. Privacy concerns led to them switching to a mix-and-match DHCP randomization that decoupled names from rooms. Although annoying, it was probably a good thing.
--Joe--
MAC Addresses - where they come from (Score:3)
Like IP addresses there is an area in the address space set aside for private use. It is possible, if not entirely sane, to reconfigure an entire LAN... Don't laugh, I've heard of people doing this! I can't remember the rules off hand though...
Modifying MAC addresses is really simple not matter what age of NIC you have. Most NICs store their MAC address in a small lump of EEPROM on older cards this is just plain old PROM.
When a driver starts up it gets the ethernet address from the PROM and loads it into a set of station address registers in the NIC. There is no obligation for the driver to load the address it gets from EEPROM or even for there to be an EEPROM! This feature is regularly exploited by embedded systems with ethernet which store the MAC address in FLASH or some other multi-use NV storage to save money.
What I'm getting at is that it would be really, really easy(if Linux doen't do it already) to allow users to specify a new ethernet MAC address if they felt paranoid. Given the ratio of address space to LAN size you could even produce random MAC addresses at startup if you were paranoid enough.... Of course there are smarter mechanisms for doing this as other posters have pointed out.
If anyone has a burning desire to have a very small amount of official ethernet address space then drop me a line and I'll see what I can do (HW manufacturers only!)
Re:I'll give you $10 million if you can find me! (Score:1)
-davek
Re:Toasters (Score:1)
Re:Question.. (Score:1)
Re:Oh, the horror! (Score:1)
Wouldn't this break filtering network switches? (Score:1)
A switch is a smart hub that only forwards the packets to the connector where the destinator sits, rather than broadcasting it to all connectors like a dumb hub would do.
Now, how does the switch find out where which computers are connected? Easy: it looks at the originating MAC addresses of the that come in through the various ports. For example if a packet singed with the MAC address 01:02:03:04:05:06 came in on connector 7, the switch would know that the computer with that address sits at that connector. If later on the switch got a packet intended for 01:02:03:04:05:06, it would know that it should forward it to connector 7.
However, obviously this only works if the first communication comes from the machines, rather than going to it. Fortunately, for IPv4, this is always the case. Indeed, suppose that the machine at 10.0.0.1 wants to talk to 10.0.0.2. Before being able to open the connection, 10.0.0.1 must find out the MAC address of 10.0.0.2. It can find this out using the ARP protocol. This protocol basically consists of sending out an ethernet broadcast packet asking "who has 10.0.0.2". As it is a broadcast packets, the switch sends it out to all its ports. When 10.0.0.2 gets the ARP request, it replies by replying "I have 10.0.0.2" to 10.0.0.1. 10.0.0.1 now just needs to cull out the originating MAC address out of the packet and it is set.
However, in addition to this, the ARP reply also passed through the switch, which dutifully noted at which connector that MAC address sat. The beauty of all this is that it works without the hosts needing to know that it happens, and without the switch to know anything about TCP/IP.
Now, with IPv6, things change a bit: in order to find out the MAC address of your peer, you no longer need to send out ARP requests: you can just cull out the lower order bits of the IP address, and you're set. But the network switch now no longer knows to which port the packets should be forwarded, and we might see lots of interesting failure modes...
Re:So what? (Score:2)
Yes, they do, which is wrong -- what happens when you have multiple network cards in a machine? The answer is that Sun violates the standards, and has a MAC address per machine rather than per card...
Re:Not nightmare - or security hole (for linux use (Score:1)
Re:So what? (Score:2)
AFAIK you can modify the MAC on your ethernet card just by fiddling around with some jumpers..
Re:Let me place your foot in your mouth (Score:1)
Re:Even in windoze (Score:1)
Re:Let me place your foot in your mouth (Score:1)
$ arp Address HWtype HWaddress Flags Mask Iface bingo ether 00:A0:F9:00:99:89 C eth0 $ ls -al =arp -rwxr-xr-x 1 root root 29000 Mar 25 1999 /sbin/arp*
damn, now you know my router's MAC address. now every spook and hacker out there is going to trace me!! *runs screaming*
no more cookies (Score:2)
Different possibilities.... (Score:2)
2. Windozers and Mac-heads don't know or care about the nitty gritty. Just insert AOL disk here...
3. By the time IPv6 gets widely implemented on client machines we will all be part of the Borg collective anyway....
#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak
Re:So what? (Score:2)
Inefficient (Score:1)
A company certainly doesn't neat 24 bits of address space just becauset hey have a few hundred machines.
So what? (Score:5)
All this does is tie a number that is meaningless to the rest of the world to your IP address. Your IP address already exposes you far more than your MAC address would. The only exception I can see off the top of my head are people who trust a proxy/firewall to protect their identities.
--
Re:So what? (Score:1)
Re:Ummm (Score:1)
--
Possible reasons why people don't care (Score:3)
MAC addresses are easy to spoof (example, my cable modem service is tied to the MAC address for the pci nic in my win98 box, because thats what the set it up on, but my linux fw box doesn't have a pci slot, so i just made it think that its outside nic had the same MAC address as the pci nic, it works great.
They don't care because they don't know, this is probably the most likely one.
Re:I think we've all missed a detail. (Score:1)
Re:Let me place your foot in your mouth (Score:1)
I was in a state of drunken linux stupur.
still. arp only has to be compiled when ethernet networking is compiled in. I have removed arp from my kernel. used to remove icmp too.
Re:Not much reduced anonymity (Score:1)
EVERY ISP logs connections with at LEAST username logged in at such and such a time ang got such and such an address, some even log the source phone number.
IPV6 specs have been around for a while and many people chatted about this issue, but it is NO different than IPv4, there will always be a way to track it back to source. If it is through a non logging proxy then you know laws will be put in place to say that the owner can be liable for some actions originating from his box unless he can prove it wasn't him. Which means logs
NIC MAC addresses (Score:1)
Luckily my ISP doesn't do this, I would immediately find a new provider.
It's all downhill from here
MAC? (Score:1)
Tee Hee
Why hasn't this been a big deal? (Score:3)
I, for one, don't see how such information is going to help route packets that much. Other than allowing EVERY ETHERNIC ON EARTH TO BE ON THE SAME SUBNET. Do we really need this? There really isn't a purpose to that.
Secondly, people only get really angry when they see something in use. Like the P3 security thing people knew about beforehand but didn't get pissed about till afterwards. Same thing with the win98 big brother thing.
Of course we could all take the view of Scott McNealy and just realize we have no privacy. I can take your names or email addresses and go buy tons of information from experian for 10 cents a head. I'd probably be more worried about that.
Besides, just get multiple nics then. You could easily just do something with the one nic, go buy a new one and voila, your info has changed and you can deny you ever had the old one.
Re:this guy obviously has a huge chip on his shoul (Score:1)
Or who have the vast majority of their network on RFC 1918 addresses (or may as well be using these.)
Re:What's the problem? (Score:1)
Telephone services are traceable, and there are many services in the field. I may be cynical, but why I feel like people consider this a bad thing because after that it's easier to track if they visit porn sites on the web and how often..
Theres nothing wrong with it (Score:2)
I agree privacy must be protected but that is why IPv6 has end-to-end encryption and connection authentication built in to prevent spoofing and eaves dropping.
As stated by someone earlier, the reason IPv6 was developed in the first place was to address a address space problem. They have basically blown the problem away by using 128-bit addresses and in the process, greatly simplified network configuration by allowing network cards to be routed automatically.
The major issues I have with privacy over the internet are to do with data integrity and eaves dropping, not to do with identity. With conventional IPv4 addresses you can be traced back to at the very least the local network you came from. A unique number such as this isn't a means to track everybody, its a means to simplify routing configuration. For dialup lines I would imagine this address space would contain some other number making it just the same as tracking down a particular user as it is today.
The IETF is doing a great job and has put much more thought into this than most (probabily all) of you have and they deserve some credit, not the blatent disaproval that slashdotters tend to be giving in increasingly larger doses.
Running out of MACs? (Score:1)
Besides, if we have a limited number of MACs then it appears that the number of autoconfigurable devices is limited to the number of MACs. That's pretty weird, I'm not sure what's going on. Can somebody inform me?
Re:this guy obviously has a huge chip on his shoul (Score:1)
I know why no one cares (Score:1)
I think he missed the point because..... (Score:1)
Lions and tigers and MACs oh my! (Score:1)
Re:Let me place your foot in your mouth (Score:2)
What is privacy? (Score:1)
I've given some thought to the issues surrounding encrypiton, anonymity and total, open disclosure on the Internet. There doesn't appear to be any clearcut answer regarding any of them. There are times when anonymity is an unmitigated good thing: dissidents in a repressive state sending out information about government atrocities who fear reprisals. There are times when anonymity is a problem: anonymous spam for instance, or the Anonymous Cowards here on Slashdot.
Encryption can be a blessing (protecting your confidential information) and a curse (what was that key again?). I don't even want to address the issues of law enforcement and crime and encryption because that's too thorny for a few short words. Although, the guy who just forgot his private key and can't decrypt the e-mail telling him where to meet his contact for the rendez-vous is going to wish that he had some trusted third party for key escrow.
Privacy? That's a big question and it all comes down to what you consider private and what you consider public, and there are probably 6 billion different answers to those questions. Do you really want people to be able to post absolutely anything that they want in total anonymity, or do you want people to have some level of responsibility for what they say in a public forum? The answers are not always as obvious as you might think.
Personally, I don't care if someone could actually trace all the packets back to my machine. I don't care if they see that I was looking at porno on my home machine at 1:00 A.M. this morning. (Actually, I wasn't. If you did check what was coming into my machine at 1:00 A.M. this morning, you'd find source code for MkLinux streaming in over a remote cvs session.) I'm not doing anything that I would be embarrassed for people to know or that could get me in legal trouble. When I need confidentiality, I use encryption. The Internet and its underlying protocols as currently consituted and as described in IPv6 are inherently open and insecure. You'd be a real fool to do anything on the 'net that you wouldn't do in a public cafe in your home town without some kind of encryption.
What do I consider an intrusion on my privacy? When I get annoying e-mail spam, or worse, phone spam. E-mail spam, I can just delete it, but phone spam generally eats up a good five minutes of my time while I listen to the initial spiel and then say "No, I make it a rule to never accept unsolicited phone offers, and by the way, remove this number from your list."
Hmm, well, I've rambled on for long enough. Perhaps, one rainy Saturday when I've got nothing better to do, I'll dig out some on the subject of online privacy and privacy in general, and write up a little piece for the features section on just what privacy is, and how I think it ought to work on public networks.
I think we've all missed a detail. (Score:1)
If every mac address is unique, then why not just roll the hex numbers in your mac addresses over to decimal and call that your ip? We simply can't have more IPs then mac addresses, or am I totally wrong?
Re:Not nightmare - or security hole (for linux use (Score:1)
This statement is absolutely correct. You assume that he's speaking of IPv6, where your MAC address is part of your IP address. What this person is saying is that routing would be a nightmare if the ONLY identification for your computer on a wide-area network was its MAC address (and nothing else). Border routers' routing tables would be just a bit too large, I think.
Re:I think we've all missed a detail. (Score:2)
Re:this guy obviously has a huge chip on his shoul (Score:1)
But yeah, I have noticed some very large ranges allocated to companies that can never possibly use them. example: Ford with 136.1.0.0 - 136.140.0.0.
----------
Re:I think we've all missed a detail. (Score:1)
MACs are not static (Score:1)
your MAC through software in a configuration file. I've done it and it actually works. All anyone could do is find out what kind of card you have (by manufacturer). The thing about MACs is that they are more flexible than IPs. If you change your IP to be something completely off the wall, you won't be talking on the network effectively. You can change your MAC to be whatever the heck you want and it won't change how you communicate with other boxes.
An aside (Score:1)
It's a conundrum that makes one wonder about the motives of the reigning Internet digerati, who spend much of their time assuring us that they are protecting our interests as they quietly arrogate power in the new world order.
that make me stop reading news. Digerati? Arrogate? Conundrum? Who, other then journalism majors (and by extension PHB's) uses these words? I want plain news. If I want lots of pretty words I would pick up a paper-back novel.
After the multitude of manuals I have to pour over daily in my job, I want to be able to read a quick, concise news article and find out what's going on - not read the ramblings of frustrated novelists who's day job is journalism...
Re:I think we've all missed a detail. (Score:2)
Also, MAC addresses are unique for a particular medium (i.e. Ethernet). I'm not sure if that's guaranteed across different mediums, i.e. Ethernet vs. Token Ring vs. FDDI (even though you can do layer 2 bridging between these mediums). I haven't looked into what's used as a MAC address equivalent in the various IP over ATM implementations or Cellular IP services, but, if they are a 64-bit value, I doubt that they are guaranteed to not conflict with Ethernet MAC addresses. So yes, you could easily have more IPs than ETHERNET MAC adresses.
Re:So what? (Score:2)
The answer is you are wrong. The NVRAM stores the MAC address for the built in Ethernet on SparcStations. If you have additional Ethernet interfaces (usually on SBus cards), they have their own MAC number that is settable seperately. People who have multiple Ethernet cards on Sparcs (which is not uncommon) in combination with certain other sorts of hardware, would have serious problems on their networks if this wasn't the case.
Not nightmare - or security hole (for linux users) (Score:2)
Not really. The routers will no doubt just be ignoring the lower bytes (like current netmasks) - and by the time it gets to your gateway they'll still be ignoring the part with the "MAC address".
In fact, it should be trivial to hack a linux IPv6 stack so every TCP connection gets a unique bogus MAC address. Then the snoopers can just whistle for their info, while the IPv6 cookie-replacers can watch their databases expand without limit. B-)
With significantly more work you could stretch the API to let the client program specify the fake MAC address it wants to present, so your browser could maintain an identity to use when you REALLY wanted to accept an un-cookie.
Re:Other concerns (Score:2)
If your machine's MAC address is attached to every packet, that follows you regardless of routing information or even your ISP. This is truly in a different league.
--
Deja Moo: The feeling that
Changing your MAC address under Linux (Score:2)
You can give a MAC address as a parameter to ifconfig(8).
Linux should allow you to change your MAC address even if your NIC was not designed to allow it.
On cards that don't support changing the address, Linux puts the card in promiscuous mode, drops incoming frames not addressed to the particular MAC, and spoofs the MAC on outgoing frames. Quite a neat solution.
Berlin-- http://www.berlin-consortium.org [berlin-consortium.org]
Re:That doesn't make it meaningless! (Score:2)
It's FAR easier to track somebody today using existing static IP addresses than it would be if some vendors took the *recommendation* that MAC addresses be used as link identifiers for ethernet-based links in IPv6 addresses.
Regarding your assertion that ISP's can be "anonymous" in this nature, this would be difficult in the US. They'd be doing so with the intent of keeping evidence from lawful organizations. It is also in any ISP's best interest to keep logs. If an attack is launched from one of your anonymous ISP's dynamic addresses and the ISP cannot show that it was, the ISP is in a bit of trouble.
Not good business.
Re:Its not that bad (Score:2)
Firstly, IPv6 can actually aid your privacy in that it is now technically possible for you to *choose* your IP address provided you reset the globally unique bit, and use the duplicate address detection mechanism to make sure your traffic will work. The only time duplicates become a problem is when the same address exists in the scope of the network where it matters. i.e. your subnet for an ethernet connection, or the PPP link when you are using dialup.
It would be technically possibly for you to dynamically change the lower 64 bits of your IPv6 address during the life of your connection to the internet be that ethernet or PPP. There is one proviso in that it is not currently feasible to modify your address for active TCP/UDP connections, so you would need to close all active connections to lose all trace of your older address.
Given the active discussion that this topic has generated, I am now keen to add a feature to our stack which would build a random EIU64 address each time the interface is opened. This feature is already in place for PPP connections, and I could also add a button which would force a new address to be built on all interfaces. Of course to pick up the new address, all connections would need to be broken, but it would be a simple matter for the stack to continue using both addresses until the original address is fully deprecated. IPv6 is powerful enough to use as many addresses as you like from your internet node. That is the beauty of stateless autoconfiguration and neighbor discovery.
I suggest that slashdotters go and read the relevant RFCs *and* Internet Drafts in some detail, and they will realize how powerful IPv6 is and how it will solve many of the issues facing the immediate future of the Internet.
A good place to start is
http://playground.sun.com/pu b/ipng/html/ipng-main.html [sun.com]
Read The RFCs (Score:5)
-- Jochen
how is that different from a static IP? (Score:2)
Oh, the horror! (Score:5)
I'm no more worried about my MAC address being in a network packet than my IPv4 address. Heck, I could change my MAC address easier than changing my IP - I sure can't change the IP of my PowerMac at the office, and changing my static IP at home would entail pleading to my ISP, but Ethernet cards are cheap.
The author needs a clue.
Re:That is not my point. (Score:2)
This would require an internal audit trail. Destroying this trail in response to a subpoena would be illegal. In order to survive, any "anonymous" ISP MUST do some sort of logging and auditing. Think of this scenario:
Re:That is not my point. (Score:2)
This was done with Harvard's (obvious) consent. As it would then be a privately owned network (not given "common carrier" status awarded to our lovely telephone networks), it would not be considered to be any form of privacy invasion (legally).
You're only awarded protections against unauthorized searches/wiretaps when it comes to public networks. Your ISP/private university can choose to let the FBI see whatever they want. (At least that's how I understand things.)
Re:On the other hand... (Score:2)
Not quite. At best, the store would be able to say, "Any one of the people that bought one of these cards between dates X and Y would have a NIC with the MAC address you specify."
Purchases aren't tracked by serial number.
Don't get your undies in a knot... (Score:2)
Will conformity be checked by anything? (Score:2)
So... what am I missing?
--
Deja Moo: The feeling that
Any "abuse" to privacy here is insignificant (Score:2)
If you want to be anonymous, you would be much better off with mixmaster remailers (for anonymous email), anonymizer.com (for web surfing) and various anonymizing telnet services. In other words, a trusted third party to strip off identification for you.
--
grappler
Privacy article, for article's sake? (Score:3)
However, this article makes me think that the guy who's job to write stuff on privacy issues on the net came up empty in the actual real security issues department and said, hey I can still write an article about why people aren't worried about an issue...in other words writing about privacy on a non privacy issue.
He says that the EFF among others has not responded to this latest "privacy threat", perhaps he should have thought for a moment and realized...they aren't responding because there is nothing to respond to.
Re:So what? (Score:5)
However, since you can't really modify MACs, it could be as evidence in court to show who you are. With IPs this is a little harder to do because of the dial-up banks and ISPs are not required by law to keep logs (right?) The use of proxies shouldn't be any different from v4 to v6 because the proxy is not going to reveal your MAC, only it's.
Re:Ummm (Score:3)
-- Jochen
Re:So what? (Score:2)
My ISP (sort of a DSL, LAN over phone within aparment complex) checks for it - stops working if I swap a NIC. My office LAN gateway same way - there are reasons not to allow for easy MAC changing on a LAN.
Not a worry for me (Score:2)
Read the spec, and understand what that part of the IPv6 address is for. Then you will realise it is not a big bad privacy violation.
The MAC address section of IPv6 is used mostly for locally addressable destinations. It makes an easier job for routers to figure out whether to route the packet.
It is stripped off (or obfuscated) by a router when sending packets out into the big bad internet. Of course, your implementation of a routing process may vary, but other routers would strip it out as meaningless (i.e. the first cisco router).
the AC
And besides, YOU don't have any privacy, get over it!
Devil's Advocate (Score:2)
-konstant
Re:So what? (Score:3)
Not on devices that ROM it... However, for example, Sun SparcStations (of which I own 3), hold their MAC address in a NVRAM (battery backed CMOS static RAM), which is quite readily modifyable (at least the last 32 bits or so of it is).
I am sure that SparcStations aren't the only networking devices where the MAC address is so easily changed. Even in cases where it is ROMed, there are ways to reprogram EPROMs or burn replacement PROMs for most types of components if they are suitably socketed.
This has been discussed on Technocrat (Score:3)
this guy obviously has a huge chip on his shoulder (Score:5)
In any case, the article, while obviously inflammatory, is backed up by very little actual fact. The author didn't bother to actually *call up* any of those 'professional privacy advocates' and ask them himself why this wasn't an issue (in other words, didn't do any real journalism) -- he just whined and complained that the people *who with very little pay occupy themselves with protecting _his_ privacy* thought they knew better than he about the implications of IPv6. And WTF:
That's quite a statement to make unsubstantiated. Very poor journalism. And: Eh? Since when was "heavily funded by the Defense Department" an automatic stamp of badness? Does this guy realize that close to 90% of *all* the academic research in this (American) country is one way or another "funded by the Defense Department"? Heck, *I'm* funded by the defense department. The whole *Internet* was started by and remains to some extent funded by the Defense Department. This is just lazy scare-mongering by some guy who considers his opinions too obviously important to merit support with real facts.If this guy is serious, he ought to research and back up his claims. Lacking any evidence to the contrary, I'd just as soon agree with the poster directly above, who claims that this NIC ID doesn't make it past the first router and so doesn't matter. That seems far more likely than the worldwide conspiracy that Bill Frezza would have us believe. If Bill can make a better argument, I'll go over to the standards and check for myself, but he has very little credibility in my book at this point.
More on IPv6 and address privacy (Score:5)
More importantly, the IPv6 spec suggests (not mandates) the use of the 48-bit mac address for use as part of a local-use address. The local-use address as defined has only local routability scope - it will not trickle out onto the greater Internet. This was designed to provide an easy bootstrapping mechanism, and for non-Internet connected sites to configure their computers easily. However, the use of the 48-bit mac address is completely optional; it's not an automatically assigned address.
Third, people who connect to the Internet via a DSL or modem connection don't need to worry. In the DSL case, their IP address is the IP address of the DSL modem. Since their IP address is provider assigned, and their DSL modem is provider assigned, there's no difference! A user who dials up via a modem will have an IP address assigned by their provider, just like they do now, and it will have no correlation to the hardware address of anything they own.
For more infromation, Robert M. Hinden has a great article, "IP Next Generation Overview". Alternately, the story posted in the Times a few weeks ago provided a cogent introduction to the reality, not the hype, of IPv6. If you're an RFC type, check out:
TTL (Score:2)
i mean what IDIOT makes a protocol with 128 bit address scheme and keeps TTL field of 8 bit (which makes maximal TTL be 256).
Assume that each physical network has 8 links to it. Every time the size of the network increases eightfold, the maximum TTL needed to use all of that network goes up by one. Addresses run out MUCH faster than TTL's, as the network grows. Sure, there is going to be a lot of variation in size of subnets, but on the whole the net is much more broadly connected than it is deeply connected.
Both TTL and address bits required grow logarithmically with the number of nodes, but TTL has a much higher base to that log.
Re:So what? (Score:2)
Re:So what? (Score:2)
Recently on one of the Embedded programming newsgroups someone handed out blocks of NIC addresses to anybody who wanted some. Since it's a 'commodity' that is hard to come by, and I have plans in the future, I requested a block. What with IPV6 it now looks like maybe I OWN a block of IP addresses, when it goes into effect.
The reason for globally unique MAC addresses is so that hardware address conflicts are rendered impossible on any network anywhere. Reprogramming two NICs within a single institution (or household, or personal lab) is a rather foolish idea, and negates a numbering scheme that otherwise prevents address conflicts from occuring anywhere, at any time.
It better not be my numbers you've grabbed. heheh.
IPv6 and privacy (Score:5)
(In other words, if you move, your ISP moves, their ISP moves, etc, right up to the backbone itself, you are GUARANTEED a new, unique IP address. You are ALSO GUARANTEED that your old IP address will remain valid, and pointing to you, for a transition period.)
(This is not trivial. Not only does this require that your IP address is unique, when you connect, but that you are given a unique address, should you move, whilst still connected, AND that anyone connecting or moving over to your old ISP at the time you're transitioning will ALSO gain a unique IP address. In other words, they can't be assigned your old address, and you can't be assigned their old address, because that violates the uniqueness during the transition period.)
Other concerns (Score:3)
IPv6 is trying to address the problem of "dumb" packets that get shoved willy-nilly through routers as they are shuttled from one place to the next in search of their destination. IPv6 is supposed to provide a "smarter" packet that allows it to take the shortest possible (and quickest) route to/from a destination. All of this being done on a location basis. The MAC address, I believe, is used as a unique identifier to help keep addresses unique.
I noticed a post that stated that there is no "database" for MAC addresses. I don't know if totally believe this. Every manufacturer produces a unique address for each card produced, thus guarenteeing that no repition will occur, especially since routers and switches cache and use the info heavily. So, how do they know who is making what MAC address? Also, a MAC address maybe easy to change, but how many users know how to do that?
I am very concerned about privacy in IPv6. It seems like one big, global user tracking system to me.
my $0.02,
colin.stefani
Simple solution. (Score:2)
On a related note, you can also have your card use a different MAC address
ifconfig eth1 hw ether deadbeef0001
(this needs do be done while the card is down for obvious reasons)
now your card will answer all arp requests with DE:AD:BE:EF:00:01.
Note:
The kernel performs this trick on most cards by setting the card into promiscous mode and using software to filter out all MACs that
aren't yours which stands to reason it would be slightly slower than just using your real MAC.
Re: knowledge = lack of outrage (Score:3)
The field can be anything, it exists so that a bunch of machines plugged into a hub without a router can route packets to each other. It is also there so a router can make some fast decisions about what needs routing, and what is local.
The EUI field can also contain IPv4 addresses, Novell IPX addresses, OSI NSAP, etc. So anything can be put there, and as long as the u/l bit is switched to local, nobody cares. It is the local router who has to decide how to deal with incoming packets.
the AC
read RFCs 2460 to 2473, and especially 2373. Worry less, read more.
Even in windoze (Score:3)
In the network control panel, select the card driver, then properties.
Go to the advanced tab, in properties there should be a Network Address. Change it from Not Present to Value, and enter a valid 12 character string, with no colons or dots or spaces.
I think you have to reboot after that. I know this is becoming wider spread because home users on cable systems find they are tied to their original MAC address, and when they swap machines the internet stops working
the AC
What's in a MAC address? (Score:2)
I also heard that IPv6 was going to be end-to-end encrypted, too - that wins big in my book any day.
No outrage? Because the people aren't uninformed! (Score:2)
The IPv6 spec SUGGESTS that the MAC address be used as an interface/link identifier (which must be unique). It's quite possible that this address would be reconfigured to something else in very short order. By setting the IPv6 address immediately with a known unique value, you have an instant (even if temporary) address with which to request a proper one.
OBVIOUSLY not every network interface has a MAC address (such as serial links and tunnels). For those types of situations, some other pseudorandom number should be just as effective, so long as it doesn't conflict with somebody else on the LOCAL subnet (the interface ID only makes up *part* of the address, remember). In the case of dialup links, the address class we're talking about here probably won't even be needed to be figured in advance -- it could be negotiated as part of the PPP process.
There is no privacy issue here. There are no evil NIC manufacturers in cahoots with the vendors to build a global database of all MAC addresses and your identity and buying habits.
Quite frankly, I am rather EMBARRASSED by the number of Slashdot posters who regularly post crap like this on threads. They make NO effort whatsoever to independently verify anything they start violently complaining about. They just assume that the BIASED take they just read was ABSOLUTE, 100% accurate and researched TRUTH.
THIS IS NEVER THE CASE.
Did you ever stop to think that maybe there's no outrage over IPv6's MAC recommendation because THERE WAS NO REASON TO BE OUTRAGED?
A bit of light reading for those that want to talk in an intelligent manner (in other words, no idiotic paranoid conspiracy theories):
Re:Different possibilities.... (Score:2)
You probably ought not to make such sweeping generalizations, lest this particular Mac-head start making sweeping generalizations going the other way. I both know and care about the nitty gritty.
Simple solution... (Score:2)
I really don't see this as a usurping of my freedom. Maybe I'm just not paranoid enough.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
Much Ado About Nothing. (Score:2)
This is not an outrage. This is not even invasive. Hell, you can change your MAC address most of the time. If you're worried someone will find it easier to catch you DoSsing others on the Internet, well, that's your problem.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
Re:Other concerns (Score:2)
I am very concerned about privacy in IPv6. It seems like one big, global user tracking system to me.
The MAC address is implemented just like a serial number. E.g. Batch 1 gets MAC address 1-100. Batch 2 gets 101-200. There is no "database" that the company has somehow managed to compile that links your MAC address with anything resembling your identity. You think the stores they send these NIC's off to turn around and report back to the manufacturer with your identity and buying habits? It doesn't happen.
Don't be so paranoid. Companies tend to only spend resources on things that will earn the company a profit. An internal database of MAC addresses earns the company absolutely NOTHING. The infrastructure required to create and maintain such a database for zero profit (or even useful market research, as MAC addresses are nearly useless for doing any real tracking) just doesn't seem like a likely thing for a company to do.
In order for this to even be remotely successful, you'd have to get all of the NIC companies and the VENDORS themselves together on the conspiracy and have them all sharing their MAC addresses and databases of customers and buying preferences. This doesn't seem very likely.
In fact, if someone wanted to track your Internet activity, it would be FAR easier for them to break into your ISP, track your dynamic IP addresses as they're assigned, and monitor your traffic that way.
Re:this guy obviously has a huge chip on his shoul (Score:3)
It sounds like the journalist or one of his good friends or family has been screwed by the address allocation policies of ARIN (and previously the InterNIC). I can understand his hate. I'm losing customers now, because I can't get more addresses. I lost a customer in August that would have had 40 offices connected to me via frame relay, because it took me over 6 months to get enough addresses freed-up to handle their machines. MIT and CMU have 16 million addresses each, and I can't get another address so I can connect another dedicated customer or another dialup port. @Home got 24/8, and they only have a couple of thousand customers at the time. His claims are unsubstantiated, but the frustration and hard feelings aren't. Even after writting a $5,000 check to ARIN for a /20, I still don't have one. That's more than I pay myself! ARIN claims they won't assign it because I don't need it. I'm using a /22 from MCI and 4 /23's from another provider. I qualify. I've spend almost 50 hours a week renumbering equipment over the past two years, because I'm having to reclaim blocks. Yesterday, I moved a customer with 29 computers from a 64 address block down to a 32 to free-up half of a class C for a new customer. When my old customer adds two more computers, I'm going to have to renumber them again. It's killing me. Rather than working on finishing my OpenSource ISP billing software, I'm forced to drive-out to customer sites, change router configs, and help change machines (or a single DHCP server, if I'm lucky). It's yet another case, how large businesses use their position and cash to screw-out their smaller competition. And, you complained that the journalist needs to back himself up...
Wasteful? Oh, please. (Score:3)
Hell, wasting even a few trillion addresses wouldn't mean squat.
Once we start giving a few hundred billion IPs away in every cereal box or package of sports trading cards, I'll be slightly worried.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
Re:Let me place your foot in your mouth (Score:2)
cat
Of course, this will only show hardware addresses on your subnet, not of everyone you send and recieve backets from, but oh, well.
Ignorance of IPv6 is amazing! (Score:4)
I'm MORE disapointed that all the replies on slashdot show they underestand EVEN LESS ABOUT IPv6 Here's the issue: A host's IPv6 address will be 128-bits long. the last 48 bits are going to be the same as their Ethernet ("MAC") address.
Therefore, if I plug my laptop in at work, it will have one address, and if I plug my laptop in at a Internet Cafe, it will get a different address. However, the last 48 bits of both addresses will be the same.
Someone had the mistaken impression that the entire IPv6 address would stay the same no matter what. That's not true. That would make routing very difficult.
Someone else pointed out that the Ethernet "MAC" address of a host can be changed in software. Yes, that is true for newer NICs. However, the average user will not know how to do that.
So, the big issue is that other people will be able to trace a computer as it moves from network to network. In IPv4 one could trace an IP address back to a particular ISP or company... but then you had to rely on the local admins to break any confidentiality to get to the exact machine.
With IPv6 if you catalog the last 48 bits of all the hosts that connect to you, you will eventually be able to coorelate where hosts are moving.
Is this a requirement of IPv6? Not really. This was done to make host configuration without DHCP possible. (There is a DHCPv6, but it only adds features to the native host configuration "AutoConfig" stuff built into IPv6). A IPv6 stack could choose to pick random numbers instead of using MAC addresses. It would just be a simple matter of programming.
Oh, there is one more point I'd like to debunk. That IPv6 development is U.S. Department of Defense funded. Well, they fund a little of everything, so don't get all worried. Heck, they funded the original IPv1 thru IPv4 development too. So deal.
Re:Other concerns (Score:2)
--
Deja Moo: The feeling that
Half of the MAC is assigned by an authority (Score:3)
*sigh* "As if..." (Score:2)
I will point out a massive technical inaccuracy and oversight... the MAC address is not "embedded in your hardware". Sun ethernet cards don't have MAC addresses anywhere on them -- it's generated based on the hostid of the machine (which is very easy to change in the PROM) _AND_ ifconfig supports SETTING the MAC address. It's certainly not etched into the silicon. In most cases, it's trivial to change the address stored in the card's EEPROM.
"Permanently." Are you certain of that? I don't know about every other network card on the planet, but I've never seen one with any carved stone on it.
Gee, maybe EFF and others aren't on the war path because this isn't a problem.
IMO, the author is being a bit of an alarmist here. Why is it people always foam at the mouth about "internet privacy" when they already leave enough of a paper trail for a hamster to track them from another planet? How many credit cards do you have? Do you have a social security number? Do you own a car? (Look at the bottom of your Mountain Dew can some time.)
The author is wrong about IPv6 (Score:3)