Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
The Internet

Where's All The Outrage About The IPv6 Privacy? 259

SyntheticTruth writes "It seems the specs for the IPv6 standard use the 48-bit NIC address as part of the unique IP address, which can be used to trace packets back to the user's computer. " The story is asking why people don't seem to care about something which is gonna certainly raise privacy concerns.
This discussion has been archived. No new comments can be posted.

Where's All The Outrage About The IPv6 Privacy?

Comments Filter:
  • /12 means that they have a block that includes the last 12 bits of the address. So they can have 2^12 addresses. I'm not sure how you say it: "slash twelve"?
  • I agree, all bold does not help clarify anything, it just makes it hard to read.
  • by Inoshiro ( 71693 )
    First, I'm not suprised that the only people who seem to be flying off the handle and getting scared about their MAC addresses showing, are those who are not technically knowing. "It's just like that Microsoft DOC thing, show your MAC address! That was bad, so this must be, too!"

    This reminds me of the logic in the Coffee RFC ( http://www.ietf.org/rfc/rfc2324.txt ) : "HTCPCP is based on HTTP. This is because HTTP is everywhere. It could not be so pervasive without being good. Therefore, HTTP is good. "

    Flawed logic.

    On to the technical side:

    Since 2^128 is a ludicrously large number, and since we can get by on 2^64 (another ludicrously large number) of IP addresses, they have simply stuck the MAC address in the remaining bits (my interpretation).

    Why is this not a problem?

    You can always find someone's MAC address if you use an ARP request across an IPv4 network.. Heck, it's how IP works! You need a static address (like the MAC addresses), and you need a logical address (like the IP addresses). There's even a higher abstraction, that of the domain name.

    Why is this good?

    By including the MAC addresses in the header, you can (hopefully) reduce a bit of router load, make transport of packets easier and more logical from the code side, reduce the incidences of packet spoofing (maybe). This is very different from a "machine fingure print" that is stuck in say an MS Word document. How so? There's no need for a document to have an ID that tracks back to the computer that made it, while there is a very logical reason for network cards to have MAC addresses. Have any of you read the IEEE specs for Ethernet packet transmissions? Yes, MAC addresses have been "visible" for a long time already. It's how network works.

    Now, I don't think dialup people will be affected, as they are networked a different way (ie: not via MAC addresses). The same holds true for ATM and ISDN (which use different underlying network designs).


    This is as much a privacy concern, as your own licence plate number is. "Oh, no! They can track where I drive, where I shop, what movies I see, whose houses I visit!!" ... Maybe, but you still have a licence plate on your car, and your network cards still have MAC addresses. If it bothers you so much, switch to ARCnet, or use dialup only.
  • What's to prevent Government Agents from Seizing ISP records that link their client bases' MAC address & Billing/personal information? This is already possible under provisions of the National Security Act, which supercedes laws requiring warrants prior to search and seizure.

    If your MAC address is embeded in your IP number, and the the Domain name of your IP address is also embedded in your IP address, how could it be any easier to trace you?

    For all you AC posters, how bout same agents seizing all the sys logs of /. which_already_record your IP address.

    - mourning the late great 4th Amendment.

  • IPv4 addresses have no accountability because
    they aren't authenticated. While it is possible
    to "trace" an IP address to its source in real-
    time in some circumstances, doing so is nowhere
    nearly as simple as you're making it out to be.

    The obvious issue here is address spoofing, since
    nothing prevents an attacker from sending out
    a packet with an arbitrary source address. While
    there are issues with doing "full duplex" spoofed
    transactions (the Internet will normally route the
    responses back to their true source), this is
    not an unsolveable technical problem.

    There has been work done in the recent past to
    faciliate traceability of unauthenticated IP
    packets. The insight is that you can trust the
    routers (at some level in the routing hierarchy).
    The routers can identify and cache the interface
    on which each distinct IP address arrives. You
    then just need a recursive query protocol to
    trace the address backwards hop-by-hop until you
    get a reasonable approximation of where the
    address entered the system.

    But if the point that you're making is that the
    privacy impact of IPv6 address assignment schemes
    are irrelevant because you have no privacy NOW,
    I agree wholeheartedly. Anonymous forwarding/
    proxy systems are the way to go; the amount of
    work it takes to make a truely anonymous network
    is significant, and neither IPv4 nor IPv6
    does anything to address that.
  • Well, now I don't run Linux all the time anymore, but I'm not sure it >can't be compiled into the kernel. MAC addressing is an integral part of ethernet, so at some level your machine knows the hardware addresses of all the machines on the local network that it's talked to recently. Try pinging yourself and then do an arp.

    But let me just say I don't know for certain, but it really seems to me that you don't know that you don't know. Got that?

    why can't we all just get along, d00d?

  • arp has to be run as superuser.
  • arp has to be, and always is, in your kernel if you use IP networking.

    you're probably thinking of rarp.
  • The school I went to used to use room-number as your address. Privacy concerns led to them switching to a mix-and-match DHCP randomization that decoupled names from rooms. Although annoying, it was probably a good thing.

  • by Dave Fiddes ( 832 ) on Thursday October 07, 1999 @11:35PM (#1630693)
    MAC addresses are handed out by the IEEE. They will give you a block of 24 bits of address space for around US$1500.

    Like IP addresses there is an area in the address space set aside for private use. It is possible, if not entirely sane, to reconfigure an entire LAN... Don't laugh, I've heard of people doing this! I can't remember the rules off hand though... ;)

    Modifying MAC addresses is really simple not matter what age of NIC you have. Most NICs store their MAC address in a small lump of EEPROM on older cards this is just plain old PROM.

    When a driver starts up it gets the ethernet address from the PROM and loads it into a set of station address registers in the NIC. There is no obligation for the driver to load the address it gets from EEPROM or even for there to be an EEPROM! This feature is regularly exploited by embedded systems with ethernet which store the MAC address in FLASH or some other multi-use NV storage to save money.

    What I'm getting at is that it would be really, really easy(if Linux doen't do it already) to allow users to specify a new ethernet MAC address if they felt paranoid. Given the ratio of address space to LAN size you could even produce random MAC addresses at startup if you were paranoid enough.... Of course there are smarter mechanisms for doing this as other posters have pointed out.

    If anyone has a burning desire to have a very small amount of official ethernet address space then drop me a line and I'll see what I can do (HW manufacturers only!)
  • point. but the biggest problem is what if someone was looking for you? What if the FBI had caught wind that you were planning to bomb the white house and they saw that you were reading alt.explosives 20 times a day?


  • by Anonymous Coward
    Isn't more than 256 routers in your home to get to your toaster a bit much? :)
  • If I remember correctly, you, the IP consumer, only get about 64 bits to play with. The first half of the addresses goes to identifying packet types and providers and stuff. You can't just choose a random 128 bit number and expect it to work.
  • by Anonymous Coward
    Ethernet cards are cheap, yes. Software to change the mac address without changing ethernet cards is free. This is a non-issue.
  • Anybody thought about the possible implications of IPv6 and smart "filtering" switches?

    A switch is a smart hub that only forwards the packets to the connector where the destinator sits, rather than broadcasting it to all connectors like a dumb hub would do.

    Now, how does the switch find out where which computers are connected? Easy: it looks at the originating MAC addresses of the that come in through the various ports. For example if a packet singed with the MAC address 01:02:03:04:05:06 came in on connector 7, the switch would know that the computer with that address sits at that connector. If later on the switch got a packet intended for 01:02:03:04:05:06, it would know that it should forward it to connector 7.

    However, obviously this only works if the first communication comes from the machines, rather than going to it. Fortunately, for IPv4, this is always the case. Indeed, suppose that the machine at wants to talk to Before being able to open the connection, must find out the MAC address of It can find this out using the ARP protocol. This protocol basically consists of sending out an ethernet broadcast packet asking "who has". As it is a broadcast packets, the switch sends it out to all its ports. When gets the ARP request, it replies by replying "I have" to now just needs to cull out the originating MAC address out of the packet and it is set.
    However, in addition to this, the ARP reply also passed through the switch, which dutifully noted at which connector that MAC address sat. The beauty of all this is that it works without the hosts needing to know that it happens, and without the switch to know anything about TCP/IP.

    Now, with IPv6, things change a bit: in order to find out the MAC address of your peer, you no longer need to send out ARP requests: you can just cull out the lower order bits of the IP address, and you're set. But the network switch now no longer knows to which port the packets should be forwarded, and we might see lots of interesting failure modes...

  • Sun SparcStations hold their MAC address in a NVRAM

    Yes, they do, which is wrong -- what happens when you have multiple network cards in a machine? The answer is that Sun violates the standards, and has a MAC address per machine rather than per card...

  • Assuming, of course, that you wanted layers two and three to have exactly the same properties, or you wanted to buy every ethernet-capable device on your LAN from the same vendor. And even that doesn't guarantee anything - here at 3Com, every time we buy a new company, we get a whole new range of MAC addresses.
  • However, since you can't really modify MACs, it could be as evidence in court to show who you are.

    AFAIK you can modify the MAC on your ethernet card just by fiddling around with some jumpers..
  • sure, you can open TCP/IP connections. you can't use path MTU discovery though, so your connections are going to suck.
  • Little off the subject, but i was told when i got my cable modem if i changed ethernet cards to reset the cable modem, then it would forget the MAC address and get it again.
  • wrong.

    $ arp Address HWtype HWaddress Flags Mask Iface bingo ether 00:A0:F9:00:99:89 C eth0 $ ls -al =arp -rwxr-xr-x 1 root root 29000 Mar 25 1999 /sbin/arp*

    damn, now you know my router's MAC address. now every spook and hacker out there is going to trace me!! *runs screaming*

  • makes doubleclick's job easier i guess
  • 1. Linux and BSD gurus know this will all be easily spoofed. That plus multi-homing (multiple IP addresses on a single physical NIC) tends to mitigate fears.
    2. Windozers and Mac-heads don't know or care about the nitty gritty. Just insert AOL disk here...
    3. By the time IPv6 gets widely implemented on client machines we will all be part of the Borg collective anyway....
    #include "disclaim.h"
    "All the best people in life seem to like LINUX." - Steve Wozniak
  • as has been pointed out, with most modern NICs, you *can* modifiy your MAC address. there isn't much point in it (replace one arbitrary number with another), but if you're paranoid enough you might want to automate the system to pick a new random one at every boot, or something like that.
  • Though I can see reasons why you would want to do this... and though I haven't really thought about it for more than 20 seconds, doing a direct correlation between MAC addresses and the actual IPv6 address (or at least the low-order end of it) would seem to defeat the purpose of having that many extra bits in the first place.
    A company certainly doesn't neat 24 bits of address space just becauset hey have a few hundred machines.
  • by Overt Coward ( 19347 ) on Thursday October 07, 1999 @10:12AM (#1630713) Homepage
    A MAC address is no different in terms of privacy than an IP address. Either can be changed (though people with dynamic IP addresses change their IP address many times more often than they change MAC addresses, if ever). There is no central registry of MAC addresses.

    All this does is tie a number that is meaningless to the rest of the world to your IP address. Your IP address already exposes you far more than your MAC address would. The only exception I can see off the top of my head are people who trust a proxy/firewall to protect their identities.


  • it sounds like a major overkill effor to me. within an organization, even large, you can be confident enough that no two random 48-bit numbers will conflict.
  • why was that offtopic? looks like I'm missing more than one thing today.

  • Modems don't have MAC(/ARP?) addresses anyhow

    MAC addresses are easy to spoof (example, my cable modem service is tied to the MAC address for the pci nic in my win98 box, because thats what the set it up on, but my linux fw box doesn't have a pci slot, so i just made it think that its outside nic had the same MAC address as the pci nic, it works great.

    They don't care because they don't know, this is probably the most likely one.

  • we want more IPs than MAC addresses because we want to embed routing information in IPs. MACs are arbitrary, there's no way in hell you could route that, short of stuffing the whole list of a bazillion assigned MACs into every router and updating it hourly. sounds like fun :)
  • I appologise to all concerned.
    I was in a state of drunken linux stupur.
    still. arp only has to be compiled when ethernet networking is compiled in. I have removed arp from my kernel. used to remove icmp too.
  • You have a very good day of knowing who it it.
    EVERY ISP logs connections with at LEAST username logged in at such and such a time ang got such and such an address, some even log the source phone number.

    IPV6 specs have been around for a while and many people chatted about this issue, but it is NO different than IPv4, there will always be a way to track it back to source. If it is through a non logging proxy then you know laws will be put in place to say that the owner can be liable for some actions originating from his box unless he can prove it wasn't him. Which means logs
  • I have seem a number of ISPs that are already doing things similar to this. Off the top of my head the only one i can think of is the Canadian ISP bconnected.net. They assign NIC MAC address to the hostnames of their cable modem subscribers. so an IP of 209.53.*.* may resolve to the hostname 00-4c-ec-2b-2d-00.bconnected.net.

    Luckily my ISP doesn't do this, I would immediately find a new provider.

    It's all downhill from here
  • by sklib ( 26440 )
    I don't need to worry about this MAC thing, right? I have a PC instead :)
    Tee Hee
  • by pridkett ( 2666 ) on Thursday October 07, 1999 @10:14AM (#1630722) Homepage Journal
    The reason why this hasn't been that huge of a deal yet is because most people don't always view that as information as part of the address, or because most people didn't know.

    I, for one, don't see how such information is going to help route packets that much. Other than allowing EVERY ETHERNIC ON EARTH TO BE ON THE SAME SUBNET. Do we really need this? There really isn't a purpose to that.

    Secondly, people only get really angry when they see something in use. Like the P3 security thing people knew about beforehand but didn't get pissed about till afterwards. Same thing with the win98 big brother thing.

    Of course we could all take the view of Scott McNealy and just realize we have no privacy. I can take your names or email addresses and go buy tons of information from experian for 10 cents a head. I'd probably be more worried about that.

    Besides, just get multiple nics then. You could easily just do something with the one nic, go buy a new one and voila, your info has changed and you can deny you ever had the old one.
  • But yeah, I have noticed some very large ranges allocated to companies that can never possibly use them.

    Or who have the vast majority of their network on RFC 1918 addresses (or may as well be using these.)
  • Agreed. Privacy is a good thing, but I haven't read a single comment which were reasonably justified.

    Telephone services are traceable, and there are many services in the field. I may be cynical, but why I feel like people consider this a bad thing because after that it's easier to track if they visit porn sites on the web and how often..

  • Sometimes I wonder about the level of hysteria that the slashdot community raises over issues like this.

    I agree privacy must be protected but that is why IPv6 has end-to-end encryption and connection authentication built in to prevent spoofing and eaves dropping.

    As stated by someone earlier, the reason IPv6 was developed in the first place was to address a address space problem. They have basically blown the problem away by using 128-bit addresses and in the process, greatly simplified network configuration by allowing network cards to be routed automatically.

    The major issues I have with privacy over the internet are to do with data integrity and eaves dropping, not to do with identity. With conventional IPv4 addresses you can be traced back to at the very least the local network you came from. A unique number such as this isn't a means to track everybody, its a means to simplify routing configuration. For dialup lines I would imagine this address space would contain some other number making it just the same as tracking down a particular user as it is today.

    The IETF is doing a great job and has put much more thought into this than most (probabily all) of you have and they deserve some credit, not the blatent disaproval that slashdotters tend to be giving in increasingly larger doses.
  • Will this raise a problem of us running out of MAC space? I'd hate to think so. After all, aren't we going after more address space than we can ever possibly use?
    Besides, if we have a limited number of MACs then it appears that the number of autoconfigurable devices is limited to the number of MACs. That's pretty weird, I'm not sure what's going on. Can somebody inform me?
  • Hrm. I assumed this was similar to the notation that (e.g.) nmap uses. In which case it's the number of bits in the network portion. So /8 is class A, /16 is class B, etc. So the larger the number, the smaller the block.
  • Static IPs for all. That's why. I guess some people are willing to sacrifice privacy for a static IP address, personally, it'd take a little more for me, maybe a T1 to the Internet, and a class A subnetted to alot of class Cs all registered under different names and address, but have my dhcp give me any address on the class A, then they'd never find me. =] Privacy here is a big issue though, this really doesn't seem to be much different from the whole Pentium III issue, except this would be accessible by *anyone*

  • Well with IPv6 and the amount of IP addresses you can assign I think it will eventually end up being something similar to phone numbers. You got more than 1 PC in the home? It'll be the same as having more than one phone line at home or something similar. Your IP address will be no more private than your phone number is and there for your MAC address being private will be pointless. I think your IP address will pretty much become your home address/phone number all rolled into one. You'd figure everyone will eventually have one. Since you'll probably have everything coming into your home on one phone line or satellite or whatever. In the future it'll probably become almost impossible to be anonymous on the Internet. I'm sure you could probably do your spoofing or some sort to be "anonymous" but to get anything done in the future I believe you wont be able to get by not giving this information out. Everyone will have some sort of domain name or the like, which will point to your IP addresses. This is obviously speculation, of course, but with xDSL and cable modems assigning us static IP addresses you could almost assume it will become pretty much standard when IPv6 becomes common use.
  • To heap the criticism on a bit more, First, the information included would be redundant if the scheme is as he says. Your ethernet address already contains the maker of the device. Second, going a step beyond buying a new NIC, some ethernet interfaces allow their address to be changed dynamically. DECnet does this. It smashes the top 24 bits if I recall correctly, making them 00:00:00
  • Uhm...Unless I don't remember TCP/IP correctly w/o ICMP you can't open any TCP connection.
  • I know I'm jumping into this a bit late, but this topic raises another question that probably merits a much more detailed and longer response than someone could give you in this forum.

    I've given some thought to the issues surrounding encrypiton, anonymity and total, open disclosure on the Internet. There doesn't appear to be any clearcut answer regarding any of them. There are times when anonymity is an unmitigated good thing: dissidents in a repressive state sending out information about government atrocities who fear reprisals. There are times when anonymity is a problem: anonymous spam for instance, or the Anonymous Cowards here on Slashdot. :-)

    Encryption can be a blessing (protecting your confidential information) and a curse (what was that key again?). I don't even want to address the issues of law enforcement and crime and encryption because that's too thorny for a few short words. Although, the guy who just forgot his private key and can't decrypt the e-mail telling him where to meet his contact for the rendez-vous is going to wish that he had some trusted third party for key escrow.

    Privacy? That's a big question and it all comes down to what you consider private and what you consider public, and there are probably 6 billion different answers to those questions. Do you really want people to be able to post absolutely anything that they want in total anonymity, or do you want people to have some level of responsibility for what they say in a public forum? The answers are not always as obvious as you might think.

    Personally, I don't care if someone could actually trace all the packets back to my machine. I don't care if they see that I was looking at porno on my home machine at 1:00 A.M. this morning. (Actually, I wasn't. If you did check what was coming into my machine at 1:00 A.M. this morning, you'd find source code for MkLinux streaming in over a remote cvs session.) I'm not doing anything that I would be embarrassed for people to know or that could get me in legal trouble. When I need confidentiality, I use encryption. The Internet and its underlying protocols as currently consituted and as described in IPv6 are inherently open and insecure. You'd be a real fool to do anything on the 'net that you wouldn't do in a public cafe in your home town without some kind of encryption.

    What do I consider an intrusion on my privacy? When I get annoying e-mail spam, or worse, phone spam. E-mail spam, I can just delete it, but phone spam generally eats up a good five minutes of my time while I listen to the initial spiel and then say "No, I make it a rule to never accept unsolicited phone offers, and by the way, remove this number from your list."

    Hmm, well, I've rambled on for long enough. Perhaps, one rainy Saturday when I've got nothing better to do, I'll dig out some on the subject of online privacy and privacy in general, and write up a little piece for the features section on just what privacy is, and how I think it ought to work on public networks.
  • Why on earth do we need more ips then there are mac addresses? isn't that just plain stupid?
    If every mac address is unique, then why not just roll the hex numbers in your mac addresses over to decimal and call that your ip? We simply can't have more IPs then mac addresses, or am I totally wrong?
  • If your MAC address was used as your IP address, it would be a routing nightmare.

    This statement is absolutely correct. You assume that he's speaking of IPv6, where your MAC address is part of your IP address. What this person is saying is that routing would be a nightmare if the ONLY identification for your computer on a wide-area network was its MAC address (and nothing else). Border routers' routing tables would be just a bit too large, I think.
  • um i don't think dialup users have MAC addresses?
  • Actually that's false. @home has a /12 in that range. Roadrunner has two /13's. Contintental Cablevision has 4 /16's. A bunch of other cable providers have some smaller ranges. RipeNIC has a /13 as well.

    But yeah, I have noticed some very large ranges allocated to companies that can never possibly use them. example: Ford with -
  • by Anonymous Coward
    If your MAC address was used as your IP address, it would be a routing nightmare.
  • My company's version of UNIX allows you to change
    your MAC through software in a configuration file. I've done it and it actually works. All anyone could do is find out what kind of card you have (by manufacturer). The thing about MACs is that they are more flexible than IPs. If you change your IP to be something completely off the wall, you won't be talking on the network effectively. You can change your MAC to be whatever the heck you want and it won't change how you communicate with other boxes.
  • Is it me or are journalists pretty heavy with the thesaurus? I mean why must all articles be written like a novel, instead like a news article? I mean paragraphs like :

    It's a conundrum that makes one wonder about the motives of the reigning Internet digerati, who spend much of their time assuring us that they are protecting our interests as they quietly arrogate power in the new world order.

    that make me stop reading news. Digerati? Arrogate? Conundrum? Who, other then journalism majors (and by extension PHB's) uses these words? I want plain news. If I want lots of pretty words I would pick up a paper-back novel.

    After the multitude of manuals I have to pour over daily in my job, I want to be able to read a quick, concise news article and find out what's going on - not read the ramblings of frustrated novelists who's day job is journalism...

  • Well, the AC reply got moderated down but it is actually correct. Part of the reason for the first half of the IP V6 address is to simplify routing tables in the backbone routers. I believe the first part can effectively be used as a network number and can be used to provide route aggregation mechanisms.

    Also, MAC addresses are unique for a particular medium (i.e. Ethernet). I'm not sure if that's guaranteed across different mediums, i.e. Ethernet vs. Token Ring vs. FDDI (even though you can do layer 2 bridging between these mediums). I haven't looked into what's used as a MAC address equivalent in the various IP over ATM implementations or Cellular IP services, but, if they are a 64-bit value, I doubt that they are guaranteed to not conflict with Ethernet MAC addresses. So yes, you could easily have more IPs than ETHERNET MAC adresses.
  • The answer is that Sun violates the standards, and has a MAC address per machine rather than per card...

    The answer is you are wrong. The NVRAM stores the MAC address for the built in Ethernet on SparcStations. If you have additional Ethernet interfaces (usually on SBus cards), they have their own MAC number that is settable seperately. People who have multiple Ethernet cards on Sparcs (which is not uncommon) in combination with certain other sorts of hardware, would have serious problems on their networks if this wasn't the case.

  • If your MAC address was used as your IP address, it would be a routing nightmare.

    Not really. The routers will no doubt just be ignoring the lower bytes (like current netmasks) - and by the time it gets to your gateway they'll still be ignoring the part with the "MAC address".

    In fact, it should be trivial to hack a linux IPv6 stack so every TCP connection gets a unique bogus MAC address. Then the snoopers can just whistle for their info, while the IPv6 cookie-replacers can watch their databases expand without limit. B-)

    With significantly more work you could stretch the API to let the client program specify the fake MAC address it wants to present, so your browser could maintain an identity to use when you REALLY wanted to accept an un-cookie.

  • They can already do that with your IP4 address!
    Only if you have a static IP. If you have a dynamic IP, your data gets anonymized by mixing with the data from everyone else who eventually gets assigned that IP; over time, this could be everyone from your ISP.

    If your machine's MAC address is attached to every packet, that follows you regardless of routing information or even your ISP. This is truly in a different league.
    Deja Moo: The feeling that

  • You can give a MAC address as a parameter to ifconfig(8).

    Linux should allow you to change your MAC address even if your NIC was not designed to allow it.

    On cards that don't support changing the address, Linux puts the card in promiscuous mode, drops incoming frames not addressed to the particular MAC, and spoofs the MAC on outgoing frames. Quite a neat solution.

    Berlin-- http://www.berlin-consortium.org [berlin-consortium.org]
  • How is this any different from static IP's assigned by DSL and cable modem services? All the FBI needs to do in the least is go to your ISP and say, "We'd like to know who this person is."

    It's FAR easier to track somebody today using existing static IP addresses than it would be if some vendors took the *recommendation* that MAC addresses be used as link identifiers for ethernet-based links in IPv6 addresses.

    Regarding your assertion that ISP's can be "anonymous" in this nature, this would be difficult in the US. They'd be doing so with the intent of keeping evidence from lawful organizations. It is also in any ISP's best interest to keep logs. If an attack is launched from one of your anonymous ISP's dynamic addresses and the ISP cannot show that it was, the ISP is in a bit of trouble.

    Not good business.
  • Just to set the record straight about what is reality from someone who has written an IPv6 stack. (Trumpet Winsock 5.0)

    Firstly, IPv6 can actually aid your privacy in that it is now technically possible for you to *choose* your IP address provided you reset the globally unique bit, and use the duplicate address detection mechanism to make sure your traffic will work. The only time duplicates become a problem is when the same address exists in the scope of the network where it matters. i.e. your subnet for an ethernet connection, or the PPP link when you are using dialup.

    It would be technically possibly for you to dynamically change the lower 64 bits of your IPv6 address during the life of your connection to the internet be that ethernet or PPP. There is one proviso in that it is not currently feasible to modify your address for active TCP/UDP connections, so you would need to close all active connections to lose all trace of your older address.

    Given the active discussion that this topic has generated, I am now keen to add a feature to our stack which would build a random EIU64 address each time the interface is opened. This feature is already in place for PPP connections, and I could also add a button which would force a new address to be built on all interfaces. Of course to pick up the new address, all connections would need to be broken, but it would be a simple matter for the stack to continue using both addresses until the original address is fully deprecated. IPv6 is powerful enough to use as many addresses as you like from your internet node. That is the beauty of stateless autoconfiguration and neighbor discovery.

    I suggest that slashdotters go and read the relevant RFCs *and* Internet Drafts in some detail, and they will realize how powerful IPv6 is and how it will solve many of the issues facing the immediate future of the Internet.

    A good place to start is

    http://playground.sun.com/pu b/ipng/html/ipng-main.html [sun.com]

  • by jochen ( 2803 ) <jochenNO@SPAMscram.de> on Thursday October 07, 1999 @10:14AM (#1630783) Homepage
    Using the network card MAC address as part of the IPv6 address is only one way of setting up the global IPv6 addresses (it's unmanaged autoconfiguration used by rtadvd). Alternatives are manual configuration or using DHCP with IPv6 extension.

    -- Jochen
  • by Anonymous Coward
    Ip's can be traced back to the machine as well, so i dont see what's the big deal... -Jagga Dakku
  • by Mr. Slippery ( 47854 ) <tmsNO@SPAMinfamous.net> on Thursday October 07, 1999 @10:17AM (#1630789) Homepage
    Shock! Dismay! Embedded in my network address is...well, my network address. Duh.

    I'm no more worried about my MAC address being in a network packet than my IPv4 address. Heck, I could change my MAC address easier than changing my IP - I sure can't change the IP of my PowerMac at the office, and changing my static IP at home would entail pleading to my ISP, but Ethernet cards are cheap.

    The author needs a clue.

  • Clear abuse issues (eg: SYN floods, ICMP attacks, port scanning, etc) can be audited internally.

    This would require an internal audit trail. Destroying this trail in response to a subpoena would be illegal. In order to survive, any "anonymous" ISP MUST do some sort of logging and auditing. Think of this scenario:

    • ScriptKiddie signs up to AnonISP, begins smurfing FBI.gov.
    • While smurfs are on-going (ScriptKiddie still connected), FBI knocks on AnonISP's door and asks for all information about the person doing the smurfing.
    AnonISP, having connection details available to them (even without logs), would be obligated to turn over that information.

    • ScriptKiddie smurfs CorpX.com.
    • CorpX.com complains, AnonISP cancels ScriptKiddie's account ("And don't come back!")
    • ScriptKiddie signs up again as PaketKiddie (you have no logs with which to prove he is the same person)
    • PaketKiddie smurfs CorpX.com.
    • CorpX.com instructs uplinks to block all traffic from AnonISP.
    • (repeat)
    • AnonISP, now blocked from the majority of conscientous ISP's, turns into a packet kiddie playground and goes out of business.
  • However, there was a case a couple years ago of a hacker in Brazil (I think), who hacked Harvard and a couple other places. They caught him by setting up some kind of 'intelligent' program that recognized and filtered his keystroke/traffic from everyone elses on a router, or backbone, or something to that effect.

    This was done with Harvard's (obvious) consent. As it would then be a privately owned network (not given "common carrier" status awarded to our lovely telephone networks), it would not be considered to be any form of privacy invasion (legally).

    You're only awarded protections against unauthorized searches/wiretaps when it comes to public networks. Your ISP/private university can choose to let the FBI see whatever they want. (At least that's how I understand things.)
  • Given the batch, they can link to a shipment (eg: to a specific store) and so on. The store can then link this to a credit card (or a range of credit card) sale...and on to the user(s).

    Not quite. At best, the store would be able to say, "Any one of the people that bought one of these cards between dates X and Y would have a NIC with the MAC address you specify."

    Purchases aren't tracked by serial number.
  • If I recall from reading the spec a while ago.. using MAC's is just one suggested method of providing ip's in the IPV6 world. Considering that you can, in a number of cases, change your devices MAC address, it hardly seems like a issue anyways. Lord_Rion
  • While the Windoze stack may put the card MAC address in the standard field, I don't see how any computer beyond the first router could know, or care, if that data has been spoofed or not. How many Linux implementations are going to have 00-00-00-00-00-00-00-00 or 07-81-51-12-06-66-66-66, or some random sequence, stuck in that field? Unless the final router uses it to get packets back to the sender (or something like @Home uses it to route packets to the recipient or the bit bucket!), it's going to be completely irrelevant.

    So... what am I missing?
    Deja Moo: The feeling that

  • If you have an ip address of somebody, there are ALREADY better ways to trace it than bothering to try and track down their ethernet card (and many computers don't even use ethernet cards anyhow).

    If you want to be anonymous, you would be much better off with mixmaster remailers (for anonymous email), anonymizer.com (for web surfing) and various anonymizing telnet services. In other words, a trusted third party to strip off identification for you.

  • by Waav ( 33401 ) on Thursday October 07, 1999 @10:27AM (#1630821)
    Frankly this is not very interesting, and not all that worrisome as explained by most other people who have already posted, so I won't go into the details again.

    However, this article makes me think that the guy who's job to write stuff on privacy issues on the net came up empty in the actual real security issues department and said, hey I can still write an article about why people aren't worried about an issue...in other words writing about privacy on a non privacy issue.

    He says that the EFF among others has not responded to this latest "privacy threat", perhaps he should have thought for a moment and realized...they aren't responding because there is nothing to respond to.
  • by jonathanclark ( 29656 ) on Thursday October 07, 1999 @10:27AM (#1630822) Homepage
    I thought I read that MAC addresses are centrally dispatched (by who?) in large blocks to card producers. So they only thing you could probably do is determine what company makes the ethernet card at the other end. There is no way the card companies could trace a particular card to you unless you bought it directly from them.

    However, since you can't really modify MACs, it could be as evidence in court to show who you are. With IPs this is a little harder to do because of the dial-up banks and ISPs are not required by law to keep logs (right?) The use of proxies shouldn't be any different from v4 to v6 because the proxy is not going to reveal your MAC, only it's.

  • by jochen ( 2803 ) <jochenNO@SPAMscram.de> on Thursday October 07, 1999 @10:27AM (#1630823) Homepage
    The MAC address being part of the IPv6 address is NOT mandatory. It may just be used for autosetup (just like the MAC address being part of an IPX address, as well). It is never used for routing or address resolutions anywhere. Neighbor solicitation and neighbor advertisements do the resolution in the local network and take over the rule or ARP from IPv4.

    -- Jochen
  • Redundant - no, you can not do that on the fly: your local network use it often.
    My ISP (sort of a DSL, LAN over phone within aparment complex) checks for it - stops working if I swap a NIC. My office LAN gateway same way - there are reasons not to allow for easy MAC changing on a LAN.
  • And I'm one of the biggest privacy freaks you will ever come across.

    Read the spec, and understand what that part of the IPv6 address is for. Then you will realise it is not a big bad privacy violation.

    The MAC address section of IPv6 is used mostly for locally addressable destinations. It makes an easier job for routers to figure out whether to route the packet.

    It is stripped off (or obfuscated) by a router when sending packets out into the big bad internet. Of course, your implementation of a routing process may vary, but other routers would strip it out as meaningless (i.e. the first cisco router).

    the AC

    And besides, YOU don't have any privacy, get over it! :-) (the rest of us are still fighting, but mostly the good fights)

  • To play devil's advocate for a moment, consider the benefits from allowing packets to be uniquely identified. 0) Firstly, I'm not at all sure that this is accurate. In theory, the client has complete control over its outgoing packets. I don't see why this couldn't be wiped to zero on outgoing packets. It would be a simple app, tho it would introduce some overhead into TCP/IP. 1) If the data section of the packet is being handled by SSL, unique IDs cannot harm you. This is because knowing the originator of the packet is meaningless unless you know what they are saying. The most information a snoop could glean would be that X is talking to Y at time Z. 2) packet spoofing would be far more difficult. Consider all the cracking cases in the last few weeks that implicated a national governmental body, probably falsely. First there was the "Department of Defense" breaking into the Australian stock Xchange, then the "Russians" breaking into the Department of Defense. A few months ago didn't the "CIA" break into something in France. Almost certainly spoofed. 3) PoD and DoS would become vulnerable to intelligent routers. Cisco I know tears its hair out over the susceptibility of its routers to denial of service attacks. But if all the packets bore the same GUID, it would be simple to filter them. 4) If you're super-paranoid, just have more than one ethernet card. That's where they're drawing out these GUID's you know, from your hardware signature. Microsoft does the same thing with the in-house GUID Gen program. 5) plus many more good reasons... :P
  • by SoftwareJanitor ( 15983 ) on Thursday October 07, 1999 @10:33AM (#1630830)
    However, since you can't really modify MACs

    Not on devices that ROM it... However, for example, Sun SparcStations (of which I own 3), hold their MAC address in a NVRAM (battery backed CMOS static RAM), which is quite readily modifyable (at least the last 32 bits or so of it is).

    I am sure that SparcStations aren't the only networking devices where the MAC address is so easily changed. Even in cases where it is ROMed, there are ways to reprogram EPROMs or burn replacement PROMs for most types of components if they are suitably socketed.

  • by Lalo Martins ( 2050 ) on Thursday October 07, 1999 @10:33AM (#1630831) Homepage
    Was on Technocrat.net yesterday [technocrat.net]. Summary:
    • It's an arbitrary value. You may use your MAC address or you may use something else.
    • Your MAC address isn't any more sensitive than your IP.
    • One of the main points of ipv6 is to give IPs for everyone, so why not? We will already have to rethink a lot of our "privacy" systems. We do a lot of what Perens calls "security trough obscurity"; relying on dynamic IP for "privacy" is in effect treating a bug as a feature.
  • by cananian ( 73735 ) on Thursday October 07, 1999 @10:44AM (#1630838) Homepage
    ...maybe the geeks picked on him for using windoze?

    In any case, the article, while obviously inflammatory, is backed up by very little actual fact. The author didn't bother to actually *call up* any of those 'professional privacy advocates' and ask them himself why this wasn't an issue (in other words, didn't do any real journalism) -- he just whined and complained that the people *who with very little pay occupy themselves with protecting _his_ privacy* thought they knew better than he about the implications of IPv6. And WTF:

    You would think that the 32-bit address field of IPv4, supporting more than 4 billion unique addresses, would be sufficient to last quite some time. Unfortunately, the cabal that controlled the disposition of these addresses had a habit of handing out large blocks to their friends, who parlayed these into start-ups with multibillion- dollar market caps. Hence, the "shortage."
    That's quite a statement to make unsubstantiated. Very poor journalism. And:
    The spooks and weirdos in Washington, ever eager to empower the surveillance state as they fight a rear-guard action against strong encryption, must be thrilled with such a gift. They appear so thrilled that the Institute for Information Sciences, heavily funded by the Defense Department, is writing a reference stack for IPv6 that it is quietly hoping to slip into Windows 2000.
    Eh? Since when was "heavily funded by the Defense Department" an automatic stamp of badness? Does this guy realize that close to 90% of *all* the academic research in this (American) country is one way or another "funded by the Defense Department"? Heck, *I'm* funded by the defense department. The whole *Internet* was started by and remains to some extent funded by the Defense Department. This is just lazy scare-mongering by some guy who considers his opinions too obviously important to merit support with real facts.

    If this guy is serious, he ought to research and back up his claims. Lacking any evidence to the contrary, I'd just as soon agree with the poster directly above, who claims that this NIC ID doesn't make it past the first router and so doesn't matter. That seems far more likely than the worldwide conspiracy that Bill Frezza would have us believe. If Bill can make a better argument, I'll go over to the standards and check for myself, but he has very little credibility in my book at this point.

  • by angio ( 33504 ) on Thursday October 07, 1999 @10:45AM (#1630839) Homepage
    The author of the "IPv6 Privacy Threat" article failed to consider a few things. As several people have already pointed out, MAC addresses are spoofable and changeable in many circumstances.

    More importantly, the IPv6 spec suggests (not mandates) the use of the 48-bit mac address for use as part of a local-use address. The local-use address as defined has only local routability scope - it will not trickle out onto the greater Internet. This was designed to provide an easy bootstrapping mechanism, and for non-Internet connected sites to configure their computers easily. However, the use of the 48-bit mac address is completely optional; it's not an automatically assigned address.

    Third, people who connect to the Internet via a DSL or modem connection don't need to worry. In the DSL case, their IP address is the IP address of the DSL modem. Since their IP address is provider assigned, and their DSL modem is provider assigned, there's no difference! A user who dials up via a modem will have an IP address assigned by their provider, just like they do now, and it will have no correlation to the hardware address of anything they own.

    For more infromation, Robert M. Hinden has a great article, "IP Next Generation Overview". Alternately, the story posted in the Times a few weeks ago provided a cogent introduction to the reality, not the hype, of IPv6. If you're an RFC type, check out:

    • aloni.com's IPv6 resources [aloni.com] which include a fairly full list of the IPv6 RFCs.
    • Or just look directly at RFC 1887 [ohio-state.edu], the IPv6 unicast address allocation document.
  • Interesting points, but I'm not sure about the TTL one..

    i mean what IDIOT makes a protocol with 128 bit address scheme and keeps TTL field of 8 bit (which makes maximal TTL be 256).

    Assume that each physical network has 8 links to it. Every time the size of the network increases eightfold, the maximum TTL needed to use all of that network goes up by one. Addresses run out MUCH faster than TTL's, as the network grows. Sure, there is going to be a lot of variation in size of subnets, but on the whole the net is much more broadly connected than it is deeply connected.

    Both TTL and address bits required grow logarithmically with the number of nodes, but TTL has a much higher base to that log.

  • Actually, you can just give mac as a param for ifconfig.
  • MAC addresses are supposed to be unique to each individual Ethernet card in the world. That is the reason for a central body who assign blocks of addresses. That also means that you in effect own the number on any NIC that you have in your posession. All those old 8-bit ISA etherlink cards have a number assigned to them that you can somewhat righteously recycle for your use if you're building ethernet hardware.

    Recently on one of the Embedded programming newsgroups someone handed out blocks of NIC addresses to anybody who wanted some. Since it's a 'commodity' that is hard to come by, and I have plans in the future, I requested a block. What with IPV6 it now looks like maybe I OWN a block of IP addresses, when it goes into effect.

    The reason for globally unique MAC addresses is so that hardware address conflicts are rendered impossible on any network anywhere. Reprogramming two NICs within a single institution (or household, or personal lab) is a rather foolish idea, and negates a numbering scheme that otherwise prevents address conflicts from occuring anywhere, at any time.

    It better not be my numbers you've grabbed. heheh.
  • by jd ( 1658 ) <imipak.yahoo@com> on Thursday October 07, 1999 @10:59AM (#1630849) Homepage Journal
    Ok, let's take a look at this.

    • IPv6 mandates that each port have a unique IP address, that that address be configured by the network in a unique way at the time of connection and any time the network changes, and that that address have a lifetime only marginally longer than the period of time that the topology higher up the heirarchy to that port remain the same.

      (In other words, if you move, your ISP moves, their ISP moves, etc, right up to the backbone itself, you are GUARANTEED a new, unique IP address. You are ALSO GUARANTEED that your old IP address will remain valid, and pointing to you, for a transition period.)

    • IPv6 also mandates that IP number clashes should be impossible, irrespective of user activity or mobility, or network topology changes.

      (This is not trivial. Not only does this require that your IP address is unique, when you connect, but that you are given a unique address, should you move, whilst still connected, AND that anyone connecting or moving over to your old ISP at the time you're transitioning will ALSO gain a unique IP address. In other words, they can't be assigned your old address, and you can't be assigned their old address, because that violates the uniqueness during the transition period.)

    • The use of the MAC address is an optional, but preferred, way to ensure this uniqueness. There are perfectly viable alternatives. Simply having the router assign a number out of a list wold work. It comes to the same thing, really.

    • IPv6 has many more mechanisms for privacy (eg: IPSEC, non-spoofable routers, etc.) than IPv4. The use of the MAC address, even if you opt to use it, doesn't help anyone locate you, or find anything out about you.

    • You can remotely ask for the MAC address of a number of devices, anyway, using good old IPv4. Only difference is that you can't restrict who asks.
  • by silversurf ( 34707 ) on Thursday October 07, 1999 @11:03AM (#1630851)
    If I remember right, the IPv6 spec also includes the capability to assign a portion of the address based on MAC and location(?). Or something to that effect (I could be totally off-base here, I saw a talk about IPv6 that discussed it in that way). Basically the idea being that it makes it much easier for packet to find you and for your packets to route as quick as possible to their destination.

    IPv6 is trying to address the problem of "dumb" packets that get shoved willy-nilly through routers as they are shuttled from one place to the next in search of their destination. IPv6 is supposed to provide a "smarter" packet that allows it to take the shortest possible (and quickest) route to/from a destination. All of this being done on a location basis. The MAC address, I believe, is used as a unique identifier to help keep addresses unique.

    I noticed a post that stated that there is no "database" for MAC addresses. I don't know if totally believe this. Every manufacturer produces a unique address for each card produced, thus guarenteeing that no repition will occur, especially since routers and switches cache and use the info heavily. So, how do they know who is making what MAC address? Also, a MAC address maybe easy to change, but how many users know how to do that?

    I am very concerned about privacy in IPv6. It seems like one big, global user tracking system to me.

    my $0.02,

  • Compliments of the linux.com tuning guide :
    On a related note, you can also have your card use a different MAC address

    ifconfig eth1 hw ether deadbeef0001
    (this needs do be done while the card is down for obvious reasons)

    now your card will answer all arp requests with DE:AD:BE:EF:00:01.

    The kernel performs this trick on most cards by setting the card into promiscous mode and using software to filter out all MACs that
    aren't yours which stands to reason it would be slightly slower than just using your real MAC.
  • by anticypher ( 48312 ) <anticypher&gmail,com> on Thursday October 07, 1999 @11:07AM (#1630854) Homepage
    I've read the RFCs, and there was no outrage on my part. I've sniffed v6 packets off of ethernet and from frame relay and ATM, with nothing triggering any moral alarms.

    The field can be anything, it exists so that a bunch of machines plugged into a hub without a router can route packets to each other. It is also there so a router can make some fast decisions about what needs routing, and what is local.

    The EUI field can also contain IPv4 addresses, Novell IPX addresses, OSI NSAP, etc. So anything can be put there, and as long as the u/l bit is switched to local, nobody cares. It is the local router who has to decide how to deal with incoming packets.

    the AC

    read RFCs 2460 to 2473, and especially 2373. Worry less, read more.
  • by anticypher ( 48312 ) <anticypher&gmail,com> on Thursday October 07, 1999 @11:26AM (#1630860) Homepage
    Since I'm stuck on a win machine, I went to look. Both on 95 and NT.

    In the network control panel, select the card driver, then properties.
    Go to the advanced tab, in properties there should be a Network Address. Change it from Not Present to Value, and enter a valid 12 character string, with no colons or dots or spaces.

    I think you have to reboot after that. I know this is becoming wider spread because home users on cable systems find they are tied to their original MAC address, and when they swap machines the internet stops working :-) There are lots of how-to for dummies cheat sheets going around for cable subscribers.

    the AC
  • I agree entirely. I can't see what facts this author is basing his drivel on, as we've been able to use 'arp' to dump machines' IP# MAC address correlations for a while...
    I also heard that IPv6 was going to be end-to-end encrypted, too - that wins big in my book any day.

  • Yet another example of an article full of posts by people that have NO CLUE WHAT THEY ARE TALKING ABOUT.

    The IPv6 spec SUGGESTS that the MAC address be used as an interface/link identifier (which must be unique). It's quite possible that this address would be reconfigured to something else in very short order. By setting the IPv6 address immediately with a known unique value, you have an instant (even if temporary) address with which to request a proper one.

    OBVIOUSLY not every network interface has a MAC address (such as serial links and tunnels). For those types of situations, some other pseudorandom number should be just as effective, so long as it doesn't conflict with somebody else on the LOCAL subnet (the interface ID only makes up *part* of the address, remember). In the case of dialup links, the address class we're talking about here probably won't even be needed to be figured in advance -- it could be negotiated as part of the PPP process.

    There is no privacy issue here. There are no evil NIC manufacturers in cahoots with the vendors to build a global database of all MAC addresses and your identity and buying habits.

    Quite frankly, I am rather EMBARRASSED by the number of Slashdot posters who regularly post crap like this on threads. They make NO effort whatsoever to independently verify anything they start violently complaining about. They just assume that the BIASED take they just read was ABSOLUTE, 100% accurate and researched TRUTH.


    Did you ever stop to think that maybe there's no outrage over IPv6's MAC recommendation because THERE WAS NO REASON TO BE OUTRAGED?

    A bit of light reading for those that want to talk in an intelligent manner (in other words, no idiotic paranoid conspiracy theories):

    • RFC2373 [faqs.org] - IP Version 6 Addressing Architecture (esp. section 2.5, 2.5.1 and Appendix A)
    • RFC2460 [faqs.org] - Internet Protocol, Version 6 (IPv6) Specification
    • RFC2374 [faqs.org] - An IPv6 Aggregatable Global Unicast Address Format
  • 2. Windozers and Mac-heads don't know or care about the nitty gritty. Just insert AOL disk here...

    You probably ought not to make such sweeping generalizations, lest this particular Mac-head start making sweeping generalizations going the other way. I both know and care about the nitty gritty.
  • Don't be a lame skript kiddie, and nobody will have any reason to need your MAC address. It's not like it'd be incredibly difficult to figure out who's got what IP anyway.

    I really don't see this as a usurping of my freedom. Maybe I'm just not paranoid enough.

    - A.P.

    "One World, one Web, one Program" - Microsoft promotional ad

  • I don't see how, as others have said, this is any different from having your IPv4 address sent around the Internet in IP packets. Once there's a way of matching a name, face, and address with a NIC card, I'll become the slightest bit worried. Until then, I have more important things to care about, and, apparently, so does the rest of the world.

    This is not an outrage. This is not even invasive. Hell, you can change your MAC address most of the time. If you're worried someone will find it easier to catch you DoSsing others on the Internet, well, that's your problem.

    - A.P.

    "One World, one Web, one Program" - Microsoft promotional ad

  • I noticed a post that stated that there is no "database" for MAC addresses. I don't know if totally believe this. Every manufacturer produces a unique address for each card produced, thus guarenteeing that no repition will occur, especially since routers and switches cache and use the info heavily. So, how do they know who is making what MAC address? Also, a MAC address maybe easy to change, but how many users know how to do that?

    I am very concerned about privacy in IPv6. It seems like one big, global user tracking system to me.

    The MAC address is implemented just like a serial number. E.g. Batch 1 gets MAC address 1-100. Batch 2 gets 101-200. There is no "database" that the company has somehow managed to compile that links your MAC address with anything resembling your identity. You think the stores they send these NIC's off to turn around and report back to the manufacturer with your identity and buying habits? It doesn't happen.

    Don't be so paranoid. Companies tend to only spend resources on things that will earn the company a profit. An internal database of MAC addresses earns the company absolutely NOTHING. The infrastructure required to create and maintain such a database for zero profit (or even useful market research, as MAC addresses are nearly useless for doing any real tracking) just doesn't seem like a likely thing for a company to do.

    In order for this to even be remotely successful, you'd have to get all of the NIC companies and the VENDORS themselves together on the conspiracy and have them all sharing their MAC addresses and databases of customers and buying preferences. This doesn't seem very likely.

    In fact, if someone wanted to track your Internet activity, it would be FAR easier for them to break into your ISP, track your dynamic IP addresses as they're assigned, and monitor your traffic that way.
  • by Anonymous Coward on Thursday October 07, 1999 @12:06PM (#1630887)
    [previous poster noted the journalist's attack on the way IP addresses are allocated by ARIN and formerly InterNIC]

    It sounds like the journalist or one of his good friends or family has been screwed by the address allocation policies of ARIN (and previously the InterNIC). I can understand his hate. I'm losing customers now, because I can't get more addresses. I lost a customer in August that would have had 40 offices connected to me via frame relay, because it took me over 6 months to get enough addresses freed-up to handle their machines. MIT and CMU have 16 million addresses each, and I can't get another address so I can connect another dedicated customer or another dialup port. @Home got 24/8, and they only have a couple of thousand customers at the time. His claims are unsubstantiated, but the frustration and hard feelings aren't. Even after writting a $5,000 check to ARIN for a /20, I still don't have one. That's more than I pay myself! ARIN claims they won't assign it because I don't need it. I'm using a /22 from MCI and 4 /23's from another provider. I qualify. I've spend almost 50 hours a week renumbering equipment over the past two years, because I'm having to reclaim blocks. Yesterday, I moved a customer with 29 computers from a 64 address block down to a 32 to free-up half of a class C for a new customer. When my old customer adds two more computers, I'm going to have to renumber them again. It's killing me. Rather than working on finishing my OpenSource ISP billing software, I'm forced to drive-out to customer sites, change router configs, and help change machines (or a single DHCP server, if I'm lucky). It's yet another case, how large businesses use their position and cash to screw-out their smaller competition. And, you complained that the journalist needs to back himself up...

  • by Wakko Warner ( 324 ) on Thursday October 07, 1999 @01:45PM (#1630892) Homepage Journal
    The IPv6 spec calls for 128 bit IP addresses. You know how HUGE that is? "wasting" 48 bits of it amounts to a grain of sand on a seashore, or a blade of grass in your backyard; it's absolutely immaterial. You've still got 2^80 IP addresses to play with -- that's 1,208,925,819,615,000,000,000,000 addresses even AFTER you've used up 48 bits with the MAC address.
    Hell, wasting even a few trillion addresses wouldn't mean squat.

    Once we start giving a few hundred billion IPs away in every cereal box or package of sports trading cards, I'll be slightly worried.

    - A.P.

    "One World, one Web, one Program" - Microsoft promotional ad

  • Then try:
    cat /proc/net/arp

    Of course, this will only show hardware addresses on your subnet, not of everyone you send and recieve backets from, but oh, well.
  • by JerseyTom ( 16722 ) on Thursday October 07, 1999 @12:27PM (#1630904) Homepage
    I'm disappointed that this article shows a basic lack of understanding about IPv6.

    I'm MORE disapointed that all the replies on slashdot show they underestand EVEN LESS ABOUT IPv6 Here's the issue: A host's IPv6 address will be 128-bits long. the last 48 bits are going to be the same as their Ethernet ("MAC") address.

    Therefore, if I plug my laptop in at work, it will have one address, and if I plug my laptop in at a Internet Cafe, it will get a different address. However, the last 48 bits of both addresses will be the same.

    Someone had the mistaken impression that the entire IPv6 address would stay the same no matter what. That's not true. That would make routing very difficult.

    Someone else pointed out that the Ethernet "MAC" address of a host can be changed in software. Yes, that is true for newer NICs. However, the average user will not know how to do that.

    So, the big issue is that other people will be able to trace a computer as it moves from network to network. In IPv4 one could trace an IP address back to a particular ISP or company... but then you had to rely on the local admins to break any confidentiality to get to the exact machine.

    With IPv6 if you catalog the last 48 bits of all the hosts that connect to you, you will eventually be able to coorelate where hosts are moving.

    Is this a requirement of IPv6? Not really. This was done to make host configuration without DHCP possible. (There is a DHCPv6, but it only adds features to the native host configuration "AutoConfig" stuff built into IPv6). A IPv6 stack could choose to pick random numbers instead of using MAC addresses. It would just be a simple matter of programming.

    Oh, there is one more point I'd like to debunk. That IPv6 development is U.S. Department of Defense funded. Well, they fund a little of everything, so don't get all worried. Heck, they funded the original IPv1 thru IPv4 development too. So deal.

  • An internal database of MAC addresses earns the company absolutely NOTHING.
    But if that MAC address can be used as a globally-unique key to identify a machine (and, in all likelihood, its regular users), it becomes even more valuable than a cookie.
    In order for this to even be remotely successful, you'd have to get all of the NIC companies and the VENDORS themselves together on the conspiracy and have them all sharing their MAC addresses and databases of customers and buying preferences.
    No, all they have to do is build up a profile of access patterns for each MAC address, which builds a picture of the user(s) of that computer; even if you succeed in remaining entirely anonymous or pseudonymous, every access can be related to every other. The first time you do anything on the Net that associates that MAC address with your name, all of your past anonymous and pseudonymous activity is instantly "outed" (and all of your future activity ditto).
    Deja Moo: The feeling that
  • by Anonymous Coward on Thursday October 07, 1999 @02:17PM (#1630914)
    In response to the previous comments, the first half of the MAC address is assigned by an authority to hardware manufacturers. There is also a bit in the first half which designates the MAC address as locally assigned or globally assigned. Beyond this, pretty much all cards will allow you the change the MAC address (Hence the local vs globally assigned numbers). This is not an invasion of privacy, since no one can track the specific MAC address to a particular person. * The invasion of privacy is when this part of the IPv6 address is used to track an individual, which is much more effective then tracking IP's, as they are usually dynamicaly assigned *
  • As if every packet you ever send out cannot be traced back to your machine already? Yes, this would make that task so much simpler.

    I will point out a massive technical inaccuracy and oversight... the MAC address is not "embedded in your hardware". Sun ethernet cards don't have MAC addresses anywhere on them -- it's generated based on the hostid of the machine (which is very easy to change in the PROM) _AND_ ifconfig supports SETTING the MAC address. It's certainly not etched into the silicon. In most cases, it's trivial to change the address stored in the card's EEPROM.

    "Permanently." Are you certain of that? I don't know about every other network card on the planet, but I've never seen one with any carved stone on it.

    Gee, maybe EFF and others aren't on the war path because this isn't a problem.

    IMO, the author is being a bit of an alarmist here. Why is it people always foam at the mouth about "internet privacy" when they already leave enough of a paper trail for a hamster to track them from another planet? How many credit cards do you have? Do you have a social security number? Do you own a car? (Look at the bottom of your Mountain Dew can some time.)

  • by Anonymous Coward on Thursday October 07, 1999 @02:51PM (#1630938)
    There is no requirement that the lower 64 bits of an IPv6 address be your EUI-64. It's merely one possible method of generating an address. This columnist should do some research before he writes.

The IQ of the group is the lowest IQ of a member of the group divided by the number of people in the group.