Are There Still Privacy Concerns With IPv6?
Zanguinar asks: "Whatever happened with the privacy issues in IPv6? I recall there being a small uprising by privacy advocates and even this article on Slashdot. However, I don't recall ever hearing more about it. What has the response from IETF and IANA been? Did they do something about it, or just dismiss it as unimportant? I cannot find anything recent (i.e. in the past six months) regarding this. With the news that some companies may soon begin using IPv6, I'm a bit concerned..."
Oh god - more crap from somebody that doesn't know what they are talking about. Please read the fscking IPv6 draft before posting!
..."
Buy nothing from any vendor that forces you to use the MAC address option
Doh - the other end can't force this - you can either say "use my MAC address to construct my address" or "use something else like this random number or address server".
Buy nothing from any vendor that turns the option on by default
See above
Buy 4 NICs and switch them once a week, confusing the HELL out those bastards tracking you
Learn how a computer works! Just change the MAC address on the same nic, cheaper, quicker, easier.
The reason MAC addresses are used as the last 64 bits in the IPv6 address is to scrap ARP IP->MAC resolution. For PPP/SLIP or tunnel users it is generated randomly, and you can do the same and change your MAC using 'ifconfig' whenever you want to. IPv6 includes security functions for end-to-end authentication and encryption of payload data including headers using md5, sha1, 3des, rsa, rc5, blowfish, etc. So it's way more secure than IPv4.
Your concerns are fully addressed by this slashdot article. --Doug Moen
The privacy concerns with IPv6 are really no greater than with IPv4. Yes, even with the IP address possibly tied to a MAC address (which, I might add, it does not have to be). Think about it...
1) Your MAC address is already embedded in every single packet going out of your Ethernet card, no matter what protocol you're using. It's the way Ethernet works.
2) MAC addresses are handed out to companies or individuals in huge chunks. The body that does this has no way of tracking right down to the user, only to the card manufacturer. If you're really concerned, pay for your NIC with cash and don't register it with the manufacturer.
3) MAC addresses are configurable with most card/stack combinations. So chances are you can change your MAC at will.
4) The IPv6 address is not necessarily tied to the MAC address. There are other ways to do it.
5) If even these aren't enough for you, please remember that services like Anonymizer still exist.
6) One feature of IPv6 is security. In order for transmissions to be secure, they have to be verifiable for obvious reasons. In other words, if you want to have truly secure communication, you have to give up some measure of privacy, just enough so that you can be verified as the intended recipient. Conversely, you can have private communications if you want them, but in doing so you lose all semblances of security because there's no way to verify who's on the other end. It's a tradeoff; take your pick.
7) It's an outright fallacy to think your Internet communications are currently truly anonymous. Even under IPv4, you leave a trail of "mouse droppings" wherever you go, and these can be traced straight back to you if the hops in the chain are willing to cooperate (you can foil this by using things like Anonymizer, who won't cooperate, but this will be no different in IPv6).
So yes, you might say there are potential privacy concerns with IPv6. However, they're no greater than those already in the IPv4 system we've been using for many years, and they're just as easy to circumvent if you truly need the extra measure.
----------
Hang on, where did aphor say anything about "systematically rebalancing economic power away from the owners of the means of production"? He's talking about the basic old supply-and-demand stuff that assumes the consumer has as much market power as the producer - which is rarely (and decreasingly) true these days.
I miss Meept.
Point taken, but that's still got nothing to do with Marx or a system that rebalances power away from the producer.
Ignoring the fact that I've forgotten who said it, the issue is that consumers have less power in the market than they used to have.
I miss Meept.
As the IETF pointed out, this is a optional implementation, but not a requirement of the standard.
--
Why pay for drugs when you can get Linux for free ?
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Statement on IPv6 Privacy Concerns
--
Why pay for drugs when you can get Linux for free ?
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Summary: "Don't gripe that IPv6 is insecure, since IPv4 is insecure also."
Is that what you really mean? It certainly seems so.
Just because there are [whichever] problems in the status quo doesn't mean that [whichever] problems need to be accepted in future "improvements" in the (future) norm.
Changing an insecure model to a new model is the optimal time to fix the insecurities.
(Why isn't this self-evident? What am I missing here?)
"whether you like it or not"
It truly amazes me the number of people who respond to the outrageous by saying "So what? That's reality."
To use a (United States-centric) analogy: In the sixties, many persons decried the existence of racial injustices, such as "separate but equal" restrooms, white-only lunch counters, etc. And many "negroes" (to use the term of the day) reacted to the protests of their peers saying "That's just the way it is; you will never change it. Be quiet and accept it rather than irritate the oppressor."
It was only *because* people refused to accept the unacceptable that change was made (albeit slowly.)
The same could be said of almost any social justice issue, not just racial matters. Change came only because people did *NOT* _tolerate_ the unacceptable.
Why do people tolerate privacy invasions? Why do people tolerate the erosion of their basic rights? Why do people tolerate anything that they perceive to be unfair or inappropriate?
It scares me to see the trends in this society. ("Sheeple" irritate me, regardless of whether the term is cutesy or not.)
Why is "...then DO something about it!" no longer an acceptable response? :-(
I've never heard of 'mac translation', but there's no performance loss when using a MAC address other than the one in your card's ROM. At initialisation time, the driver basically loads the MAC out of the ROM (from the network card) and gives it to the little controller-chippy thing on the network card. It can just as easily give it another MAC; the procedure is exactly the same. Try:
ifconfig iface ip netmask netmask hw ether mac-addr
This is for linux, I'm not sure freebsd's ifconfig supports setting the mac, it doesn't appear to know the hw param.
What you might be thinking of is a not-so-subtle hack to pretend to have multiple NICs on a single network, where you put the NIC in promisc mode, and then do the filtering of incoming packets in software. This is quite a bit slower than doing it in the hardware on the NIC, but has the nice side effect that you can have as many MACs (and thus give them each an IP, and thus have them appear to be different interfaces) as you want.
I think you're confusing it with multicast, which appears to do some promiscoid stuff... However, if you could give some evidence of your claim... (source line numbers would be nice).
It was no biggie in the first place; simply stating that, as an option, a network could choose to use the last 48 bits of their address space by simply using the MAC address of the respective computer. Darn good idea, ensures unique space, makes management easier.
Not at all necessary, or required.
That's basically exactly the logic they used. And you can also change your mac easily.
They didn't want your mac to change just because your network card blew up.
Kudos to them.
Land Of The Free.
As I found out when I put another NIC into my Sparcstation 4 (currently doing its job as a firewall/NAT box). I was quite surprised to discover that both NICs in the SPARC -- built-in and the card -- had the same MAC address. I started worrying and hit Google.
It turned out that on SPARCs (at least older ones) the NICs do not have their own MAC address -- they get theirs from the motherboard! So if a machine has two (or more) NICs, they all have the same MAC, which is really a motherboard MAC.
I think the Sun argument was that multiple NICs are likely to find themselves on different (physical) networks, so having the same MAC address for all of them was OK, and it probably saved five cents somewhere.
Kaa
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
That sounds like it was lifted from the back of my original (U.S.A.) Social-Security card.
We all know how long THAT promise lasted...
--- Mercutio was right.
Notice they don't say that anymore?
:-(
Get a new one and check it out
--- Mercutio was right.
I don't think there is a 'manufacturer-field' part of the MAC. It's just that the numbers are given out in large blocks by the Grand High MAC council or whatever it is. Might be wrong though.
MAC = Media Access Controller; a MAC address is simply your address on the Ethernet.
-- Tim Buchheim
I wouldn't worry too much about your MAC address being exposed. There are much better ways to track what people are doing, and to combine the information that is gathered about you.
You can store a unique personal number in somebody's cookie, and use that to track what they are doing. This is especially powerful in combination with big banner ad servers: the ad server reads your cookie, and combines this information with the URL the banner ad was on. This information can even be augmented with data (like your home address) that you fill in on web forms, assuming that the site owner is willing to sell that kind of data. And why wouldn't they?
The banner ad doesn't even have to be visible for this purpose, it can be a 1x1 pixel transparent gif.
Most users aren't concerned with privacy anyway; let's face it, 99.9% of all users are not doing anything illegal anyway.
What has privacy got to do with illegal activities?
There are a lot of completely legitimate reasons for wanting privacy.
Also, don't confuse privacy and anonymity.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
This is almost exactly what AT&T's Crowd's does. Haven't heard anything about it in ages, but this is what it does. No link handy at the moment, unfortunately.
Static IP won't be the norm, it's a pain in the ass to manage.
Probably less of a pain; certainly it would be the end of whole ISPs being blacklisted because of a single jerk or spammer.
Really mess up people's log files :), each time you hit someones site you would be showing up as a different unique user for every page and image you got...
~ppppppppö
Check the Internet Draft "Privacy Extensions for Stateless Address Autoconfiguration in IPv6" draft-ietf-ipngwg-addrconf-privacy-03.txt
I, for one, will NOT support dynamic IPv6 addresses in any software I write. The last thing I want is another trend where ISPs get away with giving you a dynamic IP and charge you extra if you want a real (static) IP, and calling it a 'privacy feature'.
--------
Life is a race condition: your success or failure depends on whether you get the work done on time.
So can a dedicated person with adequate resources. I, personally, LOVE the idea of global, static addresses, because it means we can finally make use of purely peer-to-peer protocols, rather than the horrendously kludgy client-server protocols we use now.
(Example: All our internet pagers could have long been replaced by SMTP.)
--------
Life is a race condition: your success or failure depends on whether you get the work done on time.
>Whether you like it or not, everything you do is being monitored anyway. It's just how America works.
I'm not in America, and have no intention to be. Luckily, this is not how most of the world works. Please don't go stuffing this monitoring down the world's throat just because some American companies may want to. The net doesn't end outside the US.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
actually, I do give a shit. I don't want a net ruled by companies based on american laws practically written by those same companies. IPv6 will be adopted worldwide, so this is a worldwide issue. discounting certain problems with IPv6 because 'that's how america works' is shortsighted. Or do you want it built in the protocol to inform a government database when you view subversive information, cos that's how <insert favourite tyrannical country> works?
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
>If you aren't willing for it to be YOU saying it in public, then you quite possibly shouldn't be saying it.
Unless of course you can get killed for saying what's on your mind. This may not be the case in the US, but anonymity can be really important for political dissidents. If the US is justified in requiring everyone to identify themselves at all times, then so are other governments.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
If you want privacy, don't use public forums/exchanges/etc. Same thing goes with the "real" world. If you don't want people to see you have sex, don't do it in Time Square or Central Park. To take what people think privacy should be to the real world, you would have some means of completely disguising your identity, so that you could have sex in Central Park and have it be "private." Anybody with a brain, however, would realize that you aren't doing it privately, only anonymously. We are not guaranteed a right to anonymity, and I'm not entirely sure we should be able to be anonymous in a public forum. If you aren't willing for it to be YOU saying it in public, then you quite possibly shouldn't be saying it. If you should be saying it, you should be working against the forces that make you uncomfortable voicing those thoughts as a human being, not fighting for your right to hide.
Sad to say, neither does monitoring of what you do online. If you think people in your country (whatever it may be) aren't monitoring you.... Well, all I can ask is, "What is the speed of light in the little universe you are in?"
We are all in danger of losing our privacy.
www.eFax.com are spammers
However, most cable modems don't pass your NIC's MAC to the network, rather they pass their ID. It is almost certainly possible for the cable company to track your MAC address, however I've had no luck tracking the MACs of the jackasses who probe my system.
www.eFax.com are spammers
Users can arbitrarily change the MAC addresses on all modern cards without too much trouble. They might be able to figure out what mfr your NIC card is if you've not changed it, but I don't think we'll be seeing black helicopters descending on your house.
Besides, a simple ARP request will get a person's MAC if they're on the same subnet (or there is a machine configured to forward packets between two subnets, beyond that). I think this is more an issue of people not having a clearer understanding of what's in their computer, and how it can be (mis)used. Hey, if I know your IP address and have a time, I'm just a subpoena away from getting all the information your ISP has on you. Is that a big privacy concern? Not really.
--
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
There's not really a whole lot you can do about that (Maybe use an anonymizing proxy to hide the originating address.)
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
This doesn't make sense to me.
(just to recap) Company X wants to make sure that only registered or correct boxes are using their VPN product. They do so by validating the IPv6 address, which contains a variable portion (the provider address) and the MAC portion (the network unique portion). So the VPN box in question strips out the MAC portion and goes to some table it contains which has EVERY SINGLE MAC address registered by the company using the VPN. Besides the obvious logistic problems (how is this table constructed?), this is entirely spoofable. Let's start with the obvious - resetting your MAC address to one allowable by the VPN software. Now if we're buying this box why can't we just waltz over to it and change the table? Or use linux or bsd and change your IPv6 address whenever you feel like it (for reverse engineering purposes).
What is this mysterious "MAC algorithm" doing? Hashing your MAC address? Using a different hash with the new box? Or are they setting your MAC address for you? What you seem to be suggesting is that company X can force a buyer to use an IP address. It doesn't matter if it's derived from the box's MAC address or some other randomly selected source.
gid-foo
I believe there is a performance hit when enabling MAC translation. I've not used it so I can't comment on how much of a slowdown there is though. -Pete
It wasn't so long ago that Intel was roasted over an open fire for embedding unique serial numbers in their CPUs. No matter how high and lofty their proclaimed goals were, we saw it as an easy way to track people. Even Amnesty International protested.
Now, we see the emergence of the IPv6 protocol attempting to use the embedded supposedly-unique serial number (MAC address) of your NIC. Currently, we believe these numbers can only be tracked to a manufacturer. In time, this can change. If there is the proper political climate, it will.
DHCP isn't perfect. The arbitrary assignment of an IP by your ISP can be traced- but it takes a subpoena and reasonable grounds for obtaining the information. By connecting the number you receive to something on your machine, you effectively remove the ISP as an IP broker. The result is your privacy just became that much easier to thwart.
-Ouija-
-Ouija- poke 53280,11:poke 53281,12
Even with dynamic addresses, you cannot prevent "spywares" (say, those that create their own ID) or those nasty 1x1 GIFs that try to identify you, unless you run a firewall of some sort that filters outbound connections.
I don't think IPv6 can address this...
This is a federally regulated government form. This form must be submitted, in writing, completely filled out, before your newly born child turns one (1) year old.
As technology has become increasingly pervasive in our lives, it is now necessary to apply for a IPv6 address as well as a social security number. Your newly born child's IPv6 address will never be used to track or collect data, nor should it be used for identification purposes. The IPv6 address is there only to guarantee access to the Internet at large.
Please note that an e-mail address in the form of first.middle.lastname.cityname.statename.zipcodename@usps.com will also be issued with your social security card. (Please note that the address is @usps.com, not @usps.org. The US Government is not happy with the .org designation, as it tends to be used less often than the .com designation.)
Thank you for your continued tax payments.
Welcome to the New World Order.
My reality check bounced.
That was the point. :-)
:-)
I was hoping to get a +1 Funny, but..
-- Talonius
My reality check bounced.
Privacy is in the eye of the beholder.
Got Rhinos?
Got Rhinos?
I don't think anyone disagrees that tracking people by MAC address gives the supply side an edge in their marketing powers. What I think people are concerned about is the worst-case scenario of a more solid, focused, revenue model.
Adam Smith capitalism is supposed to be consumer driven, but lately we've been seeing power shift to the producers. That gets dangerously close to fascism when you see how government involvement plays in.
--- Nothing clever here: move along now...
Company X has a neat VPN box for the SOHO. To make sure that their VPN boxes are only connecting to each other and not to someone that's trying to reverse engineer them, they use the MAC address as well as the IP when connecting. This allows them to have decent planned obsolescence. Change some MAC algorithm and voila, can't use old box with new box and new box's feature set.
This is transparent to the end user, unless you try to VPN to the cube with your Linux/BSD/BeOS box and it refuses to connect. Then you realize that the MAC portion isn't optional. A company throwing stones in the path of the reverse engineer, and trying to lock a customer into their product alone, could find some uses for the MAC in IPv6, and would NOT make it optional.
This is just one example that I came up with AFTER I read the spec the FIRST time around.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
- Buy nothing from any vendor that forces you to use the MAC address option.
- Buy nothing from any vendor that turns the option on by default.
- Buy 4 NICs and switch them once a week, confusing the HELL out those bastards tracking you.
- Fight any proposal to change that option to a requirement.
- Scan the net a bit and use an open proxy server to surf through (obfuscation attack?)
And of course my favorite: wear a latex suit and wrap your head in aluminum. This totally disguises your actions on the Internet and makes you totally anonymous. PS: privacy starts at home; is your phone number listed?
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
While we techies will have no problems, what about the ordinary people?
The first time I parsed that I read I cannot seem to locate my penis.
Bobbitt!
:wq
I suppose I should just read the old article. ;)
I'm not wrong, I simply said "many people don't use ethernet to connect to the net." And that stands as truth. The majority of casual net users world wide connect through conventional modems.
Ethernet won't last long, anyway. I'd say about another 5-10 years and it'll be almost extinct. IPv6 will still exist, however, and that's where the problem lies; in using mac addresses to form IP addresses.
Anyway, my point is that using hardware as part of a universal protocol is a stupid idea.
because MicroShaft likes to use it as a unique identifier which shows up in lots of documents that you create
I'm sorry, but this is not a Micro$uck$ standard, but an OMG [Object Management Group] standard. It started with their RPC standard.
That's funny, and a good idea to boot!
It might be better given the weird state of the laws in the U.S. though to use something like, 'IPPrivacy Inc.' or something similar. The ever-popular Acme brand ethernet adapters would work for Wile E. Coyote, why not me?
This is an ex-parrot!
The real Slim Shady.
TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
The software in question routes all HTTP requests along an anonymous route of Freedom servers. Only the last and next hops are known to any server in the route; the destination node doesn't know where the request came from, and the intermediate nodes don't know the destination or the source!
In addition to this, private email is included.
that's where the problem lies; in using mac addresses to form IP addresses.
This idea is screaming, "LAME!" MAC addresses are only 48 bits; IPv6 allows 128 bit addresses. If the IPv6 designers thought 48 bits would be enough, they should go back and listen to Bill Gates say, "640K of memory is all anyone will ever need." They should look at our current 32 bit addressing scheme. They should look at me, connecting over a 14.4 modem.
wrt DickBreath's reply, I don't know what'll replace Ethernet... but I envision going back to coax and using broadband on it (instead of baseband.) If you can cram video information for 50 cable channels on it, it should be reasonably high bandwidth.
-- LoonXTall
~~~LXT~~~
Life is like a computer program: anything that can't happen, will.
I promise you that it isn't, and Adam Smith agrees with me. The idea of systematically rebalancing economic power away from the owners of the means of production is one that only arrives after Marx, let alone Smith. And I think you may be working from a wonky definition of "fascism", too.
-- the most controversial site on the Web
You'll find this assumption nowhere in Adam Smith; the perfect competition model basically comes in with Samuelson, or with Debreu and the Lausanne School at a pinch.
Adam Smith was an actual person, who had a very specific view of political economy. He wasn't a minor pagan deity to be invoked in support of any random argument you might care to support with a vaguely free-market flavour.
-- the most controversial site on the Web
this is not a first post.
just wondering how is this worse than ipv4?
The coffee god lives!
Some people do not use NIC with MAC address (dial up users) so that part of the spec must be optional.
My roommate happens to run IPv6, and I can *assure* you the issue over the MAC address inclusion is far from the truth. Parts of the MAC are used in the address, as well as probably the last 2-3 fields. You can't possibly track a NIC down with that information. A MAC has 2 principal parts: a manufacturer ID (the first 2-3 fields) and the variable part (the rest of the MAC).
This is the general case, since depending on the OS, your MAC could be read differently.
You can even kernel hack it in Linux to create a different MAC! (Someone I know did that and changed their OS to report '00DEADC0FF33' as the new MAC.)
All of this variability and recombination makes it very difficult (if not impossible) to deduce the MAC from the IPv6 address. The other hex parts of the address are generated on the fly anyway, when you get assigned your address after boot.
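Two things this thread keeps circling are how the MAC ends up inside a stateless-autoconfigured IPv6 address, and what the "Privacy Extensions for Stateless Address Autoconfiguration" draft mentioned earlier does about it. The example below is added here and is not code from any poster or from the IETF; it implements the modified EUI-64 construction (insert ff:fe in the middle of the 48-bit MAC, flip the universal/local bit), the reverse step an auditor would use to flag addresses that expose a hardware identifier, and a temporary-identifier generator modelled on the privacy-extensions scheme as I understand it (MD5 over a history value plus the EUI-64 identifier, leftmost 64 bits become the new identifier with the u/l bit cleared, rightmost 64 bits become the next history value; treat those details as my assumption, not a quotation of the draft). The MAC, prefix and address list are constructed sample values.

```python
import hashlib
import ipaddress
from typing import List, Optional, Tuple

# Bit 6 of the first octet (value 0x02) is the universal/local bit.
UL_BIT = 0x02


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= UL_BIT  # flip u/l so a burned-in (globally unique) MAC reads as 'universal'
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier, as stateless autoconf does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconf needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address, or None if the identifier
    does not carry the ff:fe marker (e.g. a privacy/temporary identifier)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def temporary_identifier(history: bytes, eui64_iid: bytes) -> Tuple[bytes, bytes]:
    """Privacy-extensions style temporary identifier (assumed scheme, see lead-in).
    Returns (new 64-bit identifier, next 64-bit history value)."""
    digest = hashlib.md5(history + eui64_iid).digest()
    new_iid = bytearray(digest[:8])
    new_iid[0] &= 0xFF ^ UL_BIT  # clear u/l: the identifier is locally generated
    return bytes(new_iid), digest[8:]


def audit_addresses(addrs: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Defender-side check: which addresses in a log leak a hardware identifier?"""
    return [(a, mac_from_address(a)) for a in addrs]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real host.
    mac = "00:0c:29:ab:cd:ef"
    addr = eui64_address("2001:db8::/64", mac)
    print("EUI-64 address:", addr)                  # 2001:db8::20c:29ff:feab:cdef
    print("recovered MAC:", mac_from_address(str(addr)))

    history = bytes(8)  # first-boot history value (constructed; real stacks randomise it)
    tmp_iid, history = temporary_identifier(history, mac_to_modified_eui64(mac))
    tmp_addr = ipaddress.IPv6Address(
        int(ipaddress.IPv6Network("2001:db8::/64").network_address)
        | int.from_bytes(tmp_iid, "big"))
    print("temporary address:", tmp_addr)
    for a, leaked in audit_addresses([str(addr), str(tmp_addr)]):
        print(a, "->", "leaks MAC " + leaked if leaked else "no MAC recoverable")
```

The audit function is the part a practitioner would run over web or firewall logs: any IPv6 address whose identifier has ff:fe at octets 3-4 hands you the vendor OUI and the per-card serial, which is exactly the correlation the privacy-extensions draft exists to break.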
Hmmm. This got me to thinking.
If you change your MAC to mask your identity, you should change the manufacturer-field part of the MAC to indicate that the manufacturer is something such as:
I'll see your senator, and I'll raise you two judges.
When using the telephone, you usually don't want/need to be anonymous.
:-)
The Internet is used in an entirely different way and for different purposes. Entertainment device. Shopping. Posting trolls and flamebait. Cr/Hacking into Slashdot.
I'll see your senator, and I'll raise you two judges.
But even then, the ISPs may go to fixed IPv6 blocks for customers, so changing your Ethernet MAC address won't be enough. They can simply track your entire LAN full of computers through your prefix address.
Now, there's nothing that says you HAVE to use your MAC address for the low 48 bits, it just has to be unique, and that's (supposed to be) a unique identifier. (Though I have heard tales of runs of Ethernet cards with identical MAC addresses in their PROMs.) But even if you go changing that around, you may still have the same prefix assigned by your ISP every time your connect, and you can be tracked with that.
So the ISPs still need to provide a DHCP-like protocol to allow you to have a (somewhat) random prefix. But they don't have much incentive to do so, because 80-96 bits is so large, they won't run out of IPs. Right now DHCP and PPP automatic address assignment is so important because IPv4 address space is tight, and if you have a 10-to-1 modem pool, you only need an IP block large enough for your modem pool and your maximum expected number of customers who disconnect their computers when they aren't using them.
And again, even if they do, your computer could still be using the same MAC address with every prefix. So the MAC address isn't the whole problem, but it seems to be the bigger problem, because it will normally be assigned by the user's machine.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
The MAC address has absolutely nothing to do with Apple Computer in Cup-of-tea-now, right?
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Don't flame, just wanted to make sure that Steve Jobs didn't proprietarize yet another piece of networking. BTW, what exactly does it stand for? (and I never took Networking yet; I learned all I know about TCP through experience. So don't be so arrogant as to criticize the professor of experience; he will smite you someday.)
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Hmm, anyone want to sign up with zero's ISP? One high-speed 56k dial-in (323 area code in the USA) and 1 gig of web space. Hell, you send us a linux box and I'll put it on the network which has an ADSL.
When I was a boy the government stole everything from us.
Those aren't compiler warnings; they're suggestions.
What we need is a program that will automatically change your MAC address as it is sent at predetermined intervals. I am not a programmer so I don't have a clue how something like that would be implemented. Tracking you with it would be very obfuscated if it changed every day, or even every few minutes.
Another IP address to add to my list
The privacy concerns you are talking about are embedding MAC addresses into your IPv6 address, something that's entirely optional. There aren't any privacy concerns with IPv6.
That was my first post ever, and this is my second!
Have you flamed SpanishInquisition t
Prozac?
Have you flamed SpanishInquisition t