Slashdot Mirror


Where's All The Outrage About The IPv6 Privacy?

SyntheticTruth writes "It seems the specs for the IPv6 standard use the 48-bit NIC address as part of the unique IP address, which can be used to trace packets back to the user's computer. " The story is asking why people don't seem to care about something which is gonna certainly raise privacy concerns.

259 comments

  1. Re:this guy obviously has a huge chip on his shoul by quadong · · Score: 1

    /12 means that they have a block that includes the last 12 bits of the address. So they can have 2^12 addresses. I'm not sure how you say it: "slash twelve"?

  2. Re:Ignorance of IPv6 is amazing! by quadong · · Score: 1

    I agree, all bold does not help clarify anything, it just makes it hard to read.

  3. ARP by Inoshiro · · Score: 1

    First, I'm not surprised that the only people who seem to be flying off the handle and getting scared about their MAC addresses showing, are those who are not technically knowing. "It's just like that Microsoft DOC thing, show your MAC address! That was bad, so this must be, too!"

    This reminds me of the logic in the Coffee RFC ( http://www.ietf.org/rfc/rfc2324.txt ) : "HTCPCP is based on HTTP. This is because HTTP is everywhere. It could not be so pervasive without being good. Therefore, HTTP is good. "

    Flawed logic.

    On to the technical side:

    Since 2^128 is a ludicrously large number, and since we can get by on 2^64 (another ludicrously large number) of IP addresses, they have simply stuck the MAC address in the remaining bits (my interpretation).

    Why is this not a problem?

    You can always find someone's MAC address if you use an ARP request across an IPv4 network.. Heck, it's how IP works! You need a static address (like the MAC addresses), and you need a logical address (like the IP addresses). There's even a higher abstraction, that of the domain name.

    Why is this good?

    By including the MAC addresses in the header, you can (hopefully) reduce a bit of router load, make transport of packets easier and more logical from the code side, reduce the incidences of packet spoofing (maybe). This is very different from a "machine fingerprint" that is stuck in say an MS Word document. How so? There's no need for a document to have an ID that tracks back to the computer that made it, while there is a very logical reason for network cards to have MAC addresses. Have any of you read the IEEE specs for Ethernet packet transmissions? Yes, MAC addresses have been "visible" for a long time already. It's how networking works.

    Now, I don't think dialup people will be affected, as they are networked a different way (ie: not via MAC addresses). The same holds true for ATM and ISDN (which use different underlying network designs).

    Conclusion:

    This is as much a privacy concern, as your own licence plate number is. "Oh, no! They can track where I drive, where I shop, what movies I see, whose houses I visit!!" ... Maybe, but you still have a licence plate on your car, and your network cards still have MAC addresses. If it bothers you so much, switch to ARCnet, or use dialup only.

    --
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
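
How the 48-bit MAC ends up in the address, and how it can be read back out, as an added example that is not part of any post in this thread. It follows the modified EUI-64 construction (0xfffe inserted between the OUI and device halves, universal/local bit inverted); the MAC is the one quoted in a later post, the 2001:db8::/32 prefix is the documentation prefix, and the function names are my own.

```python
"""Modified EUI-64 interface identifiers: MAC -> IPv6 address and back."""
import ipaddress


def parse_mac(mac: str) -> bytes:
    """Accept 00:a0:f9:00:99:89 or 00-a0-f9-00-99-89 and return the 6 raw octets."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def mac_to_iid(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier.

    0xfffe is inserted between the OUI and the device half, and the
    universal/local bit (0x02 of the first octet) is inverted, so a
    burned-in address ends up with that bit set.
    """
    o = parse_mac(mac)
    return bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:6]


def address_from_mac(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the interface identifier derived from mac."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    packed = net.network_address.packed[:8] + mac_to_iid(mac)
    return ipaddress.IPv6Address(packed).compressed


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 derived address, or None when the
    interface identifier does not carry the 0xfffe marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    o = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in o)


def same_interface(addr_a: str, addr_b: str) -> bool:
    """True when two addresses share the low 64 bits, i.e. the same NIC
    seen behind two different prefixes (the tracking property at issue)."""
    a = ipaddress.IPv6Address(addr_a).packed[8:]
    b = ipaddress.IPv6Address(addr_b).packed[8:]
    return a == b


if __name__ == "__main__":
    mac = "00:a0:f9:00:99:89"          # MAC quoted elsewhere in this thread
    home = address_from_mac("fe80::/64", mac)
    away = address_from_mac("2001:db8:1:2::/64", mac)   # documentation prefix
    print(home, away, same_interface(home, away), mac_from_address(away))
```

The low 64 bits stay identical wherever the machine is plugged in, which is exactly what makes the address usable as a long-lived identifier; any observer who sees the address also gets the MAC, and with it the card vendor's OUI.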
  4. Re:IPv6 and privacy by R.+Anthony · · Score: 1
    What's to prevent Government Agents from Seizing ISP records that link their client bases' MAC address & Billing/personal information? This is already possible under provisions of the National Security Act, which supersedes laws requiring warrants prior to search and seizure.

    If your MAC address is embedded in your IP number, and the Domain name of your IP address is also embedded in your IP address, how could it be any easier to trace you?

    For all you AC posters, how bout same agents seizing all the sys logs of /. which_already_record your IP address.

    - mourning the late great 4th Amendment.

  5. Re:Oh, the horror! by Anonymous Coward · · Score: 0

    actually, you can change the MAC address of your powermac...just stick a new resource into your enet driver. How about that?

  6. Traceability of IP Addresses by tqbf · · Score: 1

    IPv4 addresses have no accountability because they aren't authenticated. While it is possible to "trace" an IP address to its source in real-time in some circumstances, doing so is nowhere nearly as simple as you're making it out to be.

    The obvious issue here is address spoofing, since nothing prevents an attacker from sending out a packet with an arbitrary source address. While there are issues with doing "full duplex" spoofed transactions (the Internet will normally route the responses back to their true source), this is not an unsolvable technical problem.

    There has been work done in the recent past to facilitate traceability of unauthenticated IP packets. The insight is that you can trust the routers (at some level in the routing hierarchy). The routers can identify and cache the interface on which each distinct IP address arrives. You then just need a recursive query protocol to trace the address backwards hop-by-hop until you get a reasonable approximation of where the address entered the system.

    But if the point that you're making is that the privacy impact of IPv6 address assignment schemes is irrelevant because you have no privacy NOW, I agree wholeheartedly. Anonymous forwarding/proxy systems are the way to go; the amount of work it takes to make a truly anonymous network is significant, and neither IPv4 nor IPv6 does anything to address that.
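
The hop-by-hop traceback tqbf sketches, as an added simulation that is not part of the post: each router records which neighbour every claimed source address arrived from, and the query walks those records upstream from the victim's edge router until it reaches a host attachment. The topology, host names and addresses are constructed for the example; real routers would key the cache on ingress interface rather than neighbour name, and the address belonging to a real host shows the ambiguity that remains.

```python
"""Traceback of unauthenticated packets via per-router ingress caches."""


class Router:
    def __init__(self, name: str, routes: dict):
        self.name = name
        self.routes = routes   # destination host -> next hop (router name, or the host itself)
        self.seen = {}         # claimed source address -> set of neighbours it arrived from


class Network:
    def __init__(self):
        self.routers = {}
        self.edge = {}         # host -> router it is plugged into

    def add_router(self, name: str, routes: dict):
        self.routers[name] = Router(name, routes)

    def attach(self, host: str, router: str):
        self.edge[host] = router

    def send(self, from_host: str, claimed_src: str, dst_host: str):
        """Forward one packet hop by hop; every router notes where it came in.
        The source address is whatever the sender wrote; nothing checks it."""
        prev, router = from_host, self.routers[self.edge[from_host]]
        path = []
        while True:
            router.seen.setdefault(claimed_src, set()).add(prev)
            path.append(router.name)
            nxt = router.routes[dst_host]
            if nxt == dst_host:
                return path
            prev, router = router.name, self.routers[nxt]

    def traceback(self, victim: str, src_addr: str):
        """Recursive query: start at the victim's edge router and follow the
        cached ingress neighbours upstream. Returns every host attachment
        from which packets bearing src_addr entered the network."""
        entry_points, visited = set(), set()

        def walk(rname):
            if rname in visited:
                return
            visited.add(rname)
            for prev in self.routers[rname].seen.get(src_addr, ()):
                if prev in self.routers:
                    walk(prev)
                else:
                    entry_points.add(prev)

        walk(self.edge[victim])
        return entry_points


def build_demo() -> Network:
    """Constructed topology: attacker-R1-R2-R4-victim, with alice on R3-R2."""
    net = Network()
    net.add_router("R1", {"victim": "R2"})
    net.add_router("R2", {"victim": "R4"})
    net.add_router("R3", {"victim": "R2"})
    net.add_router("R4", {"victim": "victim"})
    for host, router in [("attacker", "R1"), ("alice", "R3"), ("victim", "R4")]:
        net.attach(host, router)
    return net


def demo():
    net = build_demo()
    net.send("alice", "10.0.3.5", "victim")        # honest traffic from alice
    net.send("attacker", "10.0.3.5", "victim")     # forged to look like alice
    net.send("attacker", "192.0.2.77", "victim")   # forged to an unrelated address
    return net.traceback("victim", "10.0.3.5"), net.traceback("victim", "192.0.2.77")


if __name__ == "__main__":
    print(demo())   # ({'alice', 'attacker'}, {'attacker'})
```

The spoofed packet is traced to the attacker's attachment point even though its source field says otherwise; the price is that a forged address which also belongs to a real host yields two entry points, and the routers' caches have to be trusted and still populated when the query runs.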

  7. Re:Let me place your foot in your mouth by soellman · · Score: 1

    Well, now I don't run Linux all the time anymore, but I'm not sure it can't be compiled into the kernel. MAC addressing is an integral part of ethernet, so at some level your machine knows the hardware addresses of all the machines on the local network that it's talked to recently. Try pinging yourself and then do an arp.

    But let me just say I don't know for certain, but it really seems to me that you don't know that you don't know. Got that?

    why can't we all just get along, d00d?

    cheers,
    -o

  8. That's how @home is... by Anonymous Coward · · Score: 0

    With cox@home service, if you reset the cable modem, it will 'learn' the new ethernet address. I swapped ethernet cards on it 3 times; just pushed the reset button on the back of the cable modem, and it worked again.

    I have DSL now; my ISP demanded to know what my ethernet card address was, but just to see if it really mattered, I changed it and everything still worked fine.

  9. Re:Let me place your foot in your mouth by koax · · Score: 1

    arp has to be run as superuser.

  10. Re:Let me place your foot in your mouth by Craig+Davison · · Score: 1

    arp has to be, and always is, in your kernel if you use IP networking.

    you're probably thinking of rarp.

  11. Re:Let me place your foot in your mouth by Anonymous Coward · · Score: 0

    I dont even have a /proc

  12. Privacy Issue? by Anonymous Coward · · Score: 0

    Surely when you agree to undertake a connection agreement with a company the operative word is agreement. You enter into an arrangement with your provider in exchange for certain "considerations" from yourself. If one of those is the fact that you have to have a traceable address, so what? Mind you ... I am looking forward to the day when the privacy lobby gets around to the issue of credit cards, I am looking forward to my anonymous AMEX, after all they know exactly where I have been spending all my money!

  13. Street address by Mr+Z · · Score: 1

    The school I went to used to use room-number as your address. Privacy concerns led to them switching to a mix-and-match DHCP randomization that decoupled names from rooms. Although annoying, it was probably a good thing.

    --Joe
    --
  14. MAC Addresses - where they come from by Dave+Fiddes · · Score: 3

    MAC addresses are handed out by the IEEE. They will give you a block of 24 bits of address space for around US$1500.

    Like IP addresses there is an area in the address space set aside for private use. It is possible, if not entirely sane, to reconfigure an entire LAN... Don't laugh, I've heard of people doing this! I can't remember the rules off hand though... ;)

    Modifying MAC addresses is really simple no matter what age of NIC you have. Most NICs store their MAC address in a small lump of EEPROM; on older cards this is just plain old PROM.

    When a driver starts up it gets the ethernet address from the PROM and loads it into a set of station address registers in the NIC. There is no obligation for the driver to load the address it gets from EEPROM or even for there to be an EEPROM! This feature is regularly exploited by embedded systems with ethernet which store the MAC address in FLASH or some other multi-use NV storage to save money.

    What I'm getting at is that it would be really, really easy (if Linux doesn't do it already) to allow users to specify a new ethernet MAC address if they felt paranoid. Given the ratio of address space to LAN size you could even produce random MAC addresses at startup if you were paranoid enough.... Of course there are smarter mechanisms for doing this as other posters have pointed out.

    If anyone has a burning desire to have a very small amount of official ethernet address space then drop me a line and I'll see what I can do (HW manufacturers only!)

    1. Re:MAC Addresses - where they come from by w3woody · · Score: 1

      I do know on the Macintosh, you can set a 48-bit resource in the System file with a new MAC address--if the resource is present, that address, and not the one stored on the EPROM on the motherboard of the Mac, will be used as the card's MAC address.

      (Forgot which resource that is--don't have the docs in front of me...)
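
Generating a random MAC at startup, as Dave Fiddes suggests, together with the birthday bound for the collision risk he is weighing against LAN size, as an added example that is not from the post. The bit positions are the IEEE 802 ones (0x01 of the first octet marks a group address, 0x02 a locally administered one); the host counts are made up.

```python
"""Random locally administered MAC addresses and their collision probability."""
import math
import secrets


def random_local_mac() -> str:
    """48 random bits with the locally administered bit set and the group bit
    clear, so the result never lands in a vendor OUI block and is always a
    valid unicast source address."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def first_octet(mac: str) -> int:
    return int(mac.split(":")[0], 16)


def is_locally_administered(mac: str) -> bool:
    return first_octet(mac) & 0x02 != 0


def is_unicast(mac: str) -> bool:
    return first_octet(mac) & 0x01 == 0


def collision_probability(hosts: int, free_bits: int = 46) -> float:
    """Birthday bound: probability that at least two of `hosts` independently
    drawn addresses coincide. Two of the 48 bits are fixed flags, leaving 46."""
    space = 2.0 ** free_bits
    return -math.expm1(-hosts * (hosts - 1) / (2.0 * space))


if __name__ == "__main__":
    print(random_local_mac())
    for n in (50, 10_000, 1_000_000):          # constructed LAN sizes
        print(f"{n:>9} hosts: P(collision) = {collision_probability(n):.2e}")
```

Even a million hosts drawing addresses independently collide with probability well under one percent, which is why a per-boot random MAC is a reasonable trade on a LAN; what it does not change is that the current address is still visible to everyone on the segment, and to any ISP or gateway that has it on file.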

  15. Re:I'll give you $10 million if you can find me! by davek · · Score: 1
    point. but the biggest problem is what if someone was looking for you? What if the FBI had caught wind that you were planning to bomb the white house and they saw that you were reading alt.explosives 20 times a day?

    -davek

    --
    6th Street Radio @ddombrowsky
  16. Re:It doesn't matter! (Real world example of why) by Anonymous Coward · · Score: 0

    What's funny is when I send a fake scan from your dns servers, wins server, pdc/bdc, smtp/imap, kdc, your favorite irc server, and other fun hosts, and watch you 'automically' drop my route. (I had a lot of fun with someone who did this the other week. ) "Huh?"

  17. Re:Toasters by Anonymous Coward · · Score: 1

    Isn't more than 256 routers in your home to get to your toaster a bit much? :)

  18. Re:Question.. by aenea · · Score: 1

    If I remember correctly, you, the IP consumer, only get about 64 bits to play with. The first half of the addresses goes to identifying packet types and providers and stuff. You can't just choose a random 128 bit number and expect it to work.

  19. Re:Oh, the horror! by Anonymous Coward · · Score: 1

    Ethernet cards are cheap, yes. Software to change the mac address without changing ethernet cards is free. This is a non-issue.

  20. Re:Not an issue by Anonymous Coward · · Score: 0

    Yes. It will have to be DECnet-V though. And guess how DECNET-V addresses are assigned?

    You take your MAC address, and add a prefix from the nearest router...

    Gee, looks like DEC have been infiltrated as well!

  21. Wouldn't this break filtering network switches? by Anonymous Coward · · Score: 1
    Anybody thought about the possible implications of IPv6 and smart "filtering" switches?

    A switch is a smart hub that only forwards the packets to the connector where the destination sits, rather than broadcasting it to all connectors like a dumb hub would do.

    Now, how does the switch find out where which computers are connected? Easy: it looks at the originating MAC addresses of the packets that come in through the various ports. For example if a packet signed with the MAC address 01:02:03:04:05:06 came in on connector 7, the switch would know that the computer with that address sits at that connector. If later on the switch got a packet intended for 01:02:03:04:05:06, it would know that it should forward it to connector 7.

    However, obviously this only works if the first communication comes from the machine, rather than going to it. Fortunately, for IPv4, this is always the case. Indeed, suppose that the machine at 10.0.0.1 wants to talk to 10.0.0.2. Before being able to open the connection, 10.0.0.1 must find out the MAC address of 10.0.0.2. It can find this out using the ARP protocol. This protocol basically consists of sending out an ethernet broadcast packet asking "who has 10.0.0.2". As it is a broadcast packet, the switch sends it out to all its ports. When 10.0.0.2 gets the ARP request, it replies "I have 10.0.0.2" to 10.0.0.1. 10.0.0.1 now just needs to cull out the originating MAC address out of the packet and it is set.
    However, in addition to this, the ARP reply also passed through the switch, which dutifully noted at which connector that MAC address sat. The beauty of all this is that it works without the hosts needing to know that it happens, and without the switch needing to know anything about TCP/IP.

    Now, with IPv6, things change a bit: in order to find out the MAC address of your peer, you no longer need to send out ARP requests: you can just cull out the lower order bits of the IP address, and you're set. But the network switch now no longer knows to which port the packets should be forwarded, and we might see lots of interesting failure modes...
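
What a learning switch does with the frames described above, as an added example that is not from the post: a MAC is learned only from the source field of incoming frames, a known destination goes out one port, and a broadcast or a destination the switch has never seen as a source is flooded out every port except the ingress one. The port numbers and the second station's MAC are constructed; the first MAC is the one the post uses.

```python
"""A learning switch: forward by destination MAC once learned, flood otherwise."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}      # source MAC -> port it was last seen on
        self.log = []        # (ingress, src, dst, egress ports) per frame

    def receive(self, ingress: int, src: str, dst: str):
        """Handle one frame and return the list of ports it is sent out on."""
        self.table[src] = ingress               # learn from the source address only
        if dst == BROADCAST or dst not in self.table:
            out = [p for p in self.ports if p != ingress]   # flood
        elif self.table[dst] == ingress:
            out = []                            # destination is behind the ingress port
        else:
            out = [self.table[dst]]             # known destination: one port
        self.log.append((ingress, src, dst, tuple(out)))
        return out


A = "01:02:03:04:05:06"     # station on port 7, as in the post
B = "0a:0b:0c:0d:0e:0f"     # constructed: station on port 2


def arp_exchange(sw: Switch):
    """The IPv4 case: broadcast request, unicast reply, then data."""
    req = sw.receive(7, A, BROADCAST)   # "who has 10.0.0.2?" is flooded
    rep = sw.receive(2, B, A)           # reply; A is already known, B is learned now
    data = sw.receive(7, A, B)          # unicast data goes to port 2 only
    return req, rep, data


def unknown_unicast(sw: Switch):
    """A frame to a MAC the switch has never seen as a source: flooded, not dropped.
    The first reply from that station then populates the table."""
    return sw.receive(7, A, "00:a0:f9:00:99:89")


if __name__ == "__main__":
    sw = Switch(range(1, 9))
    print(arp_exchange(sw))                  # ([1..6, 8], [7], [2])
    print(unknown_unicast(Switch(range(1, 9))))
```

The table is keyed purely on what the switch observes at layer two, so a station whose address was never learned costs a flood of the first frame rather than a failure; the same flood is what lets a sniffer on any other port see that first frame.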

  22. Re:So what? by Tet · · Score: 2
    Sun SparcStations hold their MAC address in a NVRAM

    Yes, they do, which is wrong -- what happens when you have multiple network cards in a machine? The answer is that Sun violates the standards, and has a MAC address per machine rather than per card...

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  23. Re:Not nightmare - or security hole (for linux use by Anonymous Coward · · Score: 1

    Assuming, of course, that you wanted layers two and three to have exactly the same properties, or you wanted to buy every ethernet-capable device on your LAN from the same vendor. And even that doesn't guarantee anything - here at 3Com, every time we buy a new company, we get a whole new range of MAC addresses.

  24. Re:Why hasn't this been a big deal? by Anonymous Coward · · Score: 0

    it's for autoconfiguration, and it's harmless. EUI-64 is a good thing. Read the RFCs before spouting ...

  25. Re:So what? by vr · · Score: 2

    However, since you can't really modify MACs, it could be as evidence in court to show who you are.

    AFAIK you can modify the MAC on your ethernet card just by fiddling around with some jumpers..

  26. Re:Let me place your foot in your mouth by orabidoo · · Score: 1

    sure, you can open TCP/IP connections. you can't use path MTU discovery though, so your connections are going to suck.

  27. Re:Even in windoze by plague3106 · · Score: 1

    Little off the subject, but i was told when i got my cable modem if i changed ethernet cards to reset the cable modem, then it would forget the MAC address and get it again.

  28. Re:Let me place your foot in your mouth by orabidoo · · Score: 1
    wrong.

    $ arp
    Address   HWtype  HWaddress          Flags Mask  Iface
    bingo     ether   00:A0:F9:00:99:89  C           eth0
    $ ls -al =arp
    -rwxr-xr-x 1 root root 29000 Mar 25 1999 /sbin/arp*

    damn, now you know my router's MAC address. now every spook and hacker out there is going to trace me!! *runs screaming*

  29. no more cookies by twl · · Score: 2

    makes doubleclick's job easier i guess

  30. Re:This is kinda quiet... by Anonymous Coward · · Score: 0

    let's think about this for .25 seconds.
    The most hops I've seen in traceroutes is something near 25 to weird 3rd world countries. So assume in order to increase average numbers of hops to 3 times that, or 75, there would have to be a network of the complexity of the current internet inbetween each person and their ISP. Now imagine this new global network. It's really fucking complex. Now do this exercise over. We now have 225 hops to just about anywhere, with an incredibly complex network for the backbone and an incredibly complex network between you and your ISP. I don't think this would happen even with IPv6... the infrastructure necessary to have more than 256 hops between two computers on the internet would cost an incredible amount of money, and that's just not going to happen for at least a few decades. By then, who cares if we need a new protocol? IPv6 will be dead by 2030. Hell, whatever internet we have by then will probably use genetic algorithms to evolve both layer2 and layer3 protocols in realtime to most efficiently carry traffic and interface with other protocols.

  31. Different possibilities.... by fluffhead · · Score: 2

    1. Linux and BSD gurus know this will all be easily spoofed. That plus multi-homing (multiple IP addresses on a single physical NIC) tends to mitigate fears.
    2. Windozers and Mac-heads don't know or care about the nitty gritty. Just insert AOL disk here...
    3. By the time IPv6 gets widely implemented on client machines we will all be part of the Borg collective anyway....
    --
    #include "disclaim.h"
    "All the best people in life seem to like LINUX." - Steve Wozniak
    1. Re:Different possibilities.... by fluffhead · · Score: 1

      IT'S A JOKE!!!! Believe me, I am not trying to start a flamewar (did you read #3?). Just FYI, I used to work at Apple Tech Support, have supported NT/95/98 (gag), and am now a UNIX sysadmin (Solaris, SunOS, AIX, DG/UX, HP/UX, and Linux (yippee)). All this in the last 5 years. Generalized enough for ya? ;-) P.S. I did quote the Woz in my sig, didn't I?

      Seriously, I know #2 is a sweeping generalization, but first Apple and then M$ have been marketed more and more to the "average" person who is not supposed to be intelligent enough to RTFM, much less want/need access to command lines or *gasp* source code. I couldn't be more thrilled if Macs all came with MacsBug and ResEdit pre-installed, hell even throw in MPW since it's free nowadays; I know AppleScript is a good thing, but is often not enough. Same goes for windoze, if a REAL POSIX environment (a la Interix OpenNT, which M$ just bought out, I believe) and C compiler (e.g. Cygnus) were standard on NT, then it would be a lot less reviled by many. But Linux and BSD would still trump all by virtue of being truly OPEN and FREE.

      --
      #include "disclaim.h"
      "All the best people in life seem to like LINUX." - Steve Wozniak
    2. Re:Different possibilities.... by pjwhite · · Score: 1

      Doesn't really seem to be a problem. I'm sure people with NICs will find ways around this, putting in dummy or random numbers. Many people don't even have a NIC -- how will those bits be assigned when someone uses PPP thru a modem?

    3. Re:Different possibilities.... by Axe · · Score: 1

      Yeah, and your gateway just stops working - it has to know your MAC in advance (did sysadmin ever ask you about it when hooking you up to the network?)

      --
      <^>_<(ô ô)>_<^>
    4. Re:Different possibilities.... by horape · · Score: 1

      Yeah, and your gateway just stops working - it has to know your MAC in advance (did sysadmin ever ask you about it when hooking you up to the network?)
      Nope, the EUI-64 part of the address isn't used for routing, but for autoconfiguration.

    5. Re:Different possibilities.... by HeghmoH · · Score: 2

      2. Windozers and Mac-heads don't know or care about the nitty gritty. Just insert AOL disk here...

      You probably ought not to make such sweeping generalizations, lest this particular Mac-head start making sweeping generalizations going the other way. I both know and care about the nitty gritty.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  32. Re:So what? by orabidoo · · Score: 2

    as has been pointed out, with most modern NICs, you *can* modify your MAC address. there isn't much point in it (replace one arbitrary number with another), but if you're paranoid enough you might want to automate the system to pick a new random one at every boot, or something like that.

  33. Inefficient by mindstrm · · Score: 1

    Though I can see reasons why you would want to do this... and though I haven't really thought about it for more than 20 seconds, doing a direct correlation between MAC addresses and the actual IPv6 address (or at least the low-order end of it) would seem to defeat the purpose of having that many extra bits in the first place.
    A company certainly doesn't need 24 bits of address space just because they have a few hundred machines.

  34. So what? by Overt+Coward · · Score: 5
    A MAC address is no different in terms of privacy than an IP address. Either can be changed (though people with dynamic IP addresses change their IP address many times more often than they change MAC addresses, if ever). There is no central registry of MAC addresses.

    All this does is tie a number that is meaningless to the rest of the world to your IP address. Your IP address already exposes you far more than your MAC address would. The only exception I can see off the top of my head are people who trust a proxy/firewall to protect their identities.


    --

    1. Re:So what? by orabidoo · · Score: 1

      it sounds like a major overkill effort to me. within an organization, even large, you can be confident enough that no two random 48-bit numbers will conflict.

    2. Re:So what? by Anonymous Coward · · Score: 0

      Simply tell NVRAM to use the MAC on the card instead. Sun has it on both, so if you have your multiple NICs on same subnet or against same switch no problems, just set a switch in the Boot Prom.

    3. Re:So what? by SoftwareJanitor · · Score: 2

      The answer is that Sun violates the standards, and has a MAC address per machine rather than per card...

      The answer is you are wrong. The NVRAM stores the MAC address for the built in Ethernet on SparcStations. If you have additional Ethernet interfaces (usually on SBus cards), they have their own MAC number that is settable separately. People who have multiple Ethernet cards on Sparcs (which is not uncommon) in combination with certain other sorts of hardware, would have serious problems on their networks if this wasn't the case.

    4. Re:So what? by Tack · · Score: 1

      s/physical/datalink/g

    5. Re:So what? by X · · Score: 1

      Oh so true... Apologies.

      --
      sigs are a waste of space
    6. Re:So what? by jonathanclark · · Score: 5

      I thought I read that MAC addresses are centrally dispatched (by who?) in large blocks to card producers. So they only thing you could probably do is determine what company makes the ethernet card at the other end. There is no way the card companies could trace a particular card to you unless you bought it directly from them.

      However, since you can't really modify MACs, it could be as evidence in court to show who you are. With IPs this is a little harder to do because of the dial-up banks and ISPs are not required by law to keep logs (right?) The use of proxies shouldn't be any different from v4 to v6 because the proxy is not going to reveal your MAC, only its.


    7. Re:So what? by Axe · · Score: 2

      Redundant - no, you can not do that on the fly: your local network uses it often.
      My ISP (sort of a DSL, LAN over phone within aparment complex) checks for it - stops working if I swap a NIC. My office LAN gateway same way - there are reasons not to allow for easy MAC changing on a LAN.

      --
      <^>_<(ô ô)>_<^>
    8. Re:So what? by SoftwareJanitor · · Score: 3

      However, since you can't really modify MACs

      Not on devices that ROM it... However, for example, Sun SparcStations (of which I own 3), hold their MAC address in a NVRAM (battery backed CMOS static RAM), which is quite readily modifiable (at least the last 32 bits or so of it is).

      I am sure that SparcStations aren't the only networking devices where the MAC address is so easily changed. Even in cases where it is ROMed, there are ways to reprogram EPROMs or burn replacement PROMs for most types of components if they are suitably socketed.

    9. Re:So what? by toast0 · · Score: 1

      actually, you can modify MACs, some network card drivers for windows have the functionality built right in, and at least for my cheapo $10 ne2k i was able to make some quickie changes to ne.c and have a different MAC (cable modem service was tuned to the nic in my windows pc, and i wanted to have a linux firewall and the nic wouldn't work in the fw box (was a pci nic, and the fw is pre pci))

      i imagine if i was any good at kernel hacking i could make an extra parameter to ne.c that let me specify what MAC i want the card to have, rather than hardcoding it in the source.

      (contact me if you want to know what i did where)

    10. Re:So what? by QuMa · · Score: 2

      Actually, you can just give mac as a param for ifconfig.

    11. Re:So what? by toast0 · · Score: 1

      Ahh, i knew there was an easier way to do that

      oh well, reinventing the wheel never hurt (too much)

    12. Re:So what? by Schnedt · · Score: 2

      MAC addresses are supposed to be unique to each individual Ethernet card in the world. That is the reason for a central body who assign blocks of addresses. That also means that you in effect own the number on any NIC that you have in your possession. All those old 8-bit ISA etherlink cards have a number assigned to them that you can somewhat righteously recycle for your use if you're building ethernet hardware.

      Recently on one of the Embedded programming newsgroups someone handed out blocks of NIC addresses to anybody who wanted some. Since it's a 'commodity' that is hard to come by, and I have plans in the future, I requested a block. What with IPV6 it now looks like maybe I OWN a block of IP addresses, when it goes into effect.

      The reason for globally unique MAC addresses is so that hardware address conflicts are rendered impossible on any network anywhere. Reprogramming two NICs within a single institution (or household, or personal lab) is a rather foolish idea, and negates a numbering scheme that otherwise prevents address conflicts from occurring anywhere, at any time.

      It better not be my numbers you've grabbed. heheh.

    13. Re:So what? by Bitscape · · Score: 1

      Reprogramming two NICs within a single institution (or household, or personal lab) is a rather foolish idea

      Generally, I would agree, but at my old college, it might have had a use. See, their dorm hubs were configured to record the MAC addresses of PC's which connected. Once your address was registered, it would lock you out if you connected using any hardware bearing a different address.

      Unfortunately, that meant that swapping around PC's and parts between dorm-mates (a somewhat common practice among the geeks) was a no-no, as you had to go through a big bureaucratic mess to get the ports reset. Setting NICs to the same address would fool the hubs and you could happily continue computing without problems (assuming you don't try to internetwork two PC's bearing the same address to each other by accident).

    14. Re:So what? by X · · Score: 1

      There are, in fact, a lot of reasons why one would want to assign MAC addresses to cards, and to even assign duplicate MAC addresses to cards. In fact, the project I'm on has exactly this setup.

      Most ring-topology networks have ways of resolving the dual-MAC address situation just fine. Also, using the term "hardware address conflicts" is misleading. Actually what you're having is a "physical layer" namespace conflict.... and depending on how the physical layer works, it may not be a conflict at all.

      In fact, there is no need to have a globally unique address even at the physical layer. It's quite possible for the physical layer network to handle uniquely assigning local ID's through local elections. Globally unique physical ID's are not necessary.

      --
      sigs are a waste of space
    15. Re:So what? by Hedonistic+BOFH · · Score: 1


      [root@hostname /]# ifconfig eth0 hw ether 00:00:70:00:00:01

      There... your NIC is identified as (If I recall the blocks correctly) the first network device cisco ever produced. Your MAC is as meaningless/meaningful as your IP. Just another convention to uniquely identify your computer to the network.

  35. Re:Ummm by mischief · · Score: 1

    why was that offtopic? looks like I'm missing more than one thing today.

    --

    --
    Everything I know in life I learnt from .sigs
  36. Possible reasons why people don't care by toast0 · · Score: 3

    Modems don't have MAC(/ARP?) addresses anyhow

    MAC addresses are easy to spoof (example, my cable modem service is tied to the MAC address for the pci nic in my win98 box, because that's what they set it up on, but my linux fw box doesn't have a pci slot, so i just made it think that its outside nic had the same MAC address as the pci nic, it works great).

    They don't care because they don't know, this is probably the most likely one.

  37. Re:I think we've all missed a detail. by orabidoo · · Score: 1

    we want more IPs than MAC addresses because we want to embed routing information in IPs. MACs are arbitrary, there's no way in hell you could route that, short of stuffing the whole list of a bazillion assigned MACs into every router and updating it hourly. sounds like fun :)

  38. Re:Let me place your foot in your mouth by PimpSmurf · · Score: 1

    I apologise to all concerned.
    I was in a state of drunken linux stupor.
    still. arp only has to be compiled when ethernet networking is compiled in. I have removed arp from my kernel. used to remove icmp too.

    --
    Stupid people do stupid things... Smart people outsmart each other... --System of a Down
  39. Re:Not much reduced anonymity by Shokwave · · Score: 1

    You have a very good day of knowing who it is.
    EVERY ISP logs connections with at LEAST username logged in at such and such a time and got such and such an address, some even log the source phone number.

    IPV6 specs have been around for a while and many people chatted about this issue, but it is NO different than IPv4, there will always be a way to track it back to source. If it is through a non logging proxy then you know laws will be put in place to say that the owner can be liable for some actions originating from his box unless he can prove it wasn't him. Which means logs

    --


    I love you... Ok I love you AND the UNIX operating system, but then I've know it longer.
  40. NIC MAC addresses by TAiNiUM · · Score: 1

    I have seen a number of ISPs that are already doing things similar to this. Off the top of my head the only one i can think of is the Canadian ISP bconnected.net. They assign NIC MAC address to the hostnames of their cable modem subscribers. so an IP of 209.53.*.* may resolve to the hostname 00-4c-ec-2b-2d-00.bconnected.net.


    Luckily my ISP doesn't do this, I would immediately find a new provider.

    It's all downhill from here

    1. Re:NIC MAC addresses by starslab · · Score: 1

      Ah, the AC speaks out against anything that isn't done his way. You'll have to excuse me if I don't give a shit how you spamproof your email. Use whatever works, and don't slam other solutions because they work for other people.

      Let me guess, you're also one of these rabid, foaming at the mouth Linux zealots?

      "Binaries may die but source code lives forever"
      -- Unknown

      SkyHawk
      Andrew Fremantle

    2. Re:NIC MAC addresses by Anonymous Coward · · Score: 0

      Well, my student dorm network assigns a hostname which is my STREET ADDRESS!!!! The conversations on the Intranet forums tend to be very... eh... controlled, since anyone who knows your IP can literally throw a stone through your window!

      (But it's ultra-god-fast and free, so who gives a shit :-)

    3. Re:NIC MAC addresses by Fastolfe · · Score: 1

      Luckily my ISP doesn't do this, I would immediately find a new provider.

      How is this in ANY way remotely different from the normal non-MAC-based static IP addresses providers assign?

      The benefits on the other hand (immediate identification of an abusive customer by way of the MAC address included right there in the complaint) are obvious.

      I fail to see in the least why this would be considered a privacy matter (over existing static-IP address systems).

      Please explain.

    4. Re:NIC MAC addresses by mmontour · · Score: 1

      00-4c-ec-2b-2d-00.bconnected.net

      That's ADSL in Vancouver BC, not cable. The way it works is, when you get an address assigned by DHCP, their server sets up this MAC-based hostname mapped to your IP address. You are then supposed to log in to a special SSL web page with your userid and password. Once you do this, a static hostname (in the format "userid"."ISP".bconnected.net) is assigned to your IP address. So, when the system is operating properly, the MAC-based hostname will not be exported to the world at large.

      Happily, one provider is now offering static IP addresses with ADSL, so in a few weeks I will be able to ditch their kludged DHCP system. Yay!

    5. Re:NIC MAC addresses by Anonymous Coward · · Score: 0

      Hey starslab@yahoo.com, that's what the ".invalid" TLD is for. Idiot.

    6. Re:NIC MAC addresses by starslab · · Score: 1

      I'm one of those subscribers, and they're not Cable. They're ADSL, provided by the local incumbent, BCT.Telus. As soon as I catch wind of some kind of repository of Ethernet addresses, maybe I'll be upset. In the meantime, someone can tell my NT box is using a 3Com ethernet card; they MIGHT even be able to tell it's using an ISA 3c509b ethernet card.

      BFD.

      They can tell my FreeBSD box is using a crummy NE/2000 clone. Probably not even that much, probably just that my card comes from a crummy manufacturer who only makes crummy NE/2000 compat ethernet cards :). Again.

      BFD.

      "Binaries may die but source code lives forever"
      -- Unknown

      SkyHawk
      Andrew Fremantle

  41. MAC? by sklib · · Score: 1

    I don't need to worry about this MAC thing, right? I have a PC instead :)
    Tee Hee

    --
    -S
  42. Why hasn't this been a big deal? by pridkett · · Score: 3

    The reason why this hasn't been that huge of a deal yet is because most people don't view that information as part of the address, or because most people didn't know.

    I, for one, don't see how such information is going to help route packets that much. Other than allowing EVERY ETHERNIC ON EARTH TO BE ON THE SAME SUBNET. Do we really need this? There really isn't a purpose to that.

    Secondly, people only get really angry when they see something in use. Like the P3 security thing people knew about beforehand but didn't get pissed about till afterwards. Same thing with the win98 big brother thing.

    Of course we could all take the view of Scott McNealy and just realize we have no privacy. I can take your names or email addresses and go buy tons of information from experian for 10 cents a head. I'd probably be more worried about that.

    Besides, just get multiple nics then. You could easily just do something with the one nic, go buy a new one and voila, your info has changed and you can deny you ever had the old one.

    --
    My Slashdot account is old enough to drink...
    1. Re:Why hasn't this been a big deal? by horape · · Score: 1

      I, for one, don't see how such information is going to help route packets that much. Other than allowing EVERY ETHERNIC ON EARTH TO BE ON THE SAME SUBNET. Do we really need this?

      It doesn't help routing. It helps autoconfiguration (prevents IP collisions).

  43. Re:this guy obviously has a huge chip on his shoul by mpe · · Score: 1

    But yeah, I have noticed some very large ranges allocated to companies that can never possibly use them.

    Or who have the vast majority of their network on RFC 1918 addresses (or may as well be using these.)

  44. Re:What's the problem? by Cantor · · Score: 1
    Agreed. Privacy is a good thing, but I haven't read a single comment which was reasonably justified.

    Telephone services are traceable, and there are many services in the field. I may be cynical, but I feel like people consider this a bad thing because after that it's easier to track if they visit porn sites on the web and how often...

    --
    # amo, ergo sum
  45. Re:This is kinda quiet... by Anonymous Coward · · Score: 0

    Yeah, and who needs more than 640K Ram anyway? Just because we can't see it today doesn't mean that it won't happen. A 128-bit IP address feels pretty damn future proof in my imagination. A 256 bit TTL on the other hand is conceivably limiting.

  46. There's nothing wrong with it by rips · · Score: 2

    Sometimes I wonder about the level of hysteria that the slashdot community raises over issues like this.

    I agree privacy must be protected, but that is why IPv6 has end-to-end encryption and connection authentication built in to prevent spoofing and eavesdropping.

    As stated by someone earlier, the reason IPv6 was developed in the first place was to address an address space problem. They have basically blown the problem away by using 128-bit addresses and in the process greatly simplified network configuration by allowing network cards to be routed automatically.

    The major issues I have with privacy over the internet are to do with data integrity and eavesdropping, not with identity. With conventional IPv4 addresses you can be traced back to at the very least the local network you came from. A unique number such as this isn't a means to track everybody; it's a means to simplify routing configuration. For dialup lines I would imagine this address space would contain some other number, making tracking down a particular user just the same as it is today.

    The IETF is doing a great job and has put much more thought into this than most (probably all) of you have, and they deserve some credit, not the blatant disapproval that slashdotters tend to be giving in increasingly larger doses.

    1. Re:There's nothing wrong with it by Anonymous Coward · · Score: 0

      I'll agree that a published MAC is no more dangerous than a static IP, but that in itself is pretty awful.

  47. Re:A card for all seasons. Was-Oh, the horror! by Anonymous Coward · · Score: 0

    I can just picture it now. You're sitting there with 3 NICs on your box that you switch between every few hours just to keep from being identified online. Sure, it could work. I think I'll just get a portmaster and load it up with NICs and run some sort of a splitter so that it automatically switches NICs every couple of minutes or so. Hey, it might work. Yes no?

  48. Running out of MACs? by sklib · · Score: 1

    Will this raise a problem of us running out of MAC space? I'd hate to think so. After all, aren't we going after more address space than we can ever possibly use?
    Besides, if we have a limited number of MACs then it appears that the number of autoconfigurable devices is limited to the number of MACs. That's pretty weird, I'm not sure what's going on. Can somebody inform me?

    --
    -S
  49. Re:this guy obviously has a huge chip on his shoul by nowan · · Score: 1

    Hrm. I assumed this was similar to the notation that (e.g.) nmap uses. In which case it's the number of bits in the network portion. So /8 is class A, /16 is class B, etc. So the larger the number, the smaller the block.

  50. I know why no one cares by Peyna · · Score: 1
    Static IPs for all. That's why. I guess some people are willing to sacrifice privacy for a static IP address; personally, it'd take a little more for me, maybe a T1 to the Internet, and a class A subnetted to a lot of class Cs all registered under different names and addresses, but have my dhcp give me any address on the class A, then they'd never find me. =] Privacy here is a big issue though; this really doesn't seem to be much different from the whole Pentium III issue, except this would be accessible by *anyone*.

    --
    What?
  51. I think he missed the point because..... by lakdjfalkdj · · Score: 1

    Well, with IPv6 and the amount of IP addresses you can assign, I think it will eventually end up being something similar to phone numbers. You got more than 1 PC in the home? It'll be the same as having more than one phone line at home or something similar. Your IP address will be no more private than your phone number is, and therefore your MAC address being private will be pointless. I think your IP address will pretty much become your home address/phone number all rolled into one. You'd figure everyone will eventually have one, since you'll probably have everything coming into your home on one phone line or satellite or whatever. In the future it'll probably become almost impossible to be anonymous on the Internet. I'm sure you could probably do your spoofing of some sort to be "anonymous", but to get anything done in the future I believe you won't be able to get by without giving this information out. Everyone will have some sort of domain name or the like, which will point to your IP addresses. This is obviously speculation, of course, but with xDSL and cable modems assigning us static IP addresses you could almost assume it will become pretty much standard when IPv6 comes into common use.

  52. IPv6 Improves Security by Anonymous Coward · · Score: 0

    What are you complaining about? IPSec means that not only will other computers be able to authenticate your IP address, but that you will be able to negotiate a secure tunnel over the Internet, thereby encrypting all your traffic at the network layer. IPSec also contains many desirable features that help defeat basic cracking attacks (anti-replay, etc). IPSec can be retrofitted to IPv4, but it was devised when the committee was designing security for IPv6. The only people who wouldn't want this sort of security (and privacy) are miserable crackers who won't be able to hide their tracks (so easily).

  53. Lions and tigers and MACs oh my! by jxxx · · Score: 1

    To heap the criticism on a bit more: first, the information included would be redundant if the scheme is as he says. Your ethernet address already contains the maker of the device. Second, going a step beyond buying a new NIC, some ethernet interfaces allow their address to be changed dynamically. DECnet does this. It smashes the top 24 bits if I recall correctly, making them 00:00:00.

  54. Re:Let me place your foot in your mouth by dirty · · Score: 2

    Uhm...Unless I don't remember TCP/IP correctly w/o ICMP you can't open any TCP connection.

    --

    -matt
  55. What is privacy? by panda · · Score: 1

    I know I'm jumping into this a bit late, but this topic raises another question that probably merits a much more detailed and longer response than someone could give you in this forum.

    I've given some thought to the issues surrounding encryption, anonymity and total, open disclosure on the Internet. There doesn't appear to be any clearcut answer regarding any of them. There are times when anonymity is an unmitigated good thing: dissidents in a repressive state sending out information about government atrocities who fear reprisals. There are times when anonymity is a problem: anonymous spam for instance, or the Anonymous Cowards here on Slashdot. :-)

    Encryption can be a blessing (protecting your confidential information) and a curse (what was that key again?). I don't even want to address the issues of law enforcement and crime and encryption because that's too thorny for a few short words. Although, the guy who just forgot his private key and can't decrypt the e-mail telling him where to meet his contact for the rendez-vous is going to wish that he had some trusted third party for key escrow.

    Privacy? That's a big question and it all comes down to what you consider private and what you consider public, and there are probably 6 billion different answers to those questions. Do you really want people to be able to post absolutely anything that they want in total anonymity, or do you want people to have some level of responsibility for what they say in a public forum? The answers are not always as obvious as you might think.

    Personally, I don't care if someone could actually trace all the packets back to my machine. I don't care if they see that I was looking at porno on my home machine at 1:00 A.M. this morning. (Actually, I wasn't. If you did check what was coming into my machine at 1:00 A.M. this morning, you'd find source code for MkLinux streaming in over a remote cvs session.) I'm not doing anything that I would be embarrassed for people to know or that could get me in legal trouble. When I need confidentiality, I use encryption. The Internet and its underlying protocols as currently constituted and as described in IPv6 are inherently open and insecure. You'd be a real fool to do anything on the 'net that you wouldn't do in a public cafe in your home town without some kind of encryption.

    What do I consider an intrusion on my privacy? When I get annoying e-mail spam, or worse, phone spam. E-mail spam, I can just delete it, but phone spam generally eats up a good five minutes of my time while I listen to the initial spiel and then say "No, I make it a rule to never accept unsolicited phone offers, and by the way, remove this number from your list."

    Hmm, well, I've rambled on for long enough. Perhaps, one rainy Saturday when I've got nothing better to do, I'll dig out some on the subject of online privacy and privacy in general, and write up a little piece for the features section on just what privacy is, and how I think it ought to work on public networks.

    --
    Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
  56. I think we've all missed a detail. by cdlu · · Score: 1

    Why on earth do we need more IPs than there are MAC addresses? Isn't that just plain stupid?
    If every MAC address is unique, then why not just roll the hex numbers in your MAC addresses over to decimal and call that your IP? We simply can't have more IPs than MAC addresses, or am I totally wrong?

    1. Re:I think we've all missed a detail. by Xtacy · · Score: 2

      um i don't think dialup users have MAC addresses?

    2. Re:I think we've all missed a detail. by Anonymous Coward · · Score: 1

      If your MAC address was used as your IP address, it would be a routing nightmare.

    3. Re:I think we've all missed a detail. by ppanon · · Score: 2

      Well, the AC reply got moderated down but it is actually correct. Part of the reason for the first half of the IP V6 address is to simplify routing tables in the backbone routers. I believe the first part can effectively be used as a network number and can be used to provide route aggregation mechanisms.

      Also, MAC addresses are unique for a particular medium (i.e. Ethernet). I'm not sure if that's guaranteed across different mediums, i.e. Ethernet vs. Token Ring vs. FDDI (even though you can do layer 2 bridging between these mediums). I haven't looked into what's used as a MAC address equivalent in the various IP over ATM implementations or Cellular IP services, but, if they are a 64-bit value, I doubt that they are guaranteed to not conflict with Ethernet MAC addresses. So yes, you could easily have more IPs than ETHERNET MAC addresses.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    4. Re:I think we've all missed a detail. by Anonymous Coward · · Score: 1

      Having lots of IPs is really useful for routing. It means that you can assign a block of addresses to a particular group of machines that are close in the network topology (for example a campus, or an ISP).

      If all of the addresses in the block share a common prefix, that "aggregate" prefix can be used to set a route to that network. That means that a backbone router's routing table requires one entry per block of IPs, instead of one entry per machine. That's good because it makes for smaller routing tables and fewer routing updates propagated across the entire network.

      Since you want a group to have a set of addresses with a common prefix, and you can't predict in advance exactly how many addresses to assign to any given group, you should always give them more than they need so that they have room to expand.

      This kind of aggregation is what made routing across the internet feasible (in IPv4), and is also the reason for wanting a larger address space in IPv6.

  57. Re:Not nightmare - or security hole (for linux use by Plasmic · · Score: 1

    If your MAC address was used as your IP address, it would be a routing nightmare.

    This statement is absolutely correct. You assume that he's speaking of IPv6, where your MAC address is part of your IP address. What this person is saying is that routing would be a nightmare if the ONLY identification for your computer on a wide-area network was its MAC address (and nothing else). Border routers' routing tables would be just a bit too large, I think.

  58. Crackers Hackers and slackjawed reactionaries by Anonymous Coward · · Score: 0
    Hacker has had long use for a specific subset of geek - the 'push the envelope past the edge and see how far it stretches' variety.

    The crackers whose 'good name' you are trying to maintain are as guilty of computer fraud (1) as the ones for whom you are trying to invent a new name (2). As things currently stand, the hacker/cracker distinction is at least beginning to make inroads with the mainstream media.

    SDSFracture (on the road without my password...)

    (1) Cracking shareware (3) (at all) or removing copy protection for purposes of distributing the software, obviously. Time expenditures to crack shareware could probably be used to make enough money doing actual productive work to both pay for the shareware and snag some nifties (insert amusement of choice here).

    (2) There is another name for these people already. Two of them in fact. Neither get much use because they're more than 1.5 syllables. Computer vandals and computer trespassers.

    (3) I consider the use of a crack after you pull a stupid and manage to lose all of a> the filesystem that you installed the registered software on, b> the printed copy of the reg info, c> the electronic copy of the reg info, and d> the backup of the email you got the reg info in a separate issue entirely (personal experience? nah.... couldn't be)

    1. Re:Crackers Hackers and slackjawed reactionaries by Ferzerp · · Score: 1

      I never said it was a "good name." So what if a group sucks. It still deserves a marginal amount of niceness. Everything does.

  59. Re:this guy obviously has a huge chip on his shoul by dennisp · · Score: 1

    Actually that's false. @home has a /12 in that range. Roadrunner has two /13's. Contintental Cablevision has 4 /16's. A bunch of other cable providers have some smaller ranges. RipeNIC has a /13 as well.

    But yeah, I have noticed some very large ranges allocated to companies that can never possibly use them. example: Ford with 136.1.0.0 - 136.140.0.0.
    ----------

  60. Its not that bad by Anonymous Coward · · Score: 0
    Depending on your ethernet card, your MAC can be changed. Yes, it is built into hardware, and yes you can software override it on most cards.

    Some cards don't allow you to change the manufacturer id, but still, if you change your hardware address regularly the most people will be able to track you on is your eth brand name -- use 3COM and you won't stand out. :)

    There was an issue with this and Compaqs -- we LANed together some of their PCs, and networking didn't work. They all had the same MAC! :p

    -Shaka

    1. Re:Its not that bad by PTrumpet · · Score: 2

      Just to set the record straight about what is reality from someone who has written an IPv6 stack. (Trumpet Winsock 5.0)

      Firstly, IPv6 can actually aid your privacy in that it is now technically possible for you to *choose* your IP address provided you reset the globally unique bit, and use the duplicate address detection mechanism to make sure your traffic will work. The only time duplicates become a problem is when the same address exists in the scope of the network where it matters. i.e. your subnet for an ethernet connection, or the PPP link when you are using dialup.

      It would be technically possible for you to dynamically change the lower 64 bits of your IPv6 address during the life of your connection to the internet, be that ethernet or PPP. There is one proviso in that it is not currently feasible to modify your address for active TCP/UDP connections, so you would need to close all active connections to lose all trace of your older address.

      Given the active discussion that this topic has generated, I am now keen to add a feature to our stack which would build a random EUI-64 address each time the interface is opened. This feature is already in place for PPP connections, and I could also add a button which would force a new address to be built on all interfaces. Of course to pick up the new address, all connections would need to be broken, but it would be a simple matter for the stack to continue using both addresses until the original address is fully deprecated. IPv6 is powerful enough to use as many addresses as you like from your internet node. That is the beauty of stateless autoconfiguration and neighbor discovery.

      I suggest that slashdotters go and read the relevant RFCs *and* Internet Drafts in some detail, and they will realize how powerful IPv6 is and how it will solve many of the issues facing the immediate future of the Internet.

      A good place to start is

      http://playground.sun.com/pub/ipng/html/ipng-main.html
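      The two mechanisms PTrumpet describes (the MAC-derived interface identifier that the thread is worried about, and a random identifier with the global/universal bit cleared) can be checked end to end in a few lines. The following is an added example written for this page, not Trumpet Winsock code; it uses the modified EUI-64 construction (invert the u/l bit, insert ff:fe) and the MAC address quoted earlier in the thread, and the audit function shows exactly what an observer could read back out of such an address.

      ```python
      import ipaddress
      import secrets
      from typing import Optional

      # Universal/local bit in the first octet of a MAC / EUI-64.
      # In a modified EUI-64 interface ID the bit is *inverted*, so 1 means
      # "derived from a globally unique MAC" and 0 means "locally assigned".
      UL_BIT = 0x02


      def mac_to_modified_eui64(mac: str) -> bytes:
          """Build the 8-byte modified EUI-64 interface ID from a 48-bit MAC."""
          octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
          if len(octets) != 6:
              raise ValueError("expected a 48-bit MAC address")
          first = octets[0] ^ UL_BIT                 # invert the u/l bit
          return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


      def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
          """Combine a /64 prefix with the EUI-64 ID, as stateless autoconf does."""
          net = ipaddress.IPv6Network(prefix)
          if net.prefixlen != 64:
              raise ValueError("stateless autoconfiguration needs a /64 prefix")
          iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
          return ipaddress.IPv6Address(int(net.network_address) | iid)


      def random_interface_id() -> bytes:
          """Random 64-bit interface ID with the u/l bit cleared (locally assigned).

          This is the 'reset the globally unique bit' step from the comment
          above; the host then runs duplicate address detection on it.
          """
          iid = bytearray(secrets.token_bytes(8))
          iid[0] &= 0xFF ^ UL_BIT
          return bytes(iid)


      def address_from_iid(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
          net = ipaddress.IPv6Network(prefix)
          return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


      def embedded_mac(addr: str) -> Optional[str]:
          """Privacy audit: return the MAC an address leaks, or None if it leaks none.

          An address is treated as MAC-derived when the interface ID carries the
          ff:fe filler and the (inverted) u/l bit says 'globally unique'.
          """
          iid = ipaddress.IPv6Address(addr).packed[8:]
          if iid[3:5] != b"\xff\xfe" or not (iid[0] & UL_BIT):
              return None
          octets = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:8]
          return ":".join(f"{b:02x}" for b in octets)


      if __name__ == "__main__":
          # Documentation prefix; the MAC is the one quoted in the thread above.
          prefix = "2001:db8:1:2::/64"
          mac = "00:4c:ec:2b:2d:00"

          eui_addr = slaac_address(prefix, mac)
          print("EUI-64 address :", eui_addr)                 # 2001:db8:1:2:24c:ecff:fe2b:2d00
          print("leaks MAC      :", embedded_mac(str(eui_addr)))

          rnd_addr = address_from_iid(prefix, random_interface_id())
          print("random address :", rnd_addr)
          print("leaks MAC      :", embedded_mac(str(rnd_addr)))  # None
      ```
      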

  61. MACs are not static by Tincan · · Score: 1

    My company's version of UNIX allows you to change your MAC through software in a configuration file. I've done it and it actually works. All anyone could do is find out what kind of card you have (by manufacturer). The thing about MACs is that they are more flexible than IPs. If you change your IP to be something completely off the wall, you won't be talking on the network effectively. You can change your MAC to be whatever the heck you want and it won't change how you communicate with other boxes.

  62. An aside by Joe_NoOne · · Score: 1

    Is it me or are journalists pretty heavy with the thesaurus? I mean, why must all articles be written like a novel, instead of like a news article? I mean paragraphs like:

    It's a conundrum that makes one wonder about the motives of the reigning Internet digerati, who spend much of their time assuring us that they are protecting our interests as they quietly arrogate power in the new world order.

    that make me stop reading news. Digerati? Arrogate? Conundrum? Who, other than journalism majors (and by extension PHBs), uses these words? I want plain news. If I want lots of pretty words I would pick up a paperback novel.

    After the multitude of manuals I have to pore over daily in my job, I want to be able to read a quick, concise news article and find out what's going on - not read the ramblings of frustrated novelists whose day job is journalism...

  63. Why there's no uproar... by jimhill · · Score: 1

    Most people have no clue how the net runs. Most people couldn't distinguish an IP address from an IBC root beer -- and that's probably not a bad thing. Thanks to DNS, though, people think that as long as the alphabet holds out we'll be OK. After all, if we can point a browser at www.meatiebeatiebigandbouncythealbum.com and pull up a web page, everything must be OK, right? Right?

    --
    Learn to spell: nickel, missile, lose, solely, amendment, speech, kernel, probably, ridiculous, deity, hierarchy, versus
  64. Since when can you not change your mac? by BitS · · Score: 1

    I'm amazed I haven't seen it posted but... welcome to reality, it's rather simple to change MAC addresses on an ethernet card. Vendors learned a long time ago they'd run out of those 48 bit addresses over time... you MAY have two cards with the same MAC on the same LAN, and it can be changed. There are cards that allow it, and cards that don't... show me a 3com card that you can't change the MAC address on... I don't think you can.

    --
    http://www.schizo.com/
  65. Re:This is kinda quiet... by Anonymous Coward · · Score: 0

    Also, in the VERY unlikely case that you need a larger TTL than this, you can more easily work around this. For instance, change routers to probabilistically decrementing the TTL only one quarter of the time.

  66. Re:WTF? by sirket · · Score: 1

    As any Unix admin here knows you can change your mac address any time you want to. Simply choose a locally unique number and then who cares?

    -sirket

  67. Don't get your panties in an uproar! by tangent24 · · Score: 1

    Yes, it is the intention of IPv6 to use the MAC address as part of the address, but this is only one possibility and is not part of the standard. With the vast address space there are also many other possibilities, such as just doing something similar to DHCP, or in most cases choosing some random number wouldn't get you into trouble on most networks. (Ever try this on an IPv4 subnet? They get upset.)
    The devil is in the implementation, and I would hope these choices would be built into all of the new TCP/IP stacks.

    And Yes sometimes it is useful to have people believe they know who you are.

  68. IPv6's use of MAC addresses isn't what you think.. by prevost · · Score: 1

    The way IPv6 uses MAC addresses isn't actually what people seem to think it is. IPv6 *allows* MAC addresses to be used for a quick-n-dirty link-level IPv6 address. This allows a machine to use BOOTP and DHCP like services via IP, with a real IP address even from the start. Once DHCP or BOOTP or the like has provided a normal IPv6 address to the machine, life goes on as normal.

    The whole purpose of the system is to allow configuration protocols to use IP, even when machines haven't yet been assigned an IP address.

  69. Not nightmare - or security hole (for linux users) by Ungrounded Lightning · · Score: 2
    If your MAC address was used as your IP address, it would be a routing nightmare.

    Not really. The routers will no doubt just be ignoring the lower bytes (like current netmasks) - and by the time it gets to your gateway they'll still be ignoring the part with the "MAC address".

    In fact, it should be trivial to hack a linux IPv6 stack so every TCP connection gets a unique bogus MAC address. Then the snoopers can just whistle for their info, while the IPv6 cookie-replacers can watch their databases expand without limit. B-)

    With significantly more work you could stretch the API to let the client program specify the fake MAC address it wants to present, so your browser could maintain an identity to use when you REALLY wanted to accept an un-cookie.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  70. Re:Spammers' delight by DeadFish · · Score: 1

    Huh?

    An IP doesn't necessarily have an email address associated to it; nor does a MAC address. It's meaningless to 'convert ips to email addresses'. The *only* way that is at all meaningful is when fighting spam, reading email headers, finding out the IP from whence the message originated, and the time it was sent. Then an ISP can check their authentication logs to determine who was using what IP when. But, a lot of IPs and MAC addresses have no email address or login associated to 'em.

    They're *machine* addresses, not user addresses. A machine can have an arbitrary number of email addresses on it, including zero. An ip-to-email converter is a: meaningless and/or b: (as in the scenario you put forth of webmasters determining email addresses from IPs in httpd logs) require individual ISPs to give up their personal logs to benefit spammers. Something ISPs don't have much interest in doing, since such a practice would surely get a provider blacklisted.

    --
    Another damned comic
    +++ NO CARRIER
  71. Re:Half of the MAC is assigned by an authority by Anonymous Coward · · Score: 0

    IPs are only dynamically assigned if your ISP doesn't have enough for all their customers, and obviously this Frezza idiot thinks that doesn't happen.

  72. Re:Other concerns by Tau Zero · · Score: 2

    They can already do that with your IP4 address!

    Only if you have a static IP. If you have a dynamic IP, your data gets anonymized by mixing with the data from everyone else who eventually gets assigned that IP; over time, this could be everyone from your ISP.

    If your machine's MAC address is attached to every packet, that follows you regardless of routing information or even your ISP. This is truly in a different league.
    --
    Deja Moo: The feeling that

    --
    Time is Nature's way of keeping everything from happening at once... the bitch.
  73. Re:On the other hand... by sklib · · Score: 1

    If somebody was enough of a crypto-buff to be able to post a threatening algorithm in a public forum, they would not do it from their own computer. They would instead go to the nearest university library's top floor, find a computer in a dark corner, put in a disk and paste paste paste. Works like magic, total anonymity (except for, say, if you live within a 20 minute drive... But in any large city, that's a crapload of people). And if you wear gloves, they won't be able to fingerprint you.

    --
    -S
  74. Re:Huh? by Anonymous Coward · · Score: 0

    Good to see that some people understand IPv6. This Link Local address is a very cool feature and really only changes the way that things like DHCP and ARP work, making IPv6 much cleaner. If only the rest of the world would start working with IPv6 they would see how cool it is.

  75. Re:Let me place your foot in your mouth by infojack · · Score: 0

    Ya... maybe if you weren't connected with a modem you'd see something. It's impossible to do anything without arp.

  76. ipv6 fact or fiction??? by sykt · · Score: 1

    isn't everyone jumping the gun a little here and assuming that IPv6 will actually happen?

  77. Changing your MAC address under Linux by MenTaLguY · · Score: 2

    You can give a MAC address as a parameter to ifconfig(8).

    Linux should allow you to change your MAC address even if your NIC was not designed to allow it.

    On cards that don't support changing the address, Linux puts the card in promiscuous mode, drops incoming frames not addressed to the particular MAC, and spoofs the MAC on outgoing frames. Quite a neat solution.


    Berlin-- http://www.berlin-consortium.org
    --

    DNA just wants to be free...
  78. Re:I'll give you $10 million if you can find me! by Anonymous Coward · · Score: 0

    The fact that the info's pretty close to useless most of the time isn't the point. I can do exactly as much with that MAC address as I could with the serial number from a PIII. Since most people don't seem to know much about either (including me: I'm just guessing that they have about the same implications for privacy), the question is, why did the one cause an uproar and not the other?

    Which is a pretty good question, even if the article does seem to have a large axe to grind.

  79. Re:Other concerns by JBettis · · Score: 1

    Machines don't have MAC addresses, ethernet cards do. If you are using dialup then you don't have a MAC address. And if you are using NAT (less likely with IPv6 than IPv4) all the remote site will see is the address of the firewall/router anyway.

  80. Re:Other concerns by Anonymous Coward · · Score: 0

    They can already do that with your IP4 address! In connection-oriented protocols, your machine must be identifiable for replies to reach you, so anonymity simply isn't possible without (a set of) proxies you trust.

  81. That doesn't make it meaningless! by FallLine · · Score: 1


    I never said they had to. The card manufacturer knows that it shipped 200 NICs to store A, and their corresponding MAC addresses. The FBI then approaches the store. And asks for a list of all sales of that particular NIC type at store A. This produces a list of 200 names (mostly credit cards). This list is then cross-referenced for possible candidates (eg: known crypto-buffs). It isn't that improbable. Cross-referencing is common practice.


    Perhaps there are other avenues by which the FBI could pursue you. But the risks should be known. Furthermore, I don't believe my scenario to be all that far-fetched. There have been enough similar cases and parallels that the creation of such a case is almost inevitable.

    Some people have said that the FBI could just ask the ISP to reveal it. But if this ISP is an "anonymous" one... For a premium, let us imagine, they randomly assign IP addresses. And they keep no logs of which users were assigned which IP numbers at which date. If the user pool was large enough, it would be difficult to eliminate many people. Or if perhaps payment as well was arranged in cash.... It might very well be more practical for the FBI to take the NIC route.

    1. Re:That doesn't make it meaningless! by Fastolfe · · Score: 2

      How is this any different from static IPs assigned by DSL and cable modem services? All the FBI needs to do in the least is go to your ISP and say, "We'd like to know who this person is."

      It's FAR easier to track somebody today using existing static IP addresses than it would be if some vendors took the *recommendation* that MAC addresses be used as link identifiers for ethernet-based links in IPv6 addresses.

      Regarding your assertion that ISPs can be "anonymous" in this nature, this would be difficult in the US. They'd be doing so with the intent of keeping evidence from lawful organizations. It is also in any ISP's best interest to keep logs. If an attack is launched from one of your anonymous ISP's dynamic addresses and the ISP cannot show that it was, the ISP is in a bit of trouble.

      Not good business.

  82. MAC Address can't be the basis of routable subnets by neonman · · Score: 1

    Haven't Slashdot readers discovered the technical inaccuracy in this claim? IP is a protocol designed from the ground up for its ability to be routed to certain subnets. A machine on one subnet can communicate with a machine on another subnet simply by knowing only the route to the gateway of another subnet. I find it technically impossible to assign IPv6 addresses on a basis of ethernet addresses. While a machine's IP address is dependent on the subnet to which it is connected, MAC addresses are unique to the machine itself.

  83. Re:how is that different from a static IP? by Anonymous Coward · · Score: 0

    Because the IP can be shielded via Anonymizer, a nym server, etc. I might be doing that, not even realizing my MAC is being transmitted.

  84. Re:Let me place your foot in your mouth by PimpSmurf · · Score: 1

    who could networking back then?
    or a modulator/demodulator for that matter

    --
    Stupid people do stupid things... Smart people outsmart each other... --System of a Down
  85. Re:What a plonker! by Anonymous Coward · · Score: 0
    What Microsoft does is much worse, essentially tattooing your MAC address onto every file you create for all of eternity, and keeping a database of those addresses when you register your software

    Not if you use their model properly (at least for Word docs). The .DOC format is *not* the standard, RTF is.

  86. Re:Ignorance of IPv6 is amazing! by Anonymous Coward · · Score: 0

    Right on.... It is amazing how many slashdot readers apparently know nothing at all about routed protocols..

  87. Re:No outrage? Because the people aren't uninforme by neonman · · Score: 1

    Exactly... Rather disturbing how slashdot has sold out to these sorts of readers who show absolutely no knowledge of routable protocols. I haven't even seen efforts to verify the other questionable claims that the author of that article made. While I haven't had the time to read the RFC as of this point, I can see that it isn't probable that a lot of what he says is actually true.

  88. Re:Oh, the horror! by eggnet · · Score: 1

    You don't have to use the MAC address to have an IPv6 address. For servers, you'd just use a static IP. Heck, many machines don't even have a MAC address.

  89. Oops... by Dwonis · · Score: 1

    Looks like the poster forgot to close a tag. Glad that hasn't happened to me (yet?).
    --------
    "I already have all the latest software."

  90. "Change IPv4 address any time" :-) by cygnusXone · · Score: 1

    As others have pointed out, there's quite a lot of rubbish in this article: it insinuates that there isn't really a problem with running out of IPv4 addresses, makes the bizarre comment that one can just change one's IPv4 address at random (what does the author think the point of having an address is, I wonder?), and so forth.

    A little difficult to see where the author is coming from: there's the sort of "Washington Spook"/Defense Department alarmism that you often hear in the privacy debate; but he also gets into everyone, Microsoft and Intel, the EFF, the IETF etc. Whose barrow is he pushing?

    --
    "I went to see the pool of wisdom but it was empty. Someone has drained the pool of wisdom." - Todd Jones
  91. Read The RFCs by jochen · · Score: 5

    Using the network card MAC address as part of the IPv6 address is only one way of setting up the global IPv6 addresses (it's unmanaged autoconfiguration used by rtadvd). Alternatives are manual configuration or using DHCP with IPv6 extension.

    -- Jochen

  92. That is not my point. by FallLine · · Score: 1


    Sure, in most every case the FBI can merely approach the ISP. But most everyone understands this risk. My point is that there IS a way using MAC addresses to trace someone -- not that it is necessarily an all-important issue. You should at least analyze the risks. While you may not agree that it is an excessive risk (not that I do), it is real.

    I wouldn't be the least bit surprised if anonymous ISPs start popping up. There is no law which says you must keep logs, ...at least not yet. While not keeping logs may cause the ISP in question to encounter the wrath of various parties, it is not necessarily stupid from a business standpoint. Clear abuse issues (eg: SYN floods, ICMP attacks, port scanning, etc) can be audited internally. As long as they could curb ongoing abusive behavior, it is not such an issue. If a company is able to charge twice as much for such a service, it could be a huge boon (huge profit margins, compared to the relatively narrow ones of most ISPs today). The reason for anonymity isn't necessarily to evade law enforcement. As long as there is a sufficient legitimate reason, it would be hard for the government to stop the company.

    When the FBI asks to sniff/tap for a certain user (or a specific act), then it might present a problem. The FBI probably would not be allowed to tap EVERYONE's traffic. However, there was a case a couple years ago of a hacker in Brazil (I think), who hacked Harvard and a couple other places. They caught him by setting up some kind of 'intelligent' program that recognized and filtered his keystrokes/traffic from everyone else's on a router, or backbone, or something to that effect. However, I'm referring more to actions in the past tense, eg: not ongoing traffic, which would be immune to sniffing.

    1. Re:That is not my point. by Fastolfe · · Score: 2
      Clear abuse issues (eg: SYN floods, ICMP attacks, port scanning, etc) can be audited internally.

      This would require an internal audit trail. Destroying this trail in response to a subpoena would be illegal. In order to survive, any "anonymous" ISP MUST do some sort of logging and auditing. Think of this scenario:

      • ScriptKiddie signs up to AnonISP, begins smurfing FBI.gov.
      • While smurfs are on-going (ScriptKiddie still connected), FBI knocks on AnonISP's door and asks for all information about the person doing the smurfing.
      AnonISP, having connection details available to them (even without logs), would be obligated to turn over that information.

      • ScriptKiddie smurfs CorpX.com.
      • CorpX.com complains, AnonISP cancels ScriptKiddie's account ("And don't come back!")
      • ScriptKiddie signs up again as PaketKiddie (you have no logs with which to prove he is the same person)
      • PaketKiddie smurfs CorpX.com.
      • CorpX.com instructs uplinks to block all traffic from AnonISP.
      • (repeat)
      • AnonISP, now blocked from the majority of conscientious ISPs, turns into a packet kiddie playground and goes out of business.
      Comments?
    2. Re:That is not my point. by Fastolfe · · Score: 2

      However, there was a case a couple years ago of a hacker in Brazil (I think), who hacked Harvard and a couple other places. They caught him by setting up some kind of 'intelligent' program that recognized and filtered his keystroke/traffic from everyone elses on a router, or backbone, or something to that effect.

      This was done with Harvard's (obvious) consent. As it would then be a privately owned network (not given "common carrier" status awarded to our lovely telephone networks), it would not be considered to be any form of privacy invasion (legally).

      You're only awarded protections against unauthorized searches/wiretaps when it comes to public networks. Your ISP/private university can choose to let the FBI see whatever they want. (At least that's how I understand things.)

    3. Re:That is not my point. by FallLine · · Score: 1


      ....it may require a partial audit trail. However, this doesn't mean that standard TCP connections would be included. My point is that an ISP could be setup to not allow the FBI to trace past communications to a specific user. I'm not really concerned about script kiddies here.

      However, to protect themselves from the uplink denying them service, they could filter out common DoS attacks, eg: ICMP, UDP, SYN floods, etc. The ISP could detect such attacks in a rather small window (eg: 60 minutes or less), rather than large windows (days, months, and years), and respond before outside sources get that involved. Also many uplinks and providers aren't all that responsive to begin with. It takes a great deal of complaints with many of them before they even contact the ISP in question (take @home for example, with all the wingates and abuses originating from them). There are plenty of examples of providers (eg: internet cafes, libraries, schools, anonymous internet proxies, etc) that can't accurately finger the responsible party. You're assuming the uplink and provider threshold for abuse is too low and script kiddie activity would be too great; I don't. High fees alone would keep many script kiddies away (especially since most of them get away with it -- until the 'big' bust at least). With a little bit of careful planning and administration, I believe it could be done. Hell, such an ISP might even get fewer complaints than most of these large unwieldy national ISPs.

      There might also be certain cryptographic techniques which they could employ to protect privacy, but still monitor potential abusive activities and validate accusations.

  93. Why? by BradyB · · Score: 1

    I'm thinking people aren't raising a stink about this because they are just tired of fighting the losing rights-online battle. Which shouldn't be done, I must say. It seems that no matter how much uprising happens from an online privacy issue, the issue continues to persist. That is by no means a reason to stop caring. That just may be the reason that they are not caring as much. How will this affect people who don't have NICs? Modem users are assigned an IP, or will it just be the NIC that's on the computer connected to the net that the modem user is connected to, i.e. an ISP?

    --

    Good is never enough, when you dream of being great!
  94. how is that different from a static IP? by Anonymous Coward · · Score: 2

    IPs can be traced back to the machine as well, so I don't see what's the big deal... -Jagga Dakku

    1. Re:how is that different from a static IP? by Anonymous Coward · · Score: 0
      It's a big deal because it sells. Might be a bit blunt but I think it is true. I mean as soon as there is some connection from here to there, there will be always a way to trace it back.

      Sure, one can make it harder but technology makes advances too and at the end of the day it comes down to total privacy on the Net does not exist.

      Personally I doubt it exists anyway as all kinds of companies have a profile of their customers nowadays already. Once someone bumped into my car. It took me 5 minutes to get the name, address and phone number and about another 5 minutes to know where she worked then, when it happened and why she went there every Thursday.

      Think what is or could be an issue to you, isolate that and do something about it.

  95. Maybe the media is picking it up by cbull · · Score: 1

    This article appeared on the front page of the Columbus, OH newspaper this morning.

    The article raises some interesting points. While I think the general privacy concerns are overblown, I'm glad people are at least considering it.

  96. Oh, the horror! by Mr.+Slippery · · Score: 5
    Shock! Dismay! Embedded in my network address is...well, my network address. Duh.

    I'm no more worried about my MAC address being in a network packet than my IPv4 address. Heck, I could change my MAC address easier than changing my IP - I sure can't change the IP of my PowerMac at the office, and changing my static IP at home would entail pleading to my ISP, but Ethernet cards are cheap.

    The author needs a clue.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
    1. Re:Oh, the horror! by Cuthalion · · Score: 1

      I'm unsure as to how name resolution would work then. Since now your IP address changes when your NIC catches fire and needs to be replaced.. That sounds inconvenient at best, unless this can be easily circumvented. (i.e., they recommend that your IP address contain your MAC address, but it doesn't have to.)

      Say you're running a big server, I dunno, eBay. You have a hardware failure, but you have a back-up system sitting there waiting, to minimize downtime in just such an event. Now when you swap it in you either have to lie about your MAC address (which is good) or update your name tables and wait for that to propagate, which is bad.


      --
      Trees can't go dancing
      So do them a big favor
      Pretend dancing stinks!
    2. Re:Oh, the horror! by Anonymous Coward · · Score: 1

      >Say you're running a big server, I dunno, eBay. You have a hardware failure,

      Since the mission critical parts of eBay run on Sun hardware this isn't a problem.

      The RFCs allow for either the host or the individual NIC to allocate the MAC address. Since Sun takes the host approach (unless you do something deliberate to change it) then a broken NIC won't cause you any problem (since all NICs have the same address, which is based on the hostid which is held in NVRAM).

      Okay so what if the NVRAM battery fails and you get a new one? You did keep a copy of your hostid written down somewhere, didn't you? If you have a service contract with Sun and are a big customer chances are you have sent them the data at some time and they would be able to tell you what it is.

  97. I'll give you $10 million if you can find me! by Anonymous Coward · · Score: 0

    Here's the MAC address of my NIC: 00-E0-29-2B-A1-0B and this one's from my ISDN adapter: 44-45-53-54-00-00 Oh no! My privacy has just been raped, whatever will I do? I'm sure thousands of ppl will be on my doorstep tomorrow claiming the $10 million prize. NOT! Here's the deal. In the article he says every packet we send out using IPv6 will have our "fingerprints" on it. Well it seems to me that in order for a fingerprint to do a damn bit of good at revealing someone's identity there needs to be a database with everyone's fingerprints and identities stored in it. I don't remember NECX Direct putting my name and MAC address in a huge database when I ordered my NIC a year ago. In fact I remember the box my NIC came in was still sealed when it arrived. There's just no way to tie me to my MAC address short of coming to my computer and looking it up manually, and if I did something wrong and they know to check me out then chances are I'm already screwed and there's not much difference a MAC address is going to make. Just my 2 cents worth.

  98. Spammers' delight by RobotWisdom · · Score: 1
    And imagine what webmasters will pay for a database that converts your shiny new IP number into an email address they can spam, as soon as they see you visiting their site...

    (I've been asking about this since last December, actually.)

    1. Re:Spammers' delight by Anonymous Coward · · Score: 0

      As if I'm not the only one at my current IP? How exactly are they going to get an email-to-IP database? Surely they could do that now.

  99. How is this any different from... by Anonymous Coward · · Score: 0

    How is this any different from IPv4 IP addresses and MAC numbers?

  100. This is kinda quiet... by Anonymous Coward · · Score: 1

    Well... I guess the usual /. hysteria didn't kick in yet. Everyone is probably busy trying to get their money for Cyberwar articles or whatever the hell it was? :)

    On one hand the threat is somewhat exaggerated:

    a) Dial-up machines have no NIC addresses and (even though I am too lazy to look at IPv6 address assignment mechanisms) I would presume these will have to stay dynamic just by simple logic.

    b) NIC addresses of the cards are easily changed nowadays so you can go ahead and alter it all day long.

    c) Even today someone not using dialup is fairly easy to find since networks are given to certain entities and they all have some provider above, and therefore a person can be traced at the very least to some organization - and most probably to the exact location just by IP.

    d) If the IP is assigned by the provider - they have a log of when each user dials in and they have caller ID.

    e) Obviously privacy is dead - yes, some people were screaming about Intel's embedded IDs but look - time passed and all is quiet and the IDs are still there. But then again so are a million other things: your credit cards, all your public records that Uncle Sam will sell to the first guy with money, all the cameras looking at you from every corner of every 7-11 store.

    Wake up - it's easier to find a person than a stock quote today :) Just stop being paranoid..

    On the other hand I won't use IPv6 even if it means I won't have access to anything: I mean what IDIOT makes a protocol with a 128 bit address scheme and keeps the TTL field at 8 bits (which makes the maximal TTL 256). With every toaster connected to the network, as soon as we get that many addresses this TTL will become obsolete in a week. But then whenever did you see anything making sense coming out of IETF? :)))

  101. Take my MAC address ... please! by Anonymous Coward · · Score: 0

    Here it is -- have fun: FF:00:00:00:00:FF

  102. Ways will be found... by k9-quaint · · Score: 1
    A privacy proxy, that does not log connections, could be used by anyone to browse the web in complete privacy. These may even become standard issue along with DNS and mail service. People just don't realize that they have no privacy today.

    I am sure however, that there will be some uproar about this by the non-technophiles.

  103. Re:Let me place your foot in your mouth by mzito · · Score: 1

    I'm afraid you don't remember your TCP/IP correctly: ICMP is in no way necessary to open up a TCP connection. It is useful, though, for host unreachable messages from the remote router. But, barring that, ICMP is unnecessary for a TCP connection.

    Matt

    --
    me@mzi.to
  104. Lack of knowledge = lack of outrage by phil+reed · · Score: 1
    Perhaps we weren't outraged because we're not in the habit of reading all the details of the proposal? In other words, we didn't know until now.

    Of course, now that we do know, it's time to make it a changeable field. Where do we go to lobby to change the standard?


    ...phil

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  105. Re:this guy obviously has a huge chip on his shoul by Anonymous Coward · · Score: 0

    I'm assuming that '/12' has something to do with the size of the address block. Can someone tell me exactly what it means (and how you 'say' it)?

  106. Re:this guy obviously has a huge chip on his shoul by cananian · · Score: 1

    You still haven't proved that 'friendship' or unfair collaboration caused any of this. Some bad decisions in the beginning (like MIT's class A allocation --- but they've been giving pieces of that away ever since they got it) and a general paucity of the 32-bit address space --- but at the beginning they really thought they had *plenty* and didn't need to pay close attention to allocation. Now we know better. Are the extremely poor allocations still happening? And can you prove that unfair practices were involved?

    --
    [ /. is too noisy already -- who needs a .sig? ]
  107. Re:Waste by Anonymous Coward · · Score: 0

    Is this large sum of money around $100?

  108. Not much reduced anonymity by crow · · Score: 1

    So if you're using a dial-up account, then your IP address would generally be the same every time you dialed in. This is already often the case with cable modems and DSL. What we're really seeing is another step in the direction of ending dynamic IP addresses.

    Currently, if someone connects through AOL, hangs up, and calls back in again, you have no good way of determining if it is the same person. With static IP numbers, it gets easy.

    Of course, if you don't have an ethernet card, there's no MAC address to assign an IP number from. So if you're dialing in through a modem, you probably won't see much difference with IPv6.

    Lack of dynamic IP addresses is, indeed, a privacy issue, but IPv6 isn't a major part of the problem.

  109. Re:WTF? by Anonymous Coward · · Score: 0

    I don't think you're realizing the difference between a MAC address and an IP address. A MAC address is a number assigned to your ethernet card by the manufacturer. It is (normally) impossible to change. While selecting a locally unique MAC address would solve your problem in the short term, I would remind you that you wouldn't be able to retrieve your original... and even if you write yours down, what happens when you swap hardware with someone or your card is recycled? Hardware has a tendency of living a lot longer than badly written software.

  110. Re:Even in windoze by L0rdJedi · · Score: 1

    With MediaOne, you have to call them and give them the new MAC address to enter into their database, then unplug the cable modem to reset it and it would then get the new MAC address from their database and compare it with the one it's connected to.

  111. Don't read the RFCs, read the drafts! by ViGe · · Score: 1

    Using the network card MAC address as part of the IPv6 address is only one way of setting up the global IPv6 addresses (it's unmanaged autoconfiguration used by rtadvd). Alternatives are manual configuration or using DHCP with IPv6 extension.

    It's also possible to use the IPv6 stateless manager autoconfiguration (without DHCP) using an interface identifier that changes over time. It's documented in draft-ietf-ipngwg-addrconf-privacy-00.txt. A must read before starting complaints like this.
    --

    --
    It has to work - rfc1925
  112. Re:On the other hand... by Fastolfe · · Score: 2

    Given the batch, they can link to a shipment (eg: to a specific store) and so on. The store can then link this to a credit card (or a range of credit card) sale...and on to the user(s).

    Not quite. At best, the store would be able to say, "Any one of the people that bought one of these cards between dates X and Y would have a NIC with the MAC address you specify."

    Purchases aren't tracked by serial number.

  113. Huh? by Anonymous Coward · · Score: 1

    Last I checked, the MAC address was only going to be used to generate a link-local address. That particular kind of address is not routed across the internet. There is a prefix that is prepended to the MAC that is non-routable (like the current unregistered addresses) for plug and play local networking. Since your dynamically assigned routable address would come down through the providers, the privacy would depend on the policy of your provider in recording address assignments. I haven't read the latest that has come out of the IETF on this, but as of a year ago this was true. Anyone have more info on this? Peter

    1. Re:Huh? by horape · · Score: 1

      Last I checked, the MAC address was only going to be used to generate a link-local address. That particular kind of address is not routed across the internet.

      Nope. If you have a router using radv your IP will be based on the prefix the router advertises and your MAC address.
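
The derivation horape describes (router-advertised prefix plus MAC), and the alternatives jochen and ViGe point to in posts 91 and 111, as an added example that is not part of the thread or of any RFC: the 48-bit MAC is stretched into a 64-bit "modified EUI-64" interface identifier by inserting ff:fe in the middle and inverting the universal/local bit, then appended to the /64 prefix. The same arithmetic run backwards recovers the MAC from any address built that way, which is both the tracing the thread worries about and a check an administrator can run over address logs; the privacy-extension alternative is a random identifier with the u/l bit cleared. The prefix 2001:db8::/64 is a constructed sample; the MACs are the ones posted in the "$10 million" comment.

```python
"""Modified EUI-64 interface identifiers in IPv6 stateless autoconfiguration."""
import ipaddress
import re
import secrets

# six hex octets separated consistently by ':' or '-'
_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([-:])(?:[0-9a-fA-F]{2}\1){4}[0-9a-fA-F]{2}$")


def mac_to_eui64_iid(mac: str) -> int:
    """MAC -> 64-bit interface identifier.

    Split the MAC into two 24-bit halves, insert 0xFFFE between them, then
    invert bit 1 of the first octet (the IEEE universal/local bit), so a
    globally unique MAC yields an identifier with that bit set to 1.
    """
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes(int(x, 16) for x in re.split(r"[-:]", mac))
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02                      # invert the u/l bit
    return int.from_bytes(eui64, "big")


def autoconf_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from a /64 prefix (link-local fe80::/64 or one
    learned from a router advertisement) plus its own MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def mac_from_address(addr: str):
    """Reverse the derivation. Returns the MAC (lower-case, colon separated)
    when the low 64 bits carry the ff:fe marker of a modified EUI-64,
    otherwise None. Useful for spotting addresses that leak a hardware
    identifier; a random identifier matches only by a 1-in-65536 accident."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = bytearray(iid.to_bytes(8, "big"))
    if raw[3:5] != b"\xff\xfe":
        return None
    raw[0] ^= 0x02                        # undo the u/l inversion
    return ":".join(f"{b:02x}" for b in raw[:3] + raw[5:])


def random_iid() -> int:
    """Privacy-extension style identifier: 64 random bits with the u/l bit
    cleared to 0 (the 'local' value), so it carries no hardware address."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD                        # clear the u/l bit
    return int.from_bytes(iid, "big")


def has_universal_bit(iid: int) -> bool:
    """True when the identifier claims to derive from a globally unique MAC."""
    return bool((iid >> 56) & 0x02)


if __name__ == "__main__":
    mac = "00-E0-29-2B-A1-0B"             # NIC MAC quoted in the thread
    for prefix in ("fe80::/64", "2001:db8::/64"):
        a = autoconf_address(prefix, mac)
        print(f"{prefix:14} + {mac} -> {a}  (MAC visible: {mac_from_address(str(a))})")
    r = ipaddress.IPv6Address(int(ipaddress.IPv6Network("2001:db8::/64").network_address) | random_iid())
    print(f"privacy-extension address {r}  (MAC visible: {mac_from_address(str(r))})")
```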

  114. Don't get your undies in a knot... by Lord_Rion · · Score: 2

    If I recall from reading the spec a while ago.. using MACs is just one suggested method of providing IPs in the IPv6 world. Considering that you can, in a number of cases, change your device's MAC address, it hardly seems like an issue anyways. Lord_Rion

    --
    --Hired Net Grunt
  115. Can't change 48bit MAC address? by Anonymous Coward · · Score: 0

    Maybe you cannot change the MAC address directly in Windows, but it is changeable. "ifconfig eth0 hw ether aa:bb:cc:dd:ee:ff" (interface name and address are placeholders) works for me to change it under most any Un*x out there. The MAC only really needs to be unique on a segment. To address the real issue for the masses, this does concern me. I did not know about this issue, as many did not know about the issue with the GUID in M$ Word files. DeFossMeister Unix is user friendly! It's just picky about who its friends are.

    1. Re:Can't change 48bit MAC address? by Anonymous Coward · · Score: 1

      ifconfig doesn't really change the MAC address, though, it spoofs it by setting the card in promiscuous mode, and letting the kernel filter the packets.

    2. Re:Can't change 48bit MAC address? by Anonymous Coward · · Score: 1

      I think it only uses this hack on *some* cards, other cards have a built-in function to change the address. When I change my MAC address, the card does not appear to go into promiscuous mode.

  116. Will conformity be checked by anything? by Tau+Zero · · Score: 2
    While the Windoze stack may put the card MAC address in the standard field, I don't see how any computer beyond the first router could know, or care, if that data has been spoofed or not. How many Linux implementations are going to have 00-00-00-00-00-00-00-00 or 07-81-51-12-06-66-66-66, or some random sequence, stuck in that field? Unless the final router uses it to get packets back to the sender (or something like @Home uses it to route packets to the recipient or the bit bucket!), it's going to be completely irrelevant.

    So... what am I missing?
    --
    Deja Moo: The feeling that

    --
    Time is Nature's way of keeping everything from happening at once... the bitch.
  117. Privacy? pff. by gehrehmee · · Score: 0

    I don't mean to sound like I believe all these privacy concerns are over-blown, but could someone clarify what this means to the average user?

    1) I may/may not decide to host a web server in the future. Provided I have a moderately secure server, is there really that much of a risk? (Especially considering that I have the option of backing up every bit of information on that server, and that very little information would be hidden anyways...)

    2) As an internet client, what concerns should I have? Personally, I don't have a big concern about people tracking where I'm going, reading my posts to newsgroups, or even reading my e-mail... (most of it's fairly bland anyways! :) )

    I certainly support the right of individuals to encrypt their data, and cut themselves off from the (sarcasm)immeasurable evil of the internet(/sarcasm), but when these security mechanisms become standard, how do I ensure that my life DOES remain an open book?

    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
    1. Re:Privacy? pff. by Anonymous Coward · · Score: 0

      >how do I ensure that my life DOES remain an open book?

      Try posting all your email on slashdot. However, your karma might suffer. Don't say I didn't warn you.

  118. Ummm by mischief · · Score: 0

    OK. Maybe I'm missing something here. But what's the point in designing a new system of IP addresses if each machine can't have its own address? When every machine has its own address, through whatever technology, that will be its individual identifier - what exactly is IPv6 trying to solve again? I always thought it was an IP address shortage? IP addresses being those things that tell other computers on the internet where yours is.

    --

    --
    Everything I know in life I learnt from .sigs
    1. Re:Ummm by jochen · · Score: 3

      The MAC address being part of the IPv6 address is NOT mandatory. It may just be used for autosetup (just like the MAC address being part of an IPX address, as well). It is never used for routing or address resolution anywhere. Neighbor solicitation and neighbor advertisements do the resolution in the local network and take over the role of ARP from IPv4.

      -- Jochen

  119. I don't see a problem. by Anonymous Coward · · Score: 0
    A MAC address is just a convenient, unique number that you can make part of your IP address. And currently, your MAC address is less likely to be registered and connected to your name than your IP address.

    Systems still will have to give you the option of picking one that's different from your physical MAC address, either because the interface you are using doesn't have one at all, or because you don't want to change your IP address when you change hardware.

    So, I don't see a problem with this yet. But perhaps I simply don't understand what the privacy concern is supposed to be.

  120. Come on! by Anonymous Coward · · Score: 0

    This is one misinformed person. This is what NAT does -- address translation. If you are on the internet, you have a router or gateway or firewall hide your internal addresses from the evil people. Therefore, all you would see would be your outside router's MAC address, which is similar to what the router upstream from you already can see -- and you are in reality more identifiable by your IP address than your MAC address.

    1. Re:Come on! by FugaziMan · · Score: 1

      Yea, and you know 100% of the people out there
      are using a firewall??... right??

      You seem to have missed the point that
      the majority of the people out there are
      just connected to the internet without
      a gateway or firewall, therefore every
      where they go which logs IP can be traced
      back to their machine.

  121. Any "abuse" to privacy here is insignificant by grappler · · Score: 2

    If you have an ip address of somebody, there are ALREADY better ways to trace it than bothering to try and track down their ethernet card (and many computers don't even use ethernet cards anyhow).

    If you want to be anonymous, you would be much better off with mixmaster remailers (for anonymous email), anonymizer.com (for web surfing) and various anonymizing telnet services. In other words, a trusted third party to strip off identification for you.

    --
    grappler

    --
    Vidi, Vici, Veni
  122. Privacy article, for article's sake? by Waav · · Score: 3

    Frankly this is not very interesting, and not all that worrisome as explained by most other people who have already posted, so I won't go into the details again.

    However, this article makes me think that the guy whose job is to write stuff on privacy issues on the net came up empty in the actual real security issues department and said, hey, I can still write an article about why people aren't worried about an issue... in other words, writing about privacy on a non-privacy issue.

    He says that the EFF among others has not responded to this latest "privacy threat", perhaps he should have thought for a moment and realized...they aren't responding because there is nothing to respond to.

  123. Status Quo under the guise of change... by Blackjax · · Score: 1

    Just at a quick glance I can't see any fundamental shifts in who has access to information here. Those who can invade your privacy now, will still be able to do so, and those who can't now probably still won't be able to. The only real change I see here is in ease of use for end users and possibly fewer headaches for sysadmins (depending on what they want to accomplish). No more messing around with address configuration in software.


  124. Openboot? by Anonymous Coward · · Score: 0

    Anyone using a sun box can alter their ip easily. my personal favorite is the example the openboot faq gives... course the sun id is still there and then c0:ff:ee

  125. Not a worry for me by anticypher · · Score: 2

    And I'm one of the biggest privacy freaks you will ever come across.

    Read the spec, and understand what that part of the IPv6 address is for. Then you will realise it is not a big bad privacy violation.

    The MAC address section of IPv6 is used mostly for locally addressable destinations. It makes an easier job for routers to figure out whether to route the packet.

    It is stripped off (or obfuscated) by a router when sending packets out into the big bad internet. Of course, your implementation of a routing process may vary, but other routers would strip it out as meaningless (i.e. the first cisco router).

    the AC

    And besides, YOU don't have any privacy, get over it! :-) (the rest of us are still fighting, but mostly the good fights)

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
    1. Re:Not a worry for me by sumner · · Score: 1

      The MAC address section of IPv6 is used mostly for locally addressable destinations. It makes an easier job for routers to figure out whether to route the packet.

      It is stripped off (or obfuscated) by a router when sending packets out into the big bad internet.


      What makes you think that? "Separating Identifiers and Locators in Addresses: an Analysis of the GSE Proposal for IPv6" (draft-ietf-ipngwg-esd-analysis-04.txt) says:

      "In contrast, connections in GSE are identified by the ESDs rather than full IPv6 addresses. That is, connections are identified uniquely by the tuple: (srcESD, dstESD, srcport, dstport). Consequently, when demultiplexing incoming packets to their proper end point, TCP would ignore the Routing Stuff portions of addresses."

      etc. Basically, the RG portion of the IPv6 address can be stripped, but the ESD (which contains the MAC address) can't.

      I'm not convinced it's a privacy concern -- witness the "Privacy Extensions for Stateless Address Autoconfiguration in IPv6" draft -- but it sure doesn't seem that the ESD can be stripped.

      Sumner

      --
      -- rage, rage against the dying of the light
    2. Re:Not a worry for me by Anonymous Coward · · Score: 0

      It can't be stripped, but it surely can be obfuscated. That is, your local router could pick a random number, and temporarily map it to your MAC address. It can even change it on a regular basis, if it wishes, as long as it knows how to translate between the addresses as long as they are used. In other words: It would be easy to set up a router that makes the addresses seen by the outside world meaningless. A nice new feature for Linux? It's just a way to extend masquerading, and for instance make it possible to allow time limited (and filtered, of course) reverse connections.

  126. Devil's Advocate by konstant · · Score: 2

    To play devil's advocate for a moment, consider the benefits from allowing packets to be uniquely identified.

    0) Firstly, I'm not at all sure that this is accurate. In theory, the client has complete control over its outgoing packets. I don't see why this couldn't be wiped to zero on outgoing packets. It would be a simple app, tho it would introduce some overhead into TCP/IP.

    1) If the data section of the packet is being handled by SSL, unique IDs cannot harm you. This is because knowing the originator of the packet is meaningless unless you know what they are saying. The most information a snoop could glean would be that X is talking to Y at time Z.

    2) Packet spoofing would be far more difficult. Consider all the cracking cases in the last few weeks that implicated a national governmental body, probably falsely. First there was the "Department of Defense" breaking into the Australian stock Xchange, then the "Russians" breaking into the Department of Defense. A few months ago didn't the "CIA" break into something in France? Almost certainly spoofed.

    3) PoD and DoS would become vulnerable to intelligent routers. Cisco I know tears its hair out over the susceptibility of its routers to denial of service attacks. But if all the packets bore the same GUID, it would be simple to filter them.

    4) If you're super-paranoid, just have more than one ethernet card. That's where they're drawing out these GUIDs you know, from your hardware signature. Microsoft does the same thing with the in-house GUID Gen program.

    5) plus many more good reasons... :P
    -konstant

    --
    -konstant
    Yes! We are all individuals! I'm not!
    1. Re:Devil's Advocate by Anonymous Coward · · Score: 0
      knowing the originator of the packet is meaningless unless you know what they are saying

      Traffic analysis even without plaintext is very useful. They can identify your probable compatriots and know who to subpoena or rubber-hose when they want to get at you.

  127. This has been discussed on Technocrat by Lalo+Martins · · Score: 3
    Was on Technocrat.net yesterday. Summary:
    • It's an arbitrary value. You may use your MAC address or you may use something else.
    • Your MAC address isn't any more sensitive than your IP.
    • One of the main points of ipv6 is to give IPs for everyone, so why not? We will already have to rethink a lot of our "privacy" systems. We do a lot of what Perens calls "security through obscurity"; relying on dynamic IP for "privacy" is in effect treating a bug as a feature.
  128. Modems dont? your PPP adapter does by Roofus · · Score: 1

    At least under windows. Your NIC mac address usually starts with 00, while your PPP adapter has a number that starts with 44.

    1. Re:Modems dont? your PPP adapter does by demon · · Score: 1

      That's not a real MAC address - it's just a fake MAC address that the machine on the other end of the PPP connection can use for ARP/proxyARP purposes. All Windows machines will report the same thing for the MAC address of the "PPP adapter" device.

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
  129. Enables micropayments and micropolicies by Anonymous Coward · · Score: 1
    With this tracking ability big publishers will be able to charge by pageview for web content. So instead of seeing banners, could we be looking forward to seeing charges to our credit card for every weather report, news story, or music track we access? Banners aren't great, but compared to the alternatives, I prefer a net that remains free, even in the beer sense.

    And by looking at the type of content, an ISP will in the future be able to charge a higher rate for traffic that has a high priority, such as voice traffic. But this means they need to monitor all your traffic to see what content you're accessing. See http://www.narus.com/ for a company that's doing this right now.

    Now on to the free (speech) part of this. This tracking ability could also enable micropolicies. Blocking-by-host and even content customization by host is possible now, but this will make it much easier and much more prevalent to make web content targeted to the individual. Is this a bad thing? Not necessarily, but it greatly increases the incentives for companies to build and trade in user behavior tracking databases.

  130. IETF is not the same as Microsoft by 23skidoo · · Score: 1

    There is a difference between the way the IETF does things and the way Intel and Microsoft do things. If one is concerned about issues like the MAC address becoming the host identifier in IPv6 - as it has always been in IPX - one could have participated in the - very long, detailed - debate over the specification. Maybe no one is concerned about this because it is a non-issue. Nothing like trying to create controversy on a slow news day, eh?

  131. Re:Why? Some people are silly. by gothic · · Score: 1

    Or maybe because people truly don't generally care. It's not hard for someone to send me logs of them getting nuked (I work at an ISP), comparing the IP and time to the radius logs and finding exactly who did it. It's even easier with static IPs. Why is there no stink about it? I think because there is no need for a stink. I don't quite follow some certain privacy activists with some of the stuff they say. I think some of them don't quite understand what privacy they already *don't* have... Give it up, if you have nothing to hide, then you don't need to be worried, IMHO. I'm not selling government secrets, so the government wouldn't look at me very long (Still MO). (proc sarcasm) Until they make it mandatory for the government to watch every packet that flies in and out of my bridge, I really don't care.. (end proc)

  132. this guy obviously has a huge chip on his shoulder by cananian · · Score: 5
    ...maybe the geeks picked on him for using windoze?

    In any case, the article, while obviously inflammatory, is backed up by very little actual fact. The author didn't bother to actually *call up* any of those 'professional privacy advocates' and ask them himself why this wasn't an issue (in other words, didn't do any real journalism) -- he just whined and complained that the people *who with very little pay occupy themselves with protecting _his_ privacy* thought they knew better than he about the implications of IPv6. And WTF:

    You would think that the 32-bit address field of IPv4, supporting more than 4 billion unique addresses, would be sufficient to last quite some time. Unfortunately, the cabal that controlled the disposition of these addresses had a habit of handing out large blocks to their friends, who parlayed these into start-ups with multibillion- dollar market caps. Hence, the "shortage."
    That's quite a statement to make unsubstantiated. Very poor journalism. And:
    The spooks and weirdos in Washington, ever eager to empower the surveillance state as they fight a rear-guard action against strong encryption, must be thrilled with such a gift. They appear so thrilled that the Institute for Information Sciences, heavily funded by the Defense Department, is writing a reference stack for IPv6 that it is quietly hoping to slip into Windows 2000.
    Eh? Since when was "heavily funded by the Defense Department" an automatic stamp of badness? Does this guy realize that close to 90% of *all* the academic research in this (American) country is one way or another "funded by the Defense Department"? Heck, *I'm* funded by the defense department. The whole *Internet* was started by and remains to some extent funded by the Defense Department. This is just lazy scare-mongering by some guy who considers his opinions too obviously important to merit support with real facts.

    If this guy is serious, he ought to research and back up his claims. Lacking any evidence to the contrary, I'd just as soon agree with the poster directly above, who claims that this NIC ID doesn't make it past the first router and so doesn't matter. That seems far more likely than the worldwide conspiracy that Bill Frezza would have us believe. If Bill can make a better argument, I'll go over to the standards and check for myself, but he has very little credibility in my book at this point.

    --
    [ /. is too noisy already -- who needs a .sig? ]
  133. More on IPv6 and address privacy by angio · · Score: 5
    The author of the "IPv6 Privacy Threat" article failed to consider a few things. As several people have already pointed out, MAC addresses are spoofable and changeable in many circumstances.

    More importantly, the IPv6 spec suggests (not mandates) the use of the 48-bit mac address for use as part of a local-use address. The local-use address as defined has only local routability scope - it will not trickle out onto the greater Internet. This was designed to provide an easy bootstrapping mechanism, and for non-Internet connected sites to configure their computers easily. However, the use of the 48-bit mac address is completely optional; it's not an automatically assigned address.

    Third, people who connect to the Internet via a DSL or modem connection don't need to worry. In the DSL case, their IP address is the IP address of the DSL modem. Since their IP address is provider assigned, and their DSL modem is provider assigned, there's no difference! A user who dials up via a modem will have an IP address assigned by their provider, just like they do now, and it will have no correlation to the hardware address of anything they own.

    For more information, Robert M. Hinden has a great article, "IP Next Generation Overview". Alternately, the story posted in the Times a few weeks ago provided a cogent introduction to the reality, not the hype, of IPv6. If you're an RFC type, check out:

  134. Re:Scores? by toast0 · · Score: 1

    It's called moderation; it's done by the masses. Basically, logged-in users have a chance to get 5 moderation points to use within 3 days of getting them, and they can't moderate in the same thread as they post.
    You can read the moderators' handbook for more info.
    If you make an account you can set it never to listen to moderators and show everything.

  135. TTL by Cuthalion · · Score: 2

    Interesting points, but I'm not sure about the TTL one..

    i mean what IDIOT makes a protocol with 128 bit address scheme and keeps TTL field of 8 bit (which makes maximal TTL be 256).

    Assume that each physical network has 8 links to it. Every time the size of the network increases eightfold, the maximum TTL needed to use all of that network goes up by one. Addresses run out MUCH faster than TTL's, as the network grows. Sure, there is going to be a lot of variation in size of subnets, but on the whole the net is much more broadly connected than it is deeply connected.

    Both TTL and address bits required grow logarithmically with the number of nodes, but TTL has a much higher base to that log.

    --
    Trees can't go dancing
    So do them a big favor
    Pretend dancing stinks!
    1. Re:TTL by HeghmoH · · Score: 1

      Yes, the TTL and number of address bits both grow logarithmically as the network grows.

      However, the number of bits in the TTL grows logarithmically as the TTL grows. So the number of bits for the TTL grows as the log of the log of the number of nodes in the network. A TTL of 256 is really, really big; on the internet today, it's rare to see a routing that takes more than 20 jumps. I seriously doubt that will significantly increase when IPv6 arrives.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
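    The scaling argument in the two posts above, written out as an added derivation (it is not part of either post). With $b$ links per physical network (Cuthalion takes $b = 8$) and $N$ nodes to reach, a tree-shaped network gives

    $$\text{hops needed} \approx \log_b N, \qquad \text{address bits} \approx \log_2 N, \qquad \text{TTL bits} \approx \log_2 \log_b N$$

    Even for $N = 2^{128}$, every address IPv6 can name, $\log_8 2^{128} = 128/3 \approx 43$ hops, which needs only $\lceil \log_2 43 \rceil = 6$ bits, well inside the 8-bit field (values up to 255).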
  136. No NIC! by rasterboy · · Score: 1

    Hmmm, the PowerMac I've got at home does dialup, and has no ethernet card... neither does the older Mac that my kids use...

    Will there be 'black market' ethernet cards?

    Can I install 3 NIC's?

    --
    ...end of transmission...
  137. Not an issue by sys$manager · · Score: 1

    After Y2K hits, we'll all be using DECnet anyways. Well, that's my master plan. You shall all be banished to OpenVMS! Muhahahaha!

  138. IPv6 and privacy by jd · · Score: 5
    Ok, let's take a look at this.

    • IPv6 mandates that each port have a unique IP address, that that address be configured by the network in a unique way at the time of connection and any time the network changes, and that that address have a lifetime only marginally longer than the period of time that the topology higher up the hierarchy to that port remain the same.

      (In other words, if you move, your ISP moves, their ISP moves, etc, right up to the backbone itself, you are GUARANTEED a new, unique IP address. You are ALSO GUARANTEED that your old IP address will remain valid, and pointing to you, for a transition period.)

    • IPv6 also mandates that IP number clashes should be impossible, irrespective of user activity or mobility, or network topology changes.

      (This is not trivial. Not only does this require that your IP address is unique, when you connect, but that you are given a unique address, should you move, whilst still connected, AND that anyone connecting or moving over to your old ISP at the time you're transitioning will ALSO gain a unique IP address. In other words, they can't be assigned your old address, and you can't be assigned their old address, because that violates the uniqueness during the transition period.)

    • The use of the MAC address is an optional, but preferred, way to ensure this uniqueness. There are perfectly viable alternatives. Simply having the router assign a number out of a list would work. It comes to the same thing, really.

    • IPv6 has many more mechanisms for privacy (eg: IPSEC, non-spoofable routers, etc.) than IPv4. The use of the MAC address, even if you opt to use it, doesn't help anyone locate you, or find anything out about you.

    • You can remotely ask for the MAC address of a number of devices, anyway, using good old IPv4. Only difference is that you can't restrict who asks.
    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  139. Other concerns by silversurf · · Score: 3

    If I remember right, the IPv6 spec also includes the capability to assign a portion of the address based on MAC and location(?). Or something to that effect (I could be totally off-base here, I saw a talk about IPv6 that discussed it in that way). Basically the idea being that it makes it much easier for packet to find you and for your packets to route as quick as possible to their destination.

    IPv6 is trying to address the problem of "dumb" packets that get shoved willy-nilly through routers as they are shuttled from one place to the next in search of their destination. IPv6 is supposed to provide a "smarter" packet that allows it to take the shortest possible (and quickest) route to/from a destination. All of this being done on a location basis. The MAC address, I believe, is used as a unique identifier to help keep addresses unique.

    I noticed a post that stated that there is no "database" for MAC addresses. I don't know if I totally believe this. Every manufacturer produces a unique address for each card produced, thus guaranteeing that no repetition will occur, especially since routers and switches cache and use the info heavily. So, how do they know who is making what MAC address? Also, a MAC address may be easy to change, but how many users know how to do that?

    I am very concerned about privacy in IPv6. It seems like one big, global user tracking system to me.

    my $0.02,

    colin.stefani

    1. Re:Other concerns by gid-foo · · Score: 1

      Well then it's time for you to do some research. Using one idiot journalist's unsubstantiated and entirely biased opinion to base your fears off is, well, baseless. You could try reading draft-ietf-ipngwg-addrconf-privacy-00.txt for starters and then go from there. The beauty of the IETF is there is no secret cabal. It's all there to be read. Try checking out the last 3 years worth of IPSEC stuff and the IPng mail list for further info. I'm sure everything is out there. gid-foo

    2. Re:Other concerns by Fastolfe · · Score: 2

      I noticed a post that stated that there is no "database" for MAC addresses. I don't know if I totally believe this. Every manufacturer produces a unique address for each card produced, thus guaranteeing that no repetition will occur, especially since routers and switches cache and use the info heavily. So, how do they know who is making what MAC address? Also, a MAC address may be easy to change, but how many users know how to do that?

      I am very concerned about privacy in IPv6. It seems like one big, global user tracking system to me.


      The MAC address is implemented just like a serial number. E.g. Batch 1 gets MAC address 1-100. Batch 2 gets 101-200. There is no "database" that the company has somehow managed to compile that links your MAC address with anything resembling your identity. You think the stores they send these NIC's off to turn around and report back to the manufacturer with your identity and buying habits? It doesn't happen.

      Don't be so paranoid. Companies tend to only spend resources on things that will earn the company a profit. An internal database of MAC addresses earns the company absolutely NOTHING. The infrastructure required to create and maintain such a database for zero profit (or even useful market research, as MAC addresses are nearly useless for doing any real tracking) just doesn't seem like a likely thing for a company to do.

      In order for this to even be remotely successful, you'd have to get all of the NIC companies and the VENDORS themselves together on the conspiracy and have them all sharing their MAC addresses and databases of customers and buying preferences. This doesn't seem very likely.

      In fact, if someone wanted to track your Internet activity, it would be FAR easier for them to break into your ISP, track your dynamic IP addresses as they're assigned, and monitor your traffic that way.

    3. Re:Other concerns by Tau+Zero · · Score: 2
      An internal database of MAC addresses earns the company absolutely NOTHING.
      But if that MAC address can be used as a globally-unique key to identify a machine (and, in all likelihood, its regular users), it becomes even more valuable than a cookie.
      In order for this to even be remotely successful, you'd have to get all of the NIC companies and the VENDORS themselves together on the conspiracy and have them all sharing their MAC addresses and databases of customers and buying preferences.
      No, all they have to do is build up a profile of access patterns for each MAC address, which builds a picture of the user(s) of that computer; even if you succeed in remaining entirely anonymous or pseudonymous, every access can be related to every other. The first time you do anything on the Net that associates that MAC address with your name, all of your past anonymous and pseudonymous activity is instantly "outed" (and all of your future activity ditto).
      --
      Deja Moo: The feeling that
      --
      Time is Nature's way of keeping everything from happening at once... the bitch.
  140. What if I switch Ethernet cards? by MobiusKlein · · Score: 1

    If I switch Ethernet cards, does this mess up my IP address to the world? And have to wait for all the DNSs to get the new address?
    Or it seems more likely that (as others have said) that routers will strip out this info.

    1. Re:What if I switch Ethernet cards? by horape · · Score: 1

      If I switch Ethernet cards, does this mess up my IP address to the world? And have to wait for all the DNSs to get the new address?

      If your address is in a DNS you'll probably be using a fixed address, not an autogenerated one, so your MAC won't be there...

  141. Simple solution. by Zurk · · Score: 2

    Compliments of the linux.com tuning guide :
    On a related note, you can also have your card use a different MAC address

    ifconfig eth1 hw ether deadbeef0001
    (this needs to be done while the card is down for obvious reasons)

    now your card will answer all arp requests with DE:AD:BE:EF:00:01.

    Note:
    The kernel performs this trick on most cards by setting the card into promiscuous mode and using software to filter out all MACs that
    aren't yours, so it stands to reason it would be slightly slower than just using your real MAC.

  142. Re: knowledge = lack of outrage by anticypher · · Score: 3

    I've read the RFCs, and there was no outrage on my part. I've sniffed v6 packets off of ethernet and from frame relay and ATM, with nothing triggering any moral alarms.

    The field can be anything, it exists so that a bunch of machines plugged into a hub without a router can route packets to each other. It is also there so a router can make some fast decisions about what needs routing, and what is local.

    The EUI field can also contain IPv4 addresses, Novell IPX addresses, OSI NSAP, etc. So anything can be put there, and as long as the u/l bit is switched to local, nobody cares. It is the local router who has to decide how to deal with incoming packets.

    the AC

    read RFCs 2460 to 2473, and especially 2373. Worry less, read more.

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  143. Let me place your foot in your mouth by infojack · · Score: 0

    Why must everyone on slashdot run around yelling without even knowing what they are yelling about?
    If I send an arp request to you, your machine will send back your MAC address. Don't believe me? Well, use your leet slackware hacking skills and type "arp". Wooohoo, look at all those hardware addresses.

    1. Re:Let me place your foot in your mouth by Buffalo · · Score: 1

      You are correct.

    2. Re:Let me place your foot in your mouth by PimpSmurf · · Score: 1

      let me see... I think a capture is in order...
      pimpsmurf:~# arp
      pimpsmurf:~#

      not seeing anything here
      and I do believe arp isn't in my kernel...
      ahhh yes.
      Why don't you take your leet redhat rpm skills...
      and... well... gonna keep this clean.
      therefore. no mac addy.
      funny. I hate it when YOU run around screaming...
      without knowing what YOU are talking about.

      --
      Stupid people do stupid things... Smart people outsmart each other... --System of a Down
    3. Re:Let me place your foot in your mouth by Octal · · Score: 2

      Then try:
      cat /proc/net/arp

      Of course, this will only show hardware addresses on your subnet, not of everyone you send and receive packets from, but oh, well.

    4. Re:Let me place your foot in your mouth by nevets · · Score: 1

      Doesn't arp only get the MAC from the NICs connected directly to the computer, and not go past routers? For example, can you get the MAC from the slashdot.org machine?

      Whereas IPv6 sends the MAC all the way to the connecting machine, past all routers and all.

      If I am wrong, please correct me politely :)

      Steven Rostedt

      --
      Steven Rostedt
      -- Nevermind
    5. Re:Let me place your foot in your mouth by PimpSmurf · · Score: 1

      again... if arp isn't in the kernel...
      there wont be anything.
      ever.

      PimpSmurf
      (not insulting your intelligence... just a comment. many linux folk don't recompile a kernel...)

      --
      Stupid people do stupid things... Smart people outsmart each other... --System of a Down
  144. Re:Read The RFCs hmmm... by Anonymous Coward · · Score: 0

    I hear there's some new privacy group at ompages.com that is trying to be a big VPN that anyone can join... I wonder how they'll manage to deal with this little privacy issue; could be a deal buster; too bad really it looks like a good idea; hope they work it out

  145. Waste by Anonymous Coward · · Score: 1
    Argh, so much talk about "Big Brother" and so little about the huge waste. 48 bits of address space is 65,536 times larger than the address space of IPv4 (32-bit). Think about that: we're hitting a wall now (e.g., I can't get the IP addresses I need for my customers, so they're just not connecting to the Internet), and a clueless standards organization wants to waste over 65,000 times that amount just to store a few (probably one or two, but a few hundred at most) addresses. The 48-bit MAC addresses are already pretty sparse with the way they are assigned. I believe (I hadn't looked at the spec in 10 years) that the MAC addresses are assigned by the IEEE (actually bought for a large sum of money) in blocks of 4 billion (2^32). So, company X gets 4 billion addresses, and then makes 200,000 cards. The other 3.8 billion addresses are never reused. My old employer bought a block in 1988, and only used a few dozen MAC addresses. Those 4 billion+ addresses we wasted are going to be wasted yet again in IPv6. So, you take MAC assignment inefficiency and add it to IPv6.

    Please, attack this plan not only for privacy reasons, but also because it is wasteful. In 20 years, I don't want to have to still spend 25%+ of my time renumbering equipment like I have to now.

  146. Re:Hey, you used the wrong #include by Anonymous Coward · · Score: 1

    it should be:

    #include "assimilate.h"

    to go along with comment #3... :-)

  147. Even in windoze by anticypher · · Score: 3

    Since I'm stuck on a win machine, I went to look. Both on 95 and NT.

    In the network control panel, select the card driver, then properties.
    Go to the advanced tab, in properties there should be a Network Address. Change it from Not Present to Value, and enter a valid 12 character string, with no colons or dots or spaces.

    I think you have to reboot after that. I know this is becoming wider spread because home users on cable systems find they are tied to their original MAC address, and when they swap machines the internet stops working :-) There are lots of how-to for dummies cheat sheets going around for cable subscribers.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  148. What's in a MAC address? by PigleT · · Score: 2

    I agree entirely. I can't see what facts this author is basing his drivel on, as we've been able to use 'arp' to dump machines' IP# MAC address correlations for a while...
    I also heard that IPv6 was going to be end-to-end encrypted, too - that wins big in my book any day.

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  150. No outrage? Because the people aren't uninformed! by Fastolfe · · Score: 2
    Yet another example of an article full of posts by people that have NO CLUE WHAT THEY ARE TALKING ABOUT.

    The IPv6 spec SUGGESTS that the MAC address be used as an interface/link identifier (which must be unique). It's quite possible that this address would be reconfigured to something else in very short order. By setting the IPv6 address immediately with a known unique value, you have an instant (even if temporary) address with which to request a proper one.

    OBVIOUSLY not every network interface has a MAC address (such as serial links and tunnels). For those types of situations, some other pseudorandom number should be just as effective, so long as it doesn't conflict with somebody else on the LOCAL subnet (the interface ID only makes up *part* of the address, remember). In the case of dialup links, the address class we're talking about here probably won't even need to be figured out in advance -- it could be negotiated as part of the PPP process.

    There is no privacy issue here. There are no evil NIC manufacturers in cahoots with the vendors to build a global database of all MAC addresses and your identity and buying habits.

    Quite frankly, I am rather EMBARRASSED by the number of Slashdot posters who regularly post crap like this on threads. They make NO effort whatsoever to independently verify anything they start violently complaining about. They just assume that the BIASED take they just read was ABSOLUTE, 100% accurate and researched TRUTH.

    THIS IS NEVER THE CASE.

    Did you ever stop to think that maybe there's no outrage over IPv6's MAC recommendation because THERE WAS NO REASON TO BE OUTRAGED?

    A bit of light reading for those that want to talk in an intelligent manner (in other words, no idiotic paranoid conspiracy theories):

    • RFC2373 - IP Version 6 Addressing Architecture (esp. section 2.5, 2.5.1 and Appendix A)
    • RFC2460 - Internet Protocol, Version 6 (IPv6) Specification
    • RFC2374 - An IPv6 Aggregatable Global Unicast Address Format

    PLEASE PLEASE PLEASE FOR GOD'S SAKE THINK AND RESEARCH BEFORE YOU POST.
  151. It doesn't matter! (Real world example of why) by Anonymous Coward · · Score: 1
    Whenever I connect from anywhere in the world, I have to be using an IP address (duh!). Every single IP address is completely traceable given the knowledge and the desire to trace it.

    For example, I have set up security monitoring on my webserver that will notify if anybody runs a port scan on my server. If the scan is detected, I am notified and their route is automatically dropped so that they cannot touch my system again.

    Now, at one point I had somebody who was repeatedly attempting to scan my system. Over a period of a couple weeks, I kept getting scan warnings from the same block of IP addresses (the same IP wouldn't work twice because of my blocking, but they could scan from multiple addresses). Normally I could care less about a random scan as it is relatively harmless, but if somebody is being persistent I'll try to do something about it as they might figure out what I'm doing and try to find another way in.

    So, I went to ARIN and did a search for the IP addresses. ARIN informed me of the provider they were assigned to. I then e-mailed that provider to inform them that somebody may be using their network to attempt to break into other systems. I included the times and IP addresses for all of the scan attempts. As it turns out the IP addresses were in a modem pool, and of course access to these modems was logged.

    Needless to say I haven't seen another scan from that address since.

  152. Re:Scores? by puetzk · · Score: 1
    It works like this - registered users sometimes are granted 5 moderation points, to use as they see fit to raise or lower the score of an article. See http://www.slashdot.org/moderation.shtml for details.

    Registered users' posts start with a score of 1, Anonymous Coward posts (like yours) start at 0. I believe that registered users posting anonymously still get their +1, but I'm not sure.

    If you'd like to get a default score of 1 for your posting, just register. If you'd like to change your default browsing level to 0 (or -1, raw and uncut), just register for an account. Quick and painless.

    It helps someone with little time find the more relevant articles. If you think articles are being unfairly moderated, you should get an account, always login, and be an active reader/poster so that you will raise the probability that you'll be given some moderation points. Or try to become a meta-moderator (so that you can vote down moderators' decisions, which hurts their karma, which means they won't get more moderation points for a while - unless the other meta-moderators disagree with you and vote it back up with their points).

    So basically Slashdot as a community polices itself.

    The Matrix is going down for reboot now!
    Stopping reality: OK

    --
    The Matrix is going down for reboot now! Stopping reality: OK. The system is halted.
  153. Question.. by MikeFM · · Score: 1

    Does IPv6 require centrally dispatched IP's the way v4 does? ie will I still have to pay some schmoze monthly to use some number? I personally would just like to have my public encryption key as my IPv6 and let packets sent to me be encrypted with that key. If I need to kill that key and make a new key then I'd love to be able to do so. Honestly how high are the chances for IP collisions with 2^128 addresses? That is a freakin big number. On the rare occurrence of a collision it could just encrypt a new key for both systems and start again. *shrugs*

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  154. (READ THE RFCS!) Re:This guy must hate ATM. by pingbak · · Score: 1

    Fortunately, almost no one really takes ATM seriously. Thank ! Also, your point is a little misguided, since someone in the middle of the ATM network has to trap your UNI cells to figure out the ATM address the circuit came from. There's also the possibility of interrogating the user's switch for its VC table. But just looking at some cell stream can't tell you the ATM address to whom it belongs. At least not immediately (you might see some OAM cells that carry interesting information). OTOH, it's not easy to subvert the PNNI routing or (as is mostly the case) the static PVP/PVC routing.

    And yes, the IETF neterati ABSOLUTELY HATE WITH A PASSION ATM. But... I digress...

    There is an RFC which encodes the ATM ESI, stripping off the 13 byte NSAP prefix.


    -scooter

  155. Re:this guy obviously has a huge chip on his shoul by Anonymous Coward · · Score: 0
    the cabal that controlled the disposition of these addresses had a habit of handing out large blocks to their friends, who parlayed these into start-ups with multibillion-dollar market caps. Hence, the "shortage."

    Lacking any evidence to the contrary...

    @Home's 24/8. That's evidence times 16 million. Do you want more? More examples of ISP's who can't grow, because they don't have IP addresses? More examples of allocations to companies that can't use them, but they got them, because they paid a lot?

  156. Simple solution... by Wakko+Warner · · Score: 2
    Don't be a lame skript kiddie, and nobody will have any reason to need your MAC address. It's not like it'd be incredibly difficult to figure out who's got what IP anyway.

    I really don't see this as a usurping of my freedom. Maybe I'm just not paranoid enough.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:Simple solution... by Anonymous Coward · · Score: 0
      Don't be a lame skript kiddie, and nobody will have any reason to need your MAC address.

      It's called "privacy", and it means having nothing to hide isn't reason enough to continually identify yourself to every busybody out there.

  157. Much Ado About Nothing. by Wakko+Warner · · Score: 2
    I don't see how, as others have said, this is any different from having your IPv4 address sent around the Internet in IP packets. Once there's a way of matching a name, face, and address with a NIC card, I'll become the slightest bit worried. Until then, I have more important things to care about, and, apparently, so does the rest of the world.

    This is not an outrage. This is not even invasive. Hell, you can change your MAC address most of the time. If you're worried someone will find it easier to catch you DoSsing others on the Internet, well, that's your problem.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  158. This guy must hate ATM. by sammy+baby · · Score: 1

    Okay, my familiarity with asynchronous transfer mode leaves something to be desired. However, this much I'm reasonably sure of:

    Any device on an ATM network is uniquely identified by a 20 byte address called an NSAP (for Network Service Access Point). The NSAP is established during a process called ILMI (Interim Local Management Interface), during which the station contacts the nearest switch. It's a little like DHCP: the end station says, "Hey, what's the prefix for my switch," and once it gets it, it tacks on its own ID to the end. That becomes the full NSAP address for the end station.

    And, if I'm reading this article correctly, it's very similar to the way in which IPv6 assigns IP addresses. Which leads me to wonder why the author isn't raising a hue and cry about ATM, which has been with us for a few years now. The only thing I can conclude is that the author was more interested in raising some hell than in doing accurate reporting.

  159. Re:Lack of knowledge = outrage by Gromit#35 · · Score: 1

    You are really accusing /. readers of lacking in knowledge? About an issue like *this*? Speak for yourself!

    In fact, while *you* might not find RFCs light bed-time reading, there ARE many people here who are fully cognisant of the issues. Which is why it *hasn't* been an issue.

    I don't understand some of you people. Are you looking to stir? To cause trouble? Don't be so *quick* to take umbrage at the slightest suggestion that there may be a Bad Thing going on. Don't leap up and say 'where can we lobby?'. The worst thing you can do for any issue is to loudly protest about things you don't fully understand - you can only serve to make a fool of yourself and you may even weaken the case of the cause you are trying to fight for.

    Go back to lurking first. See what the learned people have to say first. Do some research. Educate yourself.

    *Then* open your mouth.

  160. What a plonker! by Greyfox · · Score: 1
    If you have static IP's now, your privacy is no less secure (Especially if you have a domain name.)

    If you have dynamic IP's, all I need to find out who you are is your IP address and a time that you were logged in. I'm sure that many of us have forwarded logs of attacks or port scans to various ISP's. They may not tell you who the user is, but they will usually take action against that user, and don't doubt for a second that they can find out who the user is.

    What Microsoft does is much worse, essentially tattooing your mac address onto every file you create for all of eternity, and keeping a database of those addresses when you register your software. Meaning they can look at any document and tell you who it came from. This might be distressing to you if you wrote a Melissa virus or maybe if you found out your company was being naughty and sent a document to some third party who posts it on the web for you while trying to protect your identity. Not that Microsoft has ever had anyone's best interest in mind other than their own...

    Besides, I could set my system up to change my mac address to something random every time I boot if I wanted to. Mac addresses aren't carved in stone, either.

    This guy is making a whole lot of something out of a whole lot of nothing. Must be a slow day.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  161. EUI-64 does not infringe on privacy by bbraun · · Score: 1

    The currently proposed IPv6 addressing scheme called EUI-64 does not infringe on privacy issues. It is true that some Ethernet NICs have the ability to change their hardware addresses, some can't. There are also duplicate MAC addresses anyway.

    I have not seen much discussion that shows people how much they are giving away already. Just to post this comment I had to give up tons of private information, and Andover now has most of the information people are giving away PC's for. So, it's not like the current situation is so private anyway.

    Now, even the EUI-64 addressing scheme proposed in RFC 2373 does not *require* the use of a hardware address in the lower 64 bits. For "Links without Identifiers" you can use an identifier which is assigned to the node itself. You can give yourself a unique identifier if you choose, which is just what an IPv4 address is supposed to be. And you can bet that Linux and the other free operating systems will give you this ability from userland. I doubt the same thing will be true of other proprietary operating systems, but they might. When using a proprietary operating system without source, you don't have a clue what's happening anyway.

    Further excerpts from the RFC:
    If there is no global interface identifier available for use on the link the implementation needs to create a local scope interface identifier. The only requirement is that it be unique on the link. There are many possible approaches to select a link-unique interface identifier. They include:
    • Manual Configuration
    • Generated Random Number
    • Node Serial Number (or other node-specific token)


    Synthetic Truth: please RTFM!

  162. Re:this guy obviously has a huge chip on his shoul by Anonymous Coward · · Score: 3
    [previous poster noted the journalist's attack on the way IP addresses are allocated by ARIN and formerly InterNIC]

    It sounds like the journalist or one of his good friends or family has been screwed by the address allocation policies of ARIN (and previously the InterNIC). I can understand his hate. I'm losing customers now, because I can't get more addresses. I lost a customer in August that would have had 40 offices connected to me via frame relay, because it took me over 6 months to get enough addresses freed-up to handle their machines. MIT and CMU have 16 million addresses each, and I can't get another address so I can connect another dedicated customer or another dialup port. @Home got 24/8, and they only have a couple of thousand customers at the time. His claims are unsubstantiated, but the frustration and hard feelings aren't. Even after writing a $5,000 check to ARIN for a /20, I still don't have one. That's more than I pay myself! ARIN claims they won't assign it because I don't need it. I'm using a /22 from MCI and 4 /23's from another provider. I qualify. I've spent almost 50 hours a week renumbering equipment over the past two years, because I'm having to reclaim blocks. Yesterday, I moved a customer with 29 computers from a 64 address block down to a 32 to free-up half of a class C for a new customer. When my old customer adds two more computers, I'm going to have to renumber them again. It's killing me. Rather than working on finishing my OpenSource ISP billing software, I'm forced to drive-out to customer sites, change router configs, and help change machines (or a single DHCP server, if I'm lucky). It's yet another case, how large businesses use their position and cash to screw-out their smaller competition. And, you complained that the journalist needs to back himself up...

  163. Re:MAC addresses as the bottom 48-bits by bbraun · · Score: 1

    It's not the bottom 48 bits.
    The 48 bits are used, but break them into 24 and 24, put 0xfffe between them, and you've got your 64-bit identifier.
    RFC 2373 IP Version 6 Addressing Architecture

  164. What's the problem? by Anonymous Coward · · Score: 0

    I can't see any problem with ipv6 numbers being traceable. Only script kiddies, kiddieporn traders and people downloading porn at their workplace might object, and their objections just don't deserve to be taken into consideration. The internet would be so much better off without them.

  165. Wasteful? Oh, please. by Wakko+Warner · · Score: 3
    The IPv6 spec calls for 128 bit IP addresses. You know how HUGE that is? "wasting" 48 bits of it amounts to a grain of sand on a seashore, or a blade of grass in your backyard; it's absolutely immaterial. You've still got 2^80 IP addresses to play with -- that's 1,208,925,819,615,000,000,000,000 addresses even AFTER you've used up 48 bits with the MAC address.
    Hell, wasting even a few trillion addresses wouldn't mean squat.

    Once we start giving a few hundred billion IPs away in every cereal box or package of sports trading cards, I'll be slightly worried.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  166. Re:Why? Some people are silly. My oops by gothic · · Score: 1

    I guess I shouldn't have been so general in that statement.. For that, I apologize. =] The point I'm trying to get across is that having the MAC on an IP wouldn't be much of a big deal since even having an IP can lead back to the user. I would assume the only real people that would be bothered by this would be some uninformed script kiddie. But this is just my thinking, I would be happy for someone to show me a scenario where this is a very bad thing to have. But, through my eyes, I don't quite see the difference of having a MAC addy tied onto an IP, or just having an IPv4 IP..Though I am willing to let someone prove me wrong with a better point than what I have. =]

  167. Does this make ipv6 insecure... by bug1 · · Score: 1

    Or less secure than ipv4, if packets basically have the mac address embedded in them, could you spoof ipv6 like you spoof and hijack tcp/ip connections on a lan (try experimenting on yourself with hunt if you don't know what i mean)

  168. Re:Scores? by Mononoke · · Score: 0

    RTFFaq!

    Oh, and welcome to /.


    --

    --
    NetInfo connection failed for server 127.0.0.1/local
  169. What does IP addresses got to do with security??? by Anonymous Coward · · Score: 0

    I am quite interested in computer security, but I must say I had to sit on my hands to prevent them from tearing my hair out...

    Any geek can configure his IPv6 address to include some unfriendly geek's MAC address. So? The same geek could just as well write an ascii document, print it on his line printer and go to court, saying he has *proof* the other geek will commit ritual suicide (including a rubber chicken and some goat-blood)... The IPv6 address is free to be set to whatever, the auto-config rfc suggests using the MAC address (or equivalent for ISDN etc) to easily get a sort of "good random number", so that any collision for an automatically generated IP address is highly unlikely.

    And hey, what is this about "an IPv6 stack silently being snuck into Windows 2000"??? Microsoft Research has an IPv6 stack out, and it is in fact quite good. (It beats Linux's totally incredibly messy support-program "distribution" anyways.) If Microsoft includes their IPv6 stack in Windows 2000 it will NOT be done quietly...

    As for routing, the IPv6 routing scheme is not flat like IPv4's, but hierarchical (???) so when we pass a few billion machines, we will quite easily be able to route them.

    "It looks like the geeks screwed up this time, though. I hope they have the wisdom to fix things before it's too late."

    It looks like the flamers screwed up this time, though. I hope they have the wisdom to think about the things before it's too late.

    N

  170. Re:Why? Some people are silly. by Ferzerp · · Score: 1

    "Give it up, if you have nothing to hide, then you don't need to be worried, IMHO. "

    Ewww, bad, bad, bad way to look at *anything*. I don't even think I need to point out the implications of this line of thinking, but I will anyway. How about, hmm, mandatory backdoors in all encryption. You have nothing to hide in your e-mail, etc, so why should you care? Or maybe let's tag your IP address with say, your social security number. Nothing to hide? Well then, don't worry.

    Or we could go for more material things. Oh, well, you are an honest law-abiding person, I suppose the new mandatory weekly house searches will give you no cause for alarm.

    Sorry, I realize the house one is a bit overboard, but seriously, this is a dangerous line of thinking. Who was it that said something like "Those who surrender liberty (or freedom, can't remember the quote) for security deserve neither (or is it will soon find themselves with neither?)" anyway, you get the picture.

  171. On the other hand... by FallLine · · Score: 1


    I agree that the idea of a central database is ridiculous. However, playing devil's advocate, an organization such as the FBI could take a specific MAC addy, and trace it back to you.

    The manufacturer undoubtedly produces the cards in batches, and the MAC addresses are assigned sequentially most likely. Using this they could relate a given set of MAC addresses to a batch. Given the batch, they can link to a shipment (eg: to a specific store) and so on. The store can then link this to a credit card (or a range of credit card) sale...and on to the user(s).

    Though this hardly conjures up images of the NSA or any other organization doing this on a regular basis. There are certain situations where I see it being an issue. For example, let's say if you are a crypto expert. And you, using some anonymous internet service (which can't and won't reveal your address) post some ground breaking algorithm which the gov't legally doesn't want published. The forum which you post on discloses your ip address. So the gov't armed with your MAC addy traces the addy back to a certain retail store. Even if they can't exactly determine which sale was which MAC addy, they can narrow the search down to, say, 200 possible people. They can also reasonably infer that you're a known crypto-buff or local math professor, or something along those lines. And the odds are very high that they would come up with just your name. None of these techniques are too far beyond what the FBI has used in the past to trace other criminals (flecks of car paint, shoeprints, etc).

    I personally don't find this news that concerning, but it's something to think about.

    1. Re:On the other hand... by Anonymous Coward · · Score: 0

      Publish crypto through remailers or something. If the Man has your IP address, they hardly need your MAC, even assuming you were foolish enough not to change it.

  172. Ignorance of IPv6 is amazing! by JerseyTom · · Score: 4
    I'm disappointed that this article shows a basic lack of understanding about IPv6.

    I'm MORE disappointed that all the replies on slashdot show they understand EVEN LESS ABOUT IPv6. Here's the issue: A host's IPv6 address will be 128 bits long. The last 48 bits are going to be the same as their Ethernet ("MAC") address.

    Therefore, if I plug my laptop in at work, it will have one address, and if I plug my laptop in at an Internet Cafe, it will get a different address. However, the last 48 bits of both addresses will be the same.

    Someone had the mistaken impression that the entire IPv6 address would stay the same no matter what. That's not true. That would make routing very difficult.

    Someone else pointed out that the Ethernet "MAC" address of a host can be changed in software. Yes, that is true for newer NICs. However, the average user will not know how to do that.

    So, the big issue is that other people will be able to trace a computer as it moves from network to network. In IPv4 one could trace an IP address back to a particular ISP or company... but then you had to rely on the local admins to break any confidentiality to get to the exact machine.

    With IPv6 if you catalog the last 48 bits of all the hosts that connect to you, you will eventually be able to correlate where hosts are moving.

    Is this a requirement of IPv6? Not really. This was done to make host configuration without DHCP possible. (There is a DHCPv6, but it only adds features to the native host configuration "AutoConfig" stuff built into IPv6). An IPv6 stack could choose to pick random numbers instead of using MAC addresses. It would just be a simple matter of programming.

    Oh, there is one more point I'd like to debunk. That IPv6 development is U.S. Department of Defense funded. Well, they fund a little of everything, so don't get all worried. Heck, they funded the original IPv1 thru IPv4 development too. So deal.

    1. Re:Ignorance of IPv6 is amazing! by Lion-O · · Score: 1
      I know it's not my job to moderate but I guess if no one tells you... is the code to stop the bold stuff. Sorry to say but I find your article very 'offensive' to read due to the bold. I'm quite sure many feel the same way

      btw; I do not intend this as being a flame.

  173. draft-ietf-ipngwg-addrconf-privacy-00.txt by K-Man · · Score: 1
    From http://search.ietf.org/internet-drafts/draft-ietf-ipngwg-addrconf-privacy-00.txt:

    2.3. Possible Approaches

    One way to avoid some of the problems discussed above would be to use DHCP for obtaining addresses. With DHCP, the DHCP server could arrange to hand out addresses that change over time.

    Another approach, one compatible with the stateless address autoconfiguration architecture would be to change the interface id portion of an address over time. For example, upon each system restart, select a new interface identifier different from the ones used previously. Changing the interface identifier makes it more difficult to look at the IP addresses in independent transactions and identify which ones actually correspond to the same node.

    In order to make it difficult to make educated guesses as to whether two different interface identifiers belong to the same node, the algorithm for generating alternate identifiers must include input that has an unpredictable component from the perspective of the outside entity's collecting information. Picking identifiers from a pseudorandom sequence suffices, so long as the specific sequence cannot be determined by an outsider examining just the identifiers that appear in addresses. This document proposes the use of an MD5 hash, using a per-interface "key" that varies from one interface to another. Specifically, we use the interface identifier generated using the normal procedure [ADDRARCH] as the key.

    --
    ---- "If we have to go on with these damned quantum jumps, then I'm sorry that I ever got involved" - Erwin Schrodinger
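
The quoted section 2.3 describes changing the interface identifier over time with an MD5 hash keyed on the identifier the normal procedure produces. As an added Python example, not code from the page, the draft or any poster, here is that scheme in the form the later RFC 3041 standardized: a 64-bit history value concatenated with the EUI-64 identifier is hashed with MD5, the left half (with the "u" bit cleared) becomes the next interface identifier and the right half becomes the next history value. The helper names and the sample identifier are mine, and the prefix is the 2001:db8::/32 documentation range.

```python
import hashlib
import ipaddress
import os

# Constructed sample input: the modified-EUI-64 interface identifier that the
# draft's "normal procedure" [ADDRARCH] derives from MAC 00:00:E8:78:4E:2D.
SAMPLE_EUI64_IID = bytes.fromhex("0200e8fffe784e2d")


def next_temporary_iid(history, eui64_iid):
    """One step of the randomized-identifier scheme (assumed: the RFC 3041 form).

    MD5 over history || EUI-64 identifier.  The leftmost 64 bits, with the 'u'
    bit cleared (an identifier that is not globally unique must say so), become
    the new interface identifier; the rightmost 64 bits are the next history value.
    """
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history value and interface id must be 64 bits each")
    digest = hashlib.md5(history + eui64_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD            # clear bit 0x02 of the first octet (the u bit)
    return bytes(iid), digest[8:]


def temporary_addresses(prefix, eui64_iid, count, seed=None):
    """Generate `count` successive temporary addresses under a /64 prefix.

    `seed` is the initial history value; the RFC initialises it from stored
    state or a random number, so os.urandom(8) is used when none is given.
    An outsider who only sees the addresses cannot reproduce the sequence
    without the history value, which is the draft's unpredictability requirement.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses need a /64 prefix")
    history = os.urandom(8) if seed is None else seed
    addrs = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, eui64_iid)
        addrs.append(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))
    return addrs


def hides_mac(addr, eui64_iid):
    """True if the address neither reuses the EUI-64 identifier nor claims global uniqueness."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid != eui64_iid and not (iid[0] & 0x02)
```

Each identifier still has to pass the Duplicate Address Detection step a later poster mentions before it is used; a collision on the link just means moving on to the next value in the sequence.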
  174. MAC addresses as the bottom 48-bits by dave2 · · Score: 1

    I understood that it's only a recommendation that the bottom 48-bits is your MAC address.. The reality is that if they did force it, you'd be throwing away a huge amount of address space.

    Someone needs to hit this guy up the side of the head with some reality.

    --
    -- Use the source, Luke!
  175. Re: My oops (eh, it's ok) by Ferzerp · · Score: 1

    Actually, anyone who knows what they are doing goes through another box to be anonymous anyway. Usual scenario. Person breaks in to a *very* poorly maintained box, cleans log files, leaves a backdoor, etc. Then person uses that box to make themselves anonymous for their other attacks.

    Notice I won't use the term hacker or cracker.
    There is a hacker crowd, or programmer crowd.
    There is also a cracker crowd, or group that defeats copyprotection, uncripples shareware, etc.
    Now, consider this. The hacker crowd that calls themselves hackers do not appreciate the term when used on what they call "crackers," but I think that it is just as rude of hackers to call them crackers because there is already a group that calls themselves crackers. So the hackers are doing to the crackers what the media does to the hackers when they call the people who break in to systems hackers by calling these same people crackers. There needs to be a whole new term in my opinion. Maybe infiltrators, or something like that.

  176. Quite serious by Robert+S+Gormley · · Score: 1
    This point is moderated as funny, but is actually quite serious. Has anyone thought of the privacy concerns of static IP addressing?

    If DoubleClick et al know that all users have static IP addresses, it won't be enough to just turn off cookie support in your browser.

    Granted, it isn't a catch-all... companies will still use proxy servers etc for efficiency, and geeks will still use JunkBuster, but it does raise an interesting point.

    --

    Open Source. Closed Minds. We are Slashdot.

  177. Change your MAC address, silly. by Anonymous Coward · · Score: 0

    If this is that big of a problem, someone can hack something up in a few minutes that will change your MAC address to something new (and unused on your subnet) every night at around 4:30 AM when you probably aren't in the router's ARP cache anyhow.

  178. These addresses are _LINK LOCAL_ by Anonymous Coward · · Score: 1
    ifconfig:

    eth0      Link encap:Ethernet  HWaddr 00:00:E8:78:4E:2D
              inet addr:192.168.2.12  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: fec0:0:0:1::42/64 Scope:Site
              inet6 addr: fe80::200:e8ff:fe78:4e2d/10 Scope:Link
              inet6 addr: fe80::e878:4e2d/10 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1770727 errors:0 dropped:0 overruns:0 frame:2
              TX packets:587816 errors:2 dropped:0 overruns:0 carrier:2
              collisions:3465 txqueuelen:100
              Interrupt:11 Base address:0xe400

    Note the bit that says "Scope:Link" on the fe80/10 addresses. As I understand the ipv6 specs the fe80/10 range of addresses chain through to the MAC address namespace, providing a convenient way to get a 99% guaranteed unique address for comms on the local physical lan segment as soon as the device is brought up.

    The Scope:Link bit means that it will not be routed at all. ie. limited to the physical lan segment to which the interface is attached.

    The Scope:Site fec0/64 address will not be routed beyond out of intranet, but could be between different fec0/64 networks on your site, as I understand. This is the analog of the 192.168.x.x/24 networks in ipv4

    So, since packets originating from the fe80/10 addresses (whose low 48bits are the interface's MAC address) never leave your immediate vicinity, they do not present a very great privacy threat.

    Cyan Ogilvie

  179. Half of the MAC is assigned by an authority by Anonymous Coward · · Score: 3

    In response to the previous comments, the first half of the MAC address is assigned by an authority to hardware manufacturers. There is also a bit in the first half which designates the MAC address as locally assigned or globally assigned. Beyond this, pretty much all cards will allow you to change the MAC address (Hence the local vs globally assigned numbers). This is not an invasion of privacy, since no one can track the specific MAC address to a particular person. * The invasion of privacy is when this part of the IPv6 address is used to track an individual, which is much more effective than tracking IP's, as they are usually dynamically assigned *
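
The 24 + 0xfffe + 24 construction in comment 163, the fe80::200:e8ff:fe78:4e2d address in comment 178's ifconfig output and the locally/globally assigned bit in comment 179 all describe the same RFC 2373 Appendix A procedure. As an added Python example (not code from the page or from any poster), the following builds the modified EUI-64 interface identifier and the link-local address from a MAC, reports the U/L bit, and does the reverse lookup a defender would run over an address inventory to find addresses that still carry a hardware address. The sample MAC is the HWaddr from the quoted ifconfig output; the helper names are my own.

```python
import ipaddress

# Constructed sample input: the HWaddr from the ifconfig output quoted in comment 178.
SAMPLE_MAC = "00:00:E8:78:4E:2D"


def parse_mac(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into 6 bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac):
    """IEEE U/L bit (0x02 in the first octet): 1 = locally assigned, 0 = OUI-assigned."""
    return bool(parse_mac(mac)[0] & 0x02)


def mac_to_modified_eui64(mac):
    """48-bit MAC -> 64-bit interface identifier (RFC 2373 Appendix A).

    Split into two 24-bit halves, insert 0xFFFE between them, and invert the
    U/L bit so that an OUI-assigned MAC yields an identifier with the 'u' bit set.
    """
    b = parse_mac(mac)
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def link_local_from_mac(mac):
    """fe80::/64 plus the EUI-64-derived identifier: the Scope:Link address."""
    prefix = b"\xfe\x80" + bytes(6)
    return ipaddress.IPv6Address(prefix + mac_to_modified_eui64(mac))


def embedded_mac(addr):
    """Return the MAC encoded in an address's interface identifier, or None.

    The 0xFFFE marker in the middle of the identifier is the tell-tale; the
    U/L bit is inverted back to recover the original first octet.  Any global
    address that returns a MAC here is one the poster's tracking concern applies to.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % x for x in b)
```

Running `link_local_from_mac(SAMPLE_MAC)` reproduces the second Scope:Link line of the ifconfig output exactly, which is the quickest way to confirm that the 0x02 flip and the 0xfffe insertion are the whole story; the site-local fec0:0:0:1::42 address on the same interface carries no marker and so returns None.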

  180. It already is a changeable field by Anonymous Coward · · Score: 0

    This is yet-another clueless columnist trying to spark a controversy.

    I've read all the IPv6 RFCs, they're very well thought out. The use of an EUI-64 is merely one possible way to compose an address. The idea is just to get something that will be unique on your subnet. You could even randomly pick a 64 bit number and let IPv6's Duplicate Address Detection functionality catch any collisions.

    There are numerous other inaccuracies in this article as well, but I doubt anyone cares enough to make it worthwhile for me to bother listing them all. Suffice it to say that he's just rabble-rousing. There's nothing to worry about here.
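    The derivation Cyan Ogilvie describes above (link-local address chained to the MAC), the locally/globally assigned bit from #179, and the random-identifier alternative from #180, worked through in code. This is an added example for the thread, not code any poster supplied. It decodes the first fe80 address from the ifconfig output above back to its MAC (the ff:fe marker in the middle of the low 64 bits is the tell), builds the address the other way round, and shows why the second, older-style fe80::e878:4e2d address does not decode. The MAC 00:0c:29:ab:cd:ef used for the round trip is a constructed sample; clearing the U/L bit in random_iid follows the convention of the later privacy-extensions RFC, which this thread predates, and is an assumption rather than something #180 states.

```python
"""Modified EUI-64 interface identifiers: MAC <-> IPv6 link-local address.

Added example for this thread, not code any poster supplied. Standard library only.
"""
import ipaddress
import secrets
from typing import Optional

LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/64")
UL_BIT = 0x02  # universal/local bit in the first octet of a MAC / EUI-64


def _mac_bytes(mac: str) -> bytes:
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return octets


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A).

    Insert ff:fe between the OUI half and the device half, then flip the U/L
    bit, so a vendor-assigned MAC (U/L = 0) yields an identifier with 0x02 set.
    """
    octets = _mac_bytes(mac)
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ UL_BIT]) + eui64[1:]


def link_local_from_mac(mac: str) -> str:
    """The fe80::/64 address an interface autoconfigures from its MAC."""
    prefix = LINK_LOCAL_PREFIX.network_address.packed[:8]
    return str(ipaddress.IPv6Address(prefix + mac_to_iid(mac)))


def embedded_mac(addr: str) -> Optional[str]:
    """Undo the derivation: the MAC, if the low 64 bits look like an EUI-64.

    Random identifiers and the older 32-bit-style link-locals return None.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def is_locally_administered(mac: str) -> bool:
    """U/L bit set: the MAC was assigned locally, not out of a vendor's OUI block."""
    return bool(_mac_bytes(mac)[0] & UL_BIT)


def random_local_mac() -> str:
    """A 'soft' MAC: random, unicast (bit 0x01 clear), locally administered (0x02 set)."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | UL_BIT) & ~0x01 & 0xFF
    return ":".join(f"{b:02x}" for b in octets)


def random_iid() -> bytes:
    """Random 64-bit interface identifier, the alternative #180 describes; Duplicate
    Address Detection on the link catches a collision. Clearing the U/L bit marks it
    as not globally unique (assumption: the later privacy-extensions convention)."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= ~UL_BIT & 0xFF
    return bytes(iid)


if __name__ == "__main__":
    # The first link-local address from the ifconfig output above, decoded:
    print(embedded_mac("fe80::200:e8ff:fe78:4e2d"))   # 00:00:e8:78:4e:2d
    print(link_local_from_mac("00:00:e8:78:4e:2d"))  # fe80::200:e8ff:fe78:4e2d
    print(embedded_mac("fe80::e878:4e2d"))           # None
```

    The interesting check is embedded_mac: if it returns a MAC whose U/L bit is clear, the low 64 bits name a vendor-assigned card and travel with the host across every prefix it is ever given; if it returns None, the identifier was random (or locally assigned) and carries no such link.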

  181. Why IPv6 security issues don't matter by Porky+Pig · · Score: 1

    In an environment where you cannot change your MAC address (like a cable modem), most likely you can't change your IP address as well. In an environment where you can fiddle with your IP address, you can replace your hardwired MAC address with a 'soft' arbitrary MAC address. This MAC address must be unique within your broadcast domain, but that's about it.

    The whole issue is nothing but lots of fluff. Bill Frezza has no clue. I don't really care about IPv6 in general, but - hell, this particular issue is not the issue at all.

    If I send something in the open, I use my IP address anyway. It is in DNS. It is mapped to my machine, with my name as a part of the machine. However, when I have to hide, I'll go to extra efforts to hide my origin. Well, so I'll replace my hardwired MAC address with something else. Big deal.

    --
    Grunt. Oink, oink.
  182. Re:WTF? by Shanep · · Score: 1

    I have come across cards that feature the option of a custom MAC address. Some Intel and DEC cards, for example.

    My D-Link DFE500TX allows the changing of the MAC in the Windows 95 NIC properties!

    In MS-DOG it can be done in protocol.ini for the cards I've seen also.

    So why not in Linux?

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  183. pIII labels, MAC addresses, and IPv4 address space by goldfish · · Score: 1

    The reason the use of the PIII CPU label bothered me was not that some insignificant number identifying my computer could be seen by someone, but rather that a number so easily faked was being used for authentication. The use of the MAC address in an IPv6 address has nothing to do with authentication (although some twits might use it as such); rather, it is a number that will help give a unique address on a subnet, to avoid DHCP-like protocols.

    If you've ever gone to a LAN gathering to find some idiot running WinGate or something similar has their own DHCP server running and is handing out useless IP addresses, you'll appreciate that idea.

    The other issue with his article is that IPv6 is mostly to alleviate the IP address space shortage. The "shortage" is not even close to being a problem yet. CIDR, NAT and strict rules on obtaining IP addresses have seen to that. IPv6 provides QoS beyond what IPv4 can, and more importantly, helps the global routing tables. There are over 70,000 entries in global routing tables at the moment, due to poor aggregation of old classful IPv4 address space. The logical division of an IPv6 address forces aggregation, with the first 8 bits representing a Top Level Aggregator (TLA), and so on within them, such that the first 64 bits of an IPv6 address represent a network path, not just a node number.

    And as for the conspiracy theories, well, how else was he to get people to read his article?

  184. Re: My oops (eh, it's ok) by Anonymous Coward · · Score: 0

    Misusing "hacker" libels some of the smartest people we have. Misusing "cracker" conflates vandals, terrorists, and thieves, and you'll have to pardon me for not giving a damn about any of them.

  185. Why does any of this matter? by Anonymous Coward · · Score: 0

    Who cares if someone knows your MAC address? It is a friggin number associated with your network card. In a lot of machines (Suns for example) you can just arbitrarily pick whatever numbers you want for your MAC address. Quit being paranoid people.

  186. No gateway? I don't think so. by Anonymous Coward · · Score: 0

    No gateway == no "Internet". You can talk to everyone else on your segment but if you're going to jump between segments you damned well better be using a gateway.. even if it is an ISP's terminal server.

  187. Re:pIII labels, MAC addresses, and IPv4 address sp by Anonymous Coward · · Score: 0

    CIDR is a Good Thing. NAT and miserly address assignments have helped keep us from running out quite yet, but they cause major problems themselves (for instance, some ISPs need to grow and can't get more addresses) and we'd be far better off without them.

  188. And he's wrong to boot! by Anonymous Coward · · Score: 0

    He says Institute for Information Sciences. I think he means Information Sciences Institute. They're the ones working with Microsoft Research on an IPv6 stack.

    He also implies that ISI's work is DoD funded, when it's not (Microsoft is footing the bill, and from what I understand has also done the majority of the work), that it's a reference implementation (there is no official "reference" IPv6 implementation anointed as such by the IETF), and that ISI (or government spooks) are trying to slip this into Windows 2000 (which is also not happening).

    A better title for this article would be "Where's the Outrage Over Bad Reporting?".

  189. Re:WTF? by Anonymous Coward · · Score: 0

    As has been pointed out quite often, there's nothing "normal" about being unable to change a MAC stored on a NIC. Some ancient junk can't, but that's about it. And a network stack can almost always write a configurable MAC into outgoing packets (and answer ARP for it), disregarding the NIC's real MAC.

  190. Re:Why? Some people are silly. by Anonymous Coward · · Score: 0

    "They who can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety."
    - Benjamin Franklin

  191. I liked it. by Anonymous Coward · · Score: 0

    We need knowledge (I cannot seem to get enough myself). But regardless of whether this is a privacy violation or not, we deserve to know and make our own choices. This is what makes Slashdot special. People can come together and debate and share knowledge. This is the best side of humanity. I want more people posting information about how to get around certain status quo measures.

  192. *sigh* "As if..." by Cramer · · Score: 2

    As if every packet you ever send out cannot be traced back to your machine already? Yes, this would make that task so much simpler.

    I will point out a massive technical inaccuracy and oversight... the MAC address is not "embedded in your hardware". Sun ethernet cards don't have MAC addresses anywhere on them -- it's generated based on the hostid of the machine (which is very easy to change in the PROM) _AND_ ifconfig supports SETTING the MAC address. It's certainly not etched into the silicon. In most cases, it's trivial to change the address stored in the card's EEPROM.

    "Permanently." Are you certain of that? I don't know about every other network card on the planet, but I've never seen one with any carved stone on it.

    Gee, maybe EFF and others aren't on the war path because this isn't a problem.

    IMO, the author is being a bit of an alarmist here. Why is it people always foam at the mouth about "internet privacy" when they already leave enough of a paper trail for a hamster to track them from another planet? How many credit cards do you have? Do you have a social security number? Do you own a car? (Look at the bottom of your Mountain Dew can some time.)

  193. The author is wrong about IPv6 by Anonymous Coward · · Score: 3

    There is no requirement that the lower 64 bits of an IPv6 address be your EUI-64. It's merely one possible method of generating an address. This columnist should do some research before he writes.