Slashdot Mirror


Where's All The Outrage About The IPv6 Privacy?

SyntheticTruth writes "It seems the specs for the IPv6 standard use the 48-bit NIC address as part of the unique IP address, which can be used to trace packets back to the user's computer." The story is asking why people don't seem to care about something which is certainly going to raise privacy concerns.


  1. MAC Addresses - where they come from by Dave Fiddes · · Score: 3

    MAC addresses are handed out by the IEEE. They will give you a block of 24 bits of address space for around US$1500.

    Like IP addresses there is an area in the address space set aside for private use. It is possible, if not entirely sane, to reconfigure an entire LAN... Don't laugh, I've heard of people doing this! I can't remember the rules off hand though... ;)

    Modifying MAC addresses is really simple no matter what age of NIC you have. Most NICs store their MAC address in a small lump of EEPROM; on older cards this is just plain old PROM.

    When a driver starts up it gets the ethernet address from the PROM and loads it into a set of station address registers in the NIC. There is no obligation for the driver to load the address it gets from EEPROM or even for there to be an EEPROM! This feature is regularly exploited by embedded systems with ethernet which store the MAC address in FLASH or some other multi-use NV storage to save money.

    What I'm getting at is that it would be really, really easy (if Linux doesn't do it already) to allow users to specify a new ethernet MAC address if they felt paranoid. Given the ratio of address space to LAN size you could even produce random MAC addresses at startup if you were paranoid enough.... Of course there are smarter mechanisms for doing this as other posters have pointed out.

    If anyone has a burning desire to have a very small amount of official ethernet address space then drop me a line and I'll see what I can do (HW manufacturers only!)

  2. Re:So what? by Tet · · Score: 2
    Sun SparcStations hold their MAC address in a NVRAM

    Yes, they do, which is wrong -- what happens when you have multiple network cards in a machine? The answer is that Sun violates the standards, and has a MAC address per machine rather than per card...

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  3. Re:So what? by vr · · Score: 2

    However, since you can't really modify MACs, it could be as evidence in court to show who you are.

    AFAIK you can modify the MAC on your ethernet card just by fiddling around with some jumpers..

  4. no more cookies by twl · · Score: 2

    makes doubleclick's job easier i guess

  5. Different possibilities.... by fluffhead · · Score: 2

    1. Linux and BSD gurus know this will all be easily spoofed. That plus multi-homing (multiple IP addresses on a single physical NIC) tends to mitigate fears.
    2. Windozers and Mac-heads don't know or care about the nitty gritty. Just insert AOL disk here...
    3. By the time IPv6 gets widely implemented on client machines we will all be part of the Borg collective anyway....
    #include "disclaim.h"
    "All the best people in life seem to like LINUX." - Steve Wozniak

    --

    1. Re:Different possibilities.... by HeghmoH · · Score: 2

      2. Windozers and Mac-heads don't know or care about the nitty gritty. Just insert AOL disk here...

      You probably ought not to make such sweeping generalizations, lest this particular Mac-head start making sweeping generalizations going the other way. I both know and care about the nitty gritty.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  6. Re:So what? by orabidoo · · Score: 2

    as has been pointed out, with most modern NICs, you *can* modify your MAC address. there isn't much point in it (replace one arbitrary number with another), but if you're paranoid enough you might want to automate the system to pick a new random one at every boot, or something like that.

  7. So what? by Overt Coward · · Score: 5
    A MAC address is no different in terms of privacy than an IP address. Either can be changed (though people with dynamic IP addresses change their IP address many times more often than they change MAC addresses, if ever). There is no central registry of MAC addresses.

    All this does is tie a number that is meaningless to the rest of the world to your IP address. Your IP address already exposes you far more than your MAC address would. The only exception I can see off the top of my head are people who trust a proxy/firewall to protect their identities.


    --

    1. Re:So what? by SoftwareJanitor · · Score: 2

      The answer is that Sun violates the standards, and has a MAC address per machine rather than per card...

      The answer is you are wrong. The NVRAM stores the MAC address for the built in Ethernet on SparcStations. If you have additional Ethernet interfaces (usually on SBus cards), they have their own MAC number that is settable separately. People who have multiple Ethernet cards on Sparcs (which is not uncommon) in combination with certain other sorts of hardware, would have serious problems on their networks if this wasn't the case.

    2. Re:So what? by jonathanclark · · Score: 5

      I thought I read that MAC addresses are centrally dispatched (by who?) in large blocks to card producers. So they only thing you could probably do is determine what company makes the ethernet card at the other end. There is no way the card companies could trace a particular card to you unless you bought it directly from them.

      However, since you can't really modify MACs, it could be used as evidence in court to show who you are. With IPs this is a little harder to do because of the dial-up banks, and ISPs are not required by law to keep logs (right?) The use of proxies shouldn't be any different from v4 to v6 because the proxy is not going to reveal your MAC, only its.


    3. Re:So what? by Axe · · Score: 2

      Redundant - no, you can not do that on the fly: your local network uses it often.
      My ISP (sort of a DSL, LAN over phone within apartment complex) checks for it - stops working if I swap a NIC. My office LAN gateway same way - there are reasons not to allow for easy MAC changing on a LAN.

      --
      <^>_<(ô ô)>_<^>
    4. Re:So what? by SoftwareJanitor · · Score: 3

      However, since you can't really modify MACs

      Not on devices that ROM it... However, for example, Sun SparcStations (of which I own 3), hold their MAC address in a NVRAM (battery backed CMOS static RAM), which is quite readily modifiable (at least the last 32 bits or so of it is).

      I am sure that SparcStations aren't the only networking devices where the MAC address is so easily changed. Even in cases where it is ROMed, there are ways to reprogram EPROMs or burn replacement PROMs for most types of components if they are suitably socketed.

    5. Re:So what? by QuMa · · Score: 2

      Actually, you can just give mac as a param for ifconfig.

    6. Re:So what? by Schnedt · · Score: 2

      MAC addresses are supposed to be unique to each individual Ethernet card in the world. That is the reason for a central body who assign blocks of addresses. That also means that you in effect own the number on any NIC that you have in your possession. All those old 8-bit ISA etherlink cards have a number assigned to them that you can somewhat righteously recycle for your use if you're building ethernet hardware.

      Recently on one of the Embedded programming newsgroups someone handed out blocks of NIC addresses to anybody who wanted some. Since it's a 'commodity' that is hard to come by, and I have plans in the future, I requested a block. What with IPV6 it now looks like maybe I OWN a block of IP addresses, when it goes into effect.

      The reason for globally unique MAC addresses is so that hardware address conflicts are rendered impossible on any network anywhere. Reprogramming two NICs within a single institution (or household, or personal lab) is a rather foolish idea, and negates a numbering scheme that otherwise prevents address conflicts from occurring anywhere, at any time.

      It better not be my numbers you've grabbed. heheh.

  8. Possible reasons why people don't care by toast0 · · Score: 3

    Modems don't have MAC(/ARP?) addresses anyhow

    MAC addresses are easy to spoof (example, my cable modem service is tied to the MAC address for the PCI NIC in my win98 box, because that's what they set it up on, but my linux fw box doesn't have a PCI slot, so i just made it think that its outside NIC had the same MAC address as the PCI NIC, it works great).

    They don't care because they don't know, this is probably the most likely one.

  9. Why hasn't this been a big deal? by pridkett · · Score: 3

    The reason why this hasn't been that huge of a deal yet is because most people don't view that information as part of the address, or because most people didn't know.

    I, for one, don't see how such information is going to help route packets that much. Other than allowing EVERY ETHERNIC ON EARTH TO BE ON THE SAME SUBNET. Do we really need this? There really isn't a purpose to that.

    Secondly, people only get really angry when they see something in use. Like the P3 security thing people knew about beforehand but didn't get pissed about till afterwards. Same thing with the win98 big brother thing.

    Of course we could all take the view of Scott McNealy and just realize we have no privacy. I can take your names or email addresses and go buy tons of information from experian for 10 cents a head. I'd probably be more worried about that.

    Besides, just get multiple nics then. You could easily just do something with the one nic, go buy a new one and voila, your info has changed and you can deny you ever had the old one.

    --
    My Slashdot account is old enough to drink...
  10. Theres nothing wrong with it by rips · · Score: 2

    Sometimes I wonder about the level of hysteria that the slashdot community raises over issues like this.

    I agree privacy must be protected but that is why IPv6 has end-to-end encryption and connection authentication built in to prevent spoofing and eavesdropping.

    As stated by someone earlier, the reason IPv6 was developed in the first place was to address an address space problem. They have basically blown the problem away by using 128-bit addresses and in the process, greatly simplified network configuration by allowing network cards to be routed automatically.

    The major issues I have with privacy over the internet are to do with data integrity and eavesdropping, not to do with identity. With conventional IPv4 addresses you can be traced back to at the very least the local network you came from. A unique number such as this isn't a means to track everybody, it's a means to simplify routing configuration. For dialup lines I would imagine this address space would contain some other number making it just the same as tracking down a particular user as it is today.

    The IETF is doing a great job and has put much more thought into this than most (probably all) of you have and they deserve some credit, not the blatant disapproval that slashdotters tend to be giving in increasingly larger doses.

  11. Re:Let me place your foot in your mouth by dirty · · Score: 2

    Uhm...Unless I don't remember TCP/IP correctly w/o ICMP you can't open any TCP connection.

    --

    -matt
  12. Re:I think we've all missed a detail. by Xtacy · · Score: 2

    um i don't think dialup users have MAC addresses?

  13. Re:I think we've all missed a detail. by ppanon · · Score: 2

    Well, the AC reply got moderated down but it is actually correct. Part of the reason for the first half of the IP V6 address is to simplify routing tables in the backbone routers. I believe the first part can effectively be used as a network number and can be used to provide route aggregation mechanisms.

    Also, MAC addresses are unique for a particular medium (i.e. Ethernet). I'm not sure if that's guaranteed across different mediums, i.e. Ethernet vs. Token Ring vs. FDDI (even though you can do layer 2 bridging between these mediums). I haven't looked into what's used as a MAC address equivalent in the various IP over ATM implementations or Cellular IP services, but, if they are a 64-bit value, I doubt that they are guaranteed to not conflict with Ethernet MAC addresses. So yes, you could easily have more IPs than ETHERNET MAC addresses.

    --
    Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  14. Not nightmare - or security hole (for linux users) by Ungrounded Lightning · · Score: 2
    If your MAC address was used as your IP address, it would be a routing nightmare.

    Not really. The routers will no doubt just be ignoring the lower bytes (like current netmasks) - and by the time it gets to your gateway they'll still be ignoring the part with the "MAC address".

    In fact, it should be trivial to hack a linux IPv6 stack so every TCP connection gets a unique bogus MAC address. Then the snoopers can just whistle for their info, while the IPv6 cookie-replacers can watch their databases expand without limit. B-)

    With significantly more work you could stretch the API to let the client program specify the fake MAC address it wants to present, so your browser could maintain an identity to use when you REALLY wanted to accept an un-cookie.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  15. Re:Other concerns by Tau Zero · · Score: 2
    They can already do that with your IP4 address!
    Only if you have a static IP. If you have a dynamic IP, your data gets anonymized by mixing with the data from everyone else who eventually gets assigned that IP; over time, this could be everyone from your ISP.

    If your machine's MAC address is attached to every packet, that follows you regardless of routing information or even your ISP. This is truly in a different league.
    --
    Deja Moo: The feeling that

    --
    Time is Nature's way of keeping everything from happening at once... the bitch.
  16. Changing your MAC address under Linux by MenTaLguY · · Score: 2

    You can give a MAC address as a parameter to ifconfig(8).

    Linux should allow you to change your MAC address even if your NIC was not designed to allow it.

    On cards that don't support changing the address, Linux puts the card in promiscuous mode, drops incoming frames not addressed to the particular MAC, and spoofs the MAC on outgoing frames. Quite a neat solution.


    Berlin-- http://www.berlin-consortium.org
    --

    DNA just wants to be free...
  17. Re:That doesn't make it meaningless! by Fastolfe · · Score: 2

    How is this any different from static IP's assigned by DSL and cable modem services? All the FBI needs to do in the least is go to your ISP and say, "We'd like to know who this person is."

    It's FAR easier to track somebody today using existing static IP addresses than it would be if some vendors took the *recommendation* that MAC addresses be used as link identifiers for ethernet-based links in IPv6 addresses.

    Regarding your assertion that ISP's can be "anonymous" in this nature, this would be difficult in the US. They'd be doing so with the intent of keeping evidence from lawful organizations. It is also in any ISP's best interest to keep logs. If an attack is launched from one of your anonymous ISP's dynamic addresses and the ISP cannot show that it was, the ISP is in a bit of trouble.

    Not good business.

  18. Re:Its not that bad by PTrumpet · · Score: 2

    Just to set the record straight about what is reality from someone who has written an IPv6 stack. (Trumpet Winsock 5.0)

    Firstly, IPv6 can actually aid your privacy in that it is now technically possible for you to *choose* your IP address provided you reset the globally unique bit, and use the duplicate address detection mechanism to make sure your traffic will work. The only time duplicates become a problem is when the same address exists in the scope of the network where it matters. i.e. your subnet for an ethernet connection, or the PPP link when you are using dialup.

    It would be technically possible for you to dynamically change the lower 64 bits of your IPv6 address during the life of your connection to the internet be that ethernet or PPP. There is one proviso in that it is not currently feasible to modify your address for active TCP/UDP connections, so you would need to close all active connections to lose all trace of your older address.

    Given the active discussion that this topic has generated, I am now keen to add a feature to our stack which would build a random EUI-64 address each time the interface is opened. This feature is already in place for PPP connections, and I could also add a button which would force a new address to be built on all interfaces. Of course to pick up the new address, all connections would need to be broken, but it would be a simple matter for the stack to continue using both addresses until the original address is fully deprecated. IPv6 is powerful enough to use as many addresses as you like from your internet node. That is the beauty of stateless autoconfiguration and neighbor discovery.

    I suggest that slashdotters go and read the relevant RFCs *and* Internet Drafts in some detail, and they will realize how powerful IPv6 is and how it will solve many of the issues facing the immediate future of the Internet.

    A good place to start is

    http://playground.sun.com/pub/ipng/html/ipng-main.html
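    The interface-identifier mechanism this post and the rest of the thread keep coming back to, as an added example (not code from Trumpet Winsock or any project named here): it builds the modified EUI-64 identifier from a 48-bit MAC, audits an address for an embedded MAC (the privacy concern the story raises), and builds a random identifier with the universal/local bit cleared, as the post describes. Function names, the sample MAC and the prefixes are constructed for illustration.

```python
import ipaddress
import secrets
from typing import List, Optional, Tuple

# Modified EUI-64 construction (RFC 4291, Appendix A): split the 48-bit MAC
# into two 24-bit halves, insert 0xFFFE between them, and invert the
# universal/local (u/l) bit, which is bit 0x02 of the first octet.  A globally
# unique MAC has u/l = 0, so the derived identifier ends up with the bit SET.
FFFE = b"\xff\xfe"
UL_BIT = 0x02


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw octets."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is 48 bits (6 octets)")
    return raw


def modified_eui64(mac: str) -> bytes:
    """Return the 8-octet modified EUI-64 interface identifier for a MAC."""
    m = mac_to_bytes(mac)
    return bytes([m[0] ^ UL_BIT]) + m[1:3] + FFFE + m[3:]


def address_from_iid(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (link-local or global) with a 64-bit identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-octet identifier")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def embedded_mac(addr: str) -> Optional[str]:
    """Audit check: if the low 64 bits look like a modified EUI-64 built from
    a 48-bit MAC (0xFFFE in octets 3-4 and the u/l bit set), recover the MAC;
    otherwise return None.  This is exactly what a snooper could do with an
    address built from the NIC, and what a privacy audit should flag."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != FFFE or not (iid[0] & UL_BIT):
        return None
    mac = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def random_iid() -> bytes:
    """Random 64-bit identifier with the u/l bit cleared, so it can never be
    mistaken for (or decoded as) a globally unique hardware identifier.  The
    host still has to run duplicate address detection on the chosen address."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFF ^ UL_BIT
    return bytes(iid)


def audit(addrs: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Walk a list of addresses and report which ones leak a MAC."""
    return [(a, embedded_mac(a)) for a in addrs]


if __name__ == "__main__":
    mac = "00:1b:21:ab:cd:ef"  # constructed sample MAC
    iid = modified_eui64(mac)
    link_local = address_from_iid("fe80::/64", iid)
    global_addr = address_from_iid("2001:db8:1::/64", iid)
    print("EUI-64 identifier:", iid.hex())
    print("link-local:", link_local, "global:", global_addr)
    for a, leaked in audit([str(link_local), str(global_addr), "2001:db8::1",
                            str(address_from_iid("2001:db8:1::/64", random_iid()))]):
        print(a, "->", "embeds MAC " + leaked if leaked else "no MAC embedded")
```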

  19. Read The RFCs by jochen · · Score: 5

    Using the network card MAC address as part of the IPv6 address is only one way of setting up the global IPv6 addresses (it's unmanaged autoconfiguration used by rtadvd). Alternatives are manual configuration or using DHCP with IPv6 extension.

    -- Jochen

  20. how is that different from a static IP? by Anonymous Coward · · Score: 2

    Ip's can be traced back to the machine as well, so i dont see what's the big deal... -Jagga Dakku

  21. Oh, the horror! by Mr. Slippery · · Score: 5
    Shock! Dismay! Embedded in my network address is...well, my network address. Duh.

    I'm no more worried about my MAC address being in a network packet than my IPv4 address. Heck, I could change my MAC address easier than changing my IP - I sure can't change the IP of my PowerMac at the office, and changing my static IP at home would entail pleading to my ISP, but Ethernet cards are cheap.

    The author needs a clue.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  22. Re:That is not my point. by Fastolfe · · Score: 2
    Clear abuse issues (eg: SYN floods, ICMP attacks, port scanning, etc) can be audited internally.

    This would require an internal audit trail. Destroying this trail in response to a subpoena would be illegal. In order to survive, any "anonymous" ISP MUST do some sort of logging and auditing. Think of this scenario:

    • ScriptKiddie signs up to AnonISP, begins smurfing FBI.gov.
    • While smurfs are on-going (ScriptKiddie still connected), FBI knocks on AnonISP's door and asks for all information about the person doing the smurfing.
    AnonISP, having connection details available to them (even without logs), would be obligated to turn over that information.

    • ScriptKiddie smurfs CorpX.com.
    • CorpX.com complains, AnonISP cancels ScriptKiddie's account ("And don't come back!")
    • ScriptKiddie signs up again as PaketKiddie (you have no logs with which to prove he is the same person)
    • PaketKiddie smurfs CorpX.com.
    • CorpX.com instructs uplinks to block all traffic from AnonISP.
    • (repeat)
    • AnonISP, now blocked from the majority of conscientious ISP's, turns into a packet kiddie playground and goes out of business.
    Comments?
  23. Re:That is not my point. by Fastolfe · · Score: 2

    However, there was a case a couple years ago of a hacker in Brazil (I think), who hacked Harvard and a couple other places. They caught him by setting up some kind of 'intelligent' program that recognized and filtered his keystroke/traffic from everyone elses on a router, or backbone, or something to that effect.

    This was done with Harvard's (obvious) consent. As it would then be a privately owned network (not given "common carrier" status awarded to our lovely telephone networks), it would not be considered to be any form of privacy invasion (legally).

    You're only awarded protections against unauthorized searches/wiretaps when it comes to public networks. Your ISP/private university can choose to let the FBI see whatever they want. (At least that's how I understand things.)

  24. Re:On the other hand... by Fastolfe · · Score: 2

    Given the batch, they can link to a shipment (eg: to a specific store) and so on. The store can then link this to a credit card (or a range of credit card) sale...and on to the user(s).

    Not quite. At best, the store would be able to say, "Any one of the people that bought one of these cards between dates X and Y would have a NIC with the MAC address you specify."

    Purchases aren't tracked by serial number.

  25. Don't get your undies in a knot... by Lord_Rion · · Score: 2

    If I recall from reading the spec a while ago.. using MAC's is just one suggested method of providing ip's in the IPV6 world. Considering that you can, in a number of cases, change your device's MAC address, it hardly seems like an issue anyways. Lord_Rion

    --
    --Hired Net Grunt
  26. Will conformity be checked by anything? by Tau Zero · · Score: 2
    While the Windoze stack may put the card MAC address in the standard field, I don't see how any computer beyond the first router could know, or care, if that data has been spoofed or not. How many Linux implementations are going to have 00-00-00-00-00-00-00-00 or 07-81-51-12-06-66-66-66, or some random sequence, stuck in that field? Unless the final router uses it to get packets back to the sender (or something like @Home uses it to route packets to the recipient or the bit bucket!), it's going to be completely irrelevant.

    So... what am I missing?
    --
    Deja Moo: The feeling that

    --
    Time is Nature's way of keeping everything from happening at once... the bitch.
  27. Any "abuse" to privacy here is insignificant by grappler · · Score: 2

    If you have an ip address of somebody, there are ALREADY better ways to trace it than bothering to try and track down their ethernet card (and many computers don't even use ethernet cards anyhow).

    If you want to be anonymous, you would be much better off with mixmaster remailers (for anonymous email), anonymizer.com (for web surfing) and various anonymizing telnet services. In other words, a trusted third party to strip off identification for you.

    --
    grappler

    --
    Vidi, Vici, Veni
  28. Privacy article, for article's sake? by Waav · · Score: 3

    Frankly this is not very interesting, and not all that worrisome as explained by most other people who have already posted, so I won't go into the details again.

    However, this article makes me think that the guy whose job it is to write stuff on privacy issues on the net came up empty in the actual real security issues department and said, hey I can still write an article about why people aren't worried about an issue...in other words writing about privacy on a non privacy issue.

    He says that the EFF among others has not responded to this latest "privacy threat", perhaps he should have thought for a moment and realized...they aren't responding because there is nothing to respond to.

  29. Re:Ummm by jochen · · Score: 3

    The MAC address being part of the IPv6 address is NOT mandatory. It may just be used for autosetup (just like the MAC address being part of an IPX address, as well). It is never used for routing or address resolutions anywhere. Neighbor solicitation and neighbor advertisements do the resolution in the local network and take over the role of ARP from IPv4.

    -- Jochen

  30. Not a worry for me by anticypher · · Score: 2

    And I'm one of the biggest privacy freaks you will ever come across.

    Read the spec, and understand what that part of the IPv6 address is for. Then you will realise it is not a big bad privacy violation.

    The MAC address section of IPv6 is used mostly for locally addressable destinations. It makes an easier job for routers to figure out whether to route the packet.

    It is stripped off (or obfuscated) by a router when sending packets out into the big bad internet. Of course, your implementation of a routing process may vary, but other routers would strip it out as meaningless (i.e. the first cisco router).

    the AC

    And besides, YOU don't have any privacy, get over it! :-) (the rest of us are still fighting, but mostly the good fights)

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  31. Devil's Advocate by konstant · · Score: 2

    To play devil's advocate for a moment, consider the benefits from allowing packets to be uniquely identified.

    0) Firstly, I'm not at all sure that this is accurate. In theory, the client has complete control over its outgoing packets. I don't see why this couldn't be wiped to zero on outgoing packets. It would be a simple app, tho it would introduce some overhead into TCP/IP.

    1) If the data section of the packet is being handled by SSL, unique IDs cannot harm you. This is because knowing the originator of the packet is meaningless unless you know what they are saying. The most information a snoop could glean would be that X is talking to Y at time Z.

    2) packet spoofing would be far more difficult. Consider all the cracking cases in the last few weeks that implicated a national governmental body, probably falsely. First there was the "Department of Defense" breaking into the Australian stock Xchange, then the "Russians" breaking into the Department of Defense. A few months ago didn't the "CIA" break into something in France. Almost certainly spoofed.

    3) PoD and DoS would become vulnerable to intelligent routers. Cisco I know tears its hair out over the susceptibility of its routers to denial of service attacks. But if all the packets bore the same GUID, it would be simple to filter them.

    4) If you're super-paranoid, just have more than one ethernet card. That's where they're drawing out these GUID's you know, from your hardware signature. Microsoft does the same thing with the in-house GUID Gen program.

    5) plus many more good reasons... :P
    -konstant

    --
    -konstant
    Yes! We are all individuals! I'm not!
  32. This has been discussed on Technocrat by Lalo Martins · · Score: 3
    Was on Technocrat.net yesterday. Summary:
    • It's an arbitrary value. You may use your MAC address or you may use something else.
    • Your MAC address isn't any more sensitive than your IP.
    • One of the main points of ipv6 is to give IPs for everyone, so why not? We will already have to rethink a lot of our "privacy" systems. We do a lot of what Perens calls "security through obscurity"; relying on dynamic IP for "privacy" is in effect treating a bug as a feature.
  33. this guy obviously has a huge chip on his shoulder by cananian · · Score: 5
    ...maybe the geeks picked on him for using windoze?

    In any case, the article, while obviously inflammatory, is backed up by very little actual fact. The author didn't bother to actually *call up* any of those 'professional privacy advocates' and ask them himself why this wasn't an issue (in other words, didn't do any real journalism) -- he just whined and complained that the people *who with very little pay occupy themselves with protecting _his_ privacy* thought they knew better than he about the implications of IPv6. And WTF:

    You would think that the 32-bit address field of IPv4, supporting more than 4 billion unique addresses, would be sufficient to last quite some time. Unfortunately, the cabal that controlled the disposition of these addresses had a habit of handing out large blocks to their friends, who parlayed these into start-ups with multibillion- dollar market caps. Hence, the "shortage."
    That's quite a statement to make unsubstantiated. Very poor journalism. And:
    The spooks and weirdos in Washington, ever eager to empower the surveillance state as they fight a rear-guard action against strong encryption, must be thrilled with such a gift. They appear so thrilled that the Institute for Information Sciences, heavily funded by the Defense Department, is writing a reference stack for IPv6 that it is quietly hoping to slip into Windows 2000.
    Eh? Since when was "heavily funded by the Defense Department" an automatic stamp of badness? Does this guy realize that close to 90% of *all* the academic research in this (American) country is one way or another "funded by the Defense Department"? Heck, *I'm* funded by the defense department. The whole *Internet* was started by and remains to some extent funded by the Defense Department. This is just lazy scare-mongering by some guy who considers his opinions too obviously important to merit support with real facts.

    If this guy is serious, he ought to research and back up his claims. Lacking any evidence to the contrary, I'd just as soon agree with the poster directly above, who claims that this NIC ID doesn't make it past the first router and so doesn't matter. That seems far more likely than the worldwide conspiracy that Bill Frezza would have us believe. If Bill can make a better argument, I'll go over to the standards and check for myself, but he has very little credibility in my book at this point.

    --
    [ /. is too noisy already -- who needs a .sig? ]
  34. More on IPv6 and address privacy by angio · · Score: 5
    The author of the "IPv6 Privacy Threat" article failed to consider a few things. As several people have already pointed out, MAC addresses are spoofable and changeable in many circumstances.

    More importantly, the IPv6 spec suggests (not mandates) the use of the 48-bit mac address for use as part of a local-use address. The local-use address as defined has only local routability scope - it will not trickle out onto the greater Internet. This was designed to provide an easy bootstrapping mechanism, and for non-Internet connected sites to configure their computers easily. However, the use of the 48-bit mac address is completely optional; it's not an automatically assigned address.

    Third, people who connect to the Internet via a DSL or modem connection don't need to worry. In the DSL case, their IP address is the IP address of the DSL modem. Since their IP address is provider assigned, and their DSL modem is provider assigned, there's no difference! A user who dials up via a modem will have an IP address assigned by their provider, just like they do now, and it will have no correlation to the hardware address of anything they own.

    For more information, Robert M. Hinden has a great article, "IP Next Generation Overview". Alternately, the story posted in the Times a few weeks ago provided a cogent introduction to the reality, not the hype, of IPv6. If you're an RFC type, check out:

  35. TTL by Cuthalion · · Score: 2

    Interesting points, but I'm not sure about the TTL one..

    i mean what IDIOT makes a protocol with 128 bit address scheme and keeps TTL field of 8 bit (which makes maximal TTL be 256).

    Assume that each physical network has 8 links to it. Every time the size of the network increases eightfold, the maximum TTL needed to use all of that network goes up by one. Addresses run out MUCH faster than TTL's, as the network grows. Sure, there is going to be a lot of variation in size of subnets, but on the whole the net is much more broadly connected than it is deeply connected.

    Both TTL and address bits required grow logarithmically with the number of nodes, but TTL has a much higher base to that log.

    --
    Trees can't go dancing
    So do them a big favor
    Pretend dancing stinks!
  36. IPv6 and privacy by jd · · Score: 5
    Ok, let's take a look at this.

    • IPv6 mandates that each port have a unique IP address, that that address be configured by the network in a unique way at the time of connection and any time the network changes, and that that address have a lifetime only marginally longer than the period of time that the topology higher up the hierarchy to that port remain the same.

      (In other words, if you move, your ISP moves, their ISP moves, etc, right up to the backbone itself, you are GUARANTEED a new, unique IP address. You are ALSO GUARANTEED that your old IP address will remain valid, and pointing to you, for a transition period.)

    • IPv6 also mandates that IP number clashes should be impossible, irrespective of user activity or mobility, or network topology changes.

      (This is not trivial. Not only does this require that your IP address is unique, when you connect, but that you are given a unique address, should you move, whilst still connected, AND that anyone connecting or moving over to your old ISP at the time you're transitioning will ALSO gain a unique IP address. In other words, they can't be assigned your old address, and you can't be assigned their old address, because that violates the uniqueness during the transition period.)

    • The use of the MAC address is an optional, but preferred, way to ensure this uniqueness. There are perfectly viable alternatives. Simply having the router assign a number out of a list would work. It comes to the same thing, really.

    • IPv6 has many more mechanisms for privacy (eg: IPSEC, non-spoofable routers, etc.) than IPv4. The use of the MAC address, even if you opt to use it, doesn't help anyone locate you, or find anything out about you.

    • You can remotely ask for the MAC address of a number of devices, anyway, using good old IPv4. Only difference is that you can't restrict who asks.
    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  37. Other concerns by silversurf · · Score: 3

    If I remember right, the IPv6 spec also includes the capability to assign a portion of the address based on MAC and location(?). Or something to that effect (I could be totally off-base here, I saw a talk about IPv6 that discussed it in that way). Basically the idea being that it makes it much easier for a packet to find you and for your packets to route as quick as possible to their destination.

    IPv6 is trying to address the problem of "dumb" packets that get shoved willy-nilly through routers as they are shuttled from one place to the next in search of their destination. IPv6 is supposed to provide a "smarter" packet that allows it to take the shortest possible (and quickest) route to/from a destination. All of this being done on a location basis. The MAC address, I believe, is used as a unique identifier to help keep addresses unique.

    I noticed a post that stated that there is no "database" for MAC addresses. I don't know if I totally believe this. Every manufacturer produces a unique address for each card produced, thus guaranteeing that no repetition will occur, especially since routers and switches cache and use the info heavily. So, how do they know who is making what MAC address? Also, a MAC address may be easy to change, but how many users know how to do that?

    I am very concerned about privacy in IPv6. It seems like one big, global user tracking system to me.

    my $0.02,

    colin.stefani

    1. Re:Other concerns by Fastolfe · · Score: 2

      I noticed a post that stated that there is no "database" for MAC addresses. I don't know if I totally believe this. Every manufacturer produces a unique address for each card produced, thus guaranteeing that no repetition will occur, especially since routers and switches cache and use the info heavily. So, how do they know who is making what MAC address? Also, a MAC address may be easy to change, but how many users know how to do that?

      I am very concerned about privacy in IPv6. It seems like one big, global user tracking system to me.


      The MAC address is implemented just like a serial number. E.g. Batch 1 gets MAC address 1-100. Batch 2 gets 101-200. There is no "database" that the company has somehow managed to compile that links your MAC address with anything resembling your identity. You think the stores they send these NICs off to turn around and report back to the manufacturer with your identity and buying habits? It doesn't happen.

      Don't be so paranoid. Companies tend to only spend resources on things that will earn the company a profit. An internal database of MAC addresses earns the company absolutely NOTHING. The infrastructure required to create and maintain such a database for zero profit (or even useful market research, as MAC addresses are nearly useless for doing any real tracking) just doesn't seem like a likely thing for a company to do.

      In order for this to even be remotely successful, you'd have to get all of the NIC companies and the VENDORS themselves together on the conspiracy and have them all sharing their MAC addresses and databases of customers and buying preferences. This doesn't seem very likely.

      In fact, if someone wanted to track your Internet activity, it would be FAR easier for them to break into your ISP, track your dynamic IP addresses as they're assigned, and monitor your traffic that way.

    2. Re:Other concerns by Tau+Zero · · Score: 2
      An internal database of MAC addresses earns the company absolutely NOTHING.
      But if that MAC address can be used as a globally-unique key to identify a machine (and, in all likelihood, its regular users), it becomes even more valuable than a cookie.
      In order for this to even be remotely successful, you'd have to get all of the NIC companies and the VENDORS themselves together on the conspiracy and have them all sharing their MAC addresses and databases of customers and buying preferences.
      No, all they have to do is build up a profile of access patterns for each MAC address, which builds a picture of the user(s) of that computer; even if you succeed in remaining entirely anonymous or pseudonymous, every access can be related to every other. The first time you do anything on the Net that associates that MAC address with your name, all of your past anonymous and pseudonymous activity is instantly "outed" (and all of your future activity ditto).
      --
      Deja Moo: The feeling that
      --
      Time is Nature's way of keeping everything from happening at once... the bitch.
  38. Simple solution. by Zurk · · Score: 2

    Compliments of the linux.com tuning guide :
    On a related note, you can also have your card use a different MAC address

    ifconfig eth1 hw ether deadbeef0001
    (this needs to be done while the card is down for obvious reasons)

    now your card will answer all arp requests with DE:AD:BE:EF:00:01.

    Note:
    The kernel performs this trick on most cards by setting the card into promiscuous mode and using software to filter out all MACs that aren't yours, so it stands to reason it would be slightly slower than just using your real MAC.

  39. Re: knowledge = lack of outrage by anticypher · · Score: 3

    I've read the RFCs, and there was no outrage on my part. I've sniffed v6 packets off of ethernet and from frame relay and ATM, with nothing triggering any moral alarms.

    The field can be anything, it exists so that a bunch of machines plugged into a hub without a router can route packets to each other. It is also there so a router can make some fast decisions about what needs routing, and what is local.

    The EUI field can also contain IPv4 addresses, Novell IPX addresses, OSI NSAP, etc. So anything can be put there, and as long as the u/l bit is switched to local, nobody cares. It is the local router who has to decide how to deal with incoming packets.

    the AC

    read RFCs 2460 to 2473, and especially 2373. Worry less, read more.

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  40. Even in windoze by anticypher · · Score: 3

    Since I'm stuck on a win machine, I went to look. Both on 95 and NT.

    In the network control panel, select the card driver, then properties.
    Go to the advanced tab, in properties there should be a Network Address. Change it from Not Present to Value, and enter a valid 12 character string, with no colons or dots or spaces.

    I think you have to reboot after that. I know this is becoming wider spread because home users on cable systems find they are tied to their original MAC address, and when they swap machines the internet stops working :-) There are lots of how-to for dummies cheat sheets going around for cable subscribers.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  41. What's in a MAC address? by PigleT · · Score: 2

    I agree entirely. I can't see what facts this author is basing his drivel on, as we've been able to use 'arp' to dump machines' IP# MAC address correlations for a while...
    I also heard that IPv6 was going to be end-to-end encrypted, too - that wins big in my book any day.

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  42. No outrage? Because the people aren't uninformed! by Fastolfe · · Score: 2
    Yet another example of an article full of posts by people that have NO CLUE WHAT THEY ARE TALKING ABOUT.

    The IPv6 spec SUGGESTS that the MAC address be used as an interface/link identifier (which must be unique). It's quite possible that this address would be reconfigured to something else in very short order. By setting the IPv6 address immediately with a known unique value, you have an instant (even if temporary) address with which to request a proper one.

    OBVIOUSLY not every network interface has a MAC address (such as serial links and tunnels). For those types of situations, some other pseudorandom number should be just as effective, so long as it doesn't conflict with somebody else on the LOCAL subnet (the interface ID only makes up *part* of the address, remember). In the case of dialup links, the address class we're talking about here probably won't even be needed to be figured in advance -- it could be negotiated as part of the PPP process.

    There is no privacy issue here. There are no evil NIC manufacturers in cahoots with the vendors to build a global database of all MAC addresses and your identity and buying habits.

    Quite frankly, I am rather EMBARRASSED by the number of Slashdot posters who regularly post crap like this on threads. They make NO effort whatsoever to independently verify anything they start violently complaining about. They just assume that the BIASED take they just read was ABSOLUTE, 100% accurate and researched TRUTH.

    THIS IS NEVER THE CASE.

    Did you ever stop to think that maybe there's no outrage over IPv6's MAC recommendation because THERE WAS NO REASON TO BE OUTRAGED?

    A bit of light reading for those that want to talk in an intelligent manner (in other words, no idiotic paranoid conspiracy theories):

    • RFC2373 - IP Version 6 Addressing Architecture (esp. section 2.5, 2.5.1 and Appendix A)
    • RFC2460 - Internet Protocol, Version 6 (IPv6) Specification
    • RFC2374 - An IPv6 Aggregatable Global Unicast Address Format
    PLEASE PLEASE PLEASE FOR GOD'S SAKE THINK AND RESEARCH BEFORE YOU POST.
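    The modified EUI-64 construction from RFC 2373 Appendix A that this post points at, as an added example that is not code from the thread or from any of its posters: it builds the 64-bit interface identifier from a 48-bit MAC (insert FF:FE in the middle, invert the universal/local bit), shows that the step is reversible, which is why a MAC-derived identifier can be read back out of any address that carries it, and generates a random, locally-administered identifier as the alternative other posters mention. The prefixes and MAC addresses are constructed sample values and the function names are my own.

```python
"""EUI-64 interface identifiers per RFC 2373 Appendix A (added example,
not code from the thread). Constructed sample values throughout."""
import ipaddress
import secrets


def parse_mac(mac: str) -> bytes:
    """Accept 'de:ad:be:ef:00:01', 'de-ad-be-ef-00-01' or 'deadbeef0001'."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64: OUI half + FF:FE + NIC half, then invert bit 1 of the
    first octet (the universal/local bit) so a globally assigned MAC yields 1."""
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def iid_to_mac(iid: bytes):
    """Reverse the construction; None when the identifier is not MAC-shaped."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the MAC-derived identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers need a /64 prefix")
    iid = int.from_bytes(mac_to_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str):
    """What anyone who sees the address can recover: the MAC, if one was used."""
    low64 = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    return iid_to_mac(low64)


def random_iid() -> bytes:
    """Random identifier with the u/l bit cleared (locally administered) and
    without the FF:FE marker, so it can never be mistaken for a MAC."""
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD
        if iid[3:5] != b"\xff\xfe":
            return bytes(iid)


if __name__ == "__main__":
    mac = "de:ad:be:ef:00:01"  # constructed sample
    addr = slaac_address("2001:db8::/64", mac)
    print(addr, "->", mac_from_address(str(addr)))
    print("random:", random_iid().hex(), "->", iid_to_mac(random_iid()))
```

    Running it shows the same MAC coming back out of the address it built, while the random identifier maps to nothing; the first octet's bit 1 is the u/l bit that a later poster in this thread mentions, and it reads 0 for the random case.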
  43. Simple solution... by Wakko+Warner · · Score: 2
    Don't be a lame skript kiddie, and nobody will have any reason to need your MAC address. It's not like it'd be incredibly difficult to figure out who's got what IP anyway.

    I really don't see this as a usurping of my freedom. Maybe I'm just not paranoid enough.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  44. Much Ado About Nothing. by Wakko+Warner · · Score: 2
    I don't see how, as others have said, this is any different from having your IPv4 address sent around the Internet in IP packets. Once there's a way of matching a name, face, and address with a NIC card, I'll become the slightest bit worried. Until then, I have more important things to care about, and, apparently, so does the rest of the world.

    This is not an outrage. This is not even invasive. Hell, you can change your MAC address most of the time. If you're worried someone will find it easier to catch you DoSsing others on the Internet, well, that's your problem.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  45. Re:this guy obviously has a huge chip on his shoul by Anonymous Coward · · Score: 3
    [previous poster noted the journalist's attack on the way IP addresses are allocated by ARIN and formerly InterNIC]

    It sounds like the journalist or one of his good friends or family has been screwed by the address allocation policies of ARIN (and previously the InterNIC). I can understand his hate. I'm losing customers now, because I can't get more addresses. I lost a customer in August that would have had 40 offices connected to me via frame relay, because it took me over 6 months to get enough addresses freed-up to handle their machines. MIT and CMU have 16 million addresses each, and I can't get another address so I can connect another dedicated customer or another dialup port. @Home got 24/8, and they only had a couple of thousand customers at the time. His claims are unsubstantiated, but the frustration and hard feelings aren't. Even after writing a $5,000 check to ARIN for a /20, I still don't have one. That's more than I pay myself! ARIN claims they won't assign it because I don't need it. I'm using a /22 from MCI and 4 /23's from another provider. I qualify. I've spent almost 50 hours a week renumbering equipment over the past two years, because I'm having to reclaim blocks. Yesterday, I moved a customer with 29 computers from a 64 address block down to a 32 to free-up half of a class C for a new customer. When my old customer adds two more computers, I'm going to have to renumber them again. It's killing me. Rather than working on finishing my OpenSource ISP billing software, I'm forced to drive-out to customer sites, change router configs, and help change machines (or a single DHCP server, if I'm lucky). It's yet another case, how large businesses use their position and cash to screw-out their smaller competition. And, you complained that the journalist needs to back himself up...

  46. Wasteful? Oh, please. by Wakko+Warner · · Score: 3
    The IPv6 spec calls for 128 bit IP addresses. You know how HUGE that is? "wasting" 48 bits of it amounts to a grain of sand on a seashore, or a blade of grass in your backyard; it's absolutely immaterial. You've still got 2^80 IP addresses to play with -- that's 1,208,925,819,615,000,000,000,000 addresses even AFTER you've used up 48 bits with the MAC address.
    Hell, wasting even a few trillion addresses wouldn't mean squat.

    Once we start giving a few hundred billion IPs away in every cereal box or package of sports trading cards, I'll be slightly worried.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  47. Re:Let me place your foot in your mouth by Octal · · Score: 2

    Then try:
    cat /proc/net/arp

    Of course, this will only show hardware addresses on your subnet, not of everyone you send and receive packets from, but oh, well.

  48. Ignorance of IPv6 is amazing! by JerseyTom · · Score: 4
    I'm disappointed that this article shows a basic lack of understanding about IPv6.

    I'm MORE disappointed that all the replies on slashdot show they understand EVEN LESS ABOUT IPv6. Here's the issue: A host's IPv6 address will be 128-bits long. The last 48 bits are going to be the same as their Ethernet ("MAC") address.

    Therefore, if I plug my laptop in at work, it will have one address, and if I plug my laptop in at an Internet Cafe, it will get a different address. However, the last 48 bits of both addresses will be the same.

    Someone had the mistaken impression that the entire IPv6 address would stay the same no matter what. That's not true. That would make routing very difficult.

    Someone else pointed out that the Ethernet "MAC" address of a host can be changed in software. Yes, that is true for newer NICs. However, the average user will not know how to do that.

    So, the big issue is that other people will be able to trace a computer as it moves from network to network. In IPv4 one could trace an IP address back to a particular ISP or company... but then you had to rely on the local admins to break any confidentiality to get to the exact machine.

    With IPv6 if you catalog the last 48 bits of all the hosts that connect to you, you will eventually be able to correlate where hosts are moving.

    Is this a requirement of IPv6? Not really. This was done to make host configuration without DHCP possible. (There is a DHCPv6, but it only adds features to the native host configuration "AutoConfig" stuff built into IPv6). An IPv6 stack could choose to pick random numbers instead of using MAC addresses. It would just be a simple matter of programming.

    Oh, there is one more point I'd like to debunk. That IPv6 development is U.S. Department of Defense funded. Well, they fund a little of everything, so don't get all worried. Heck, they funded the original IPv1 thru IPv4 development too. So deal.
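    One way an administrator could check their own access logs for the cross-network correlation this post describes, as an added example that is not from the thread: it groups source addresses by their lower 64 bits and reports identifiers that reappear under more than one /64 prefix, flagging the FF:FE pattern that marks a MAC-derived identifier. The log lines are constructed; the only real thing here is the address arithmetic, and the function names are my own.

```python
"""Added example (not from the thread): find interface identifiers that
recur across different /64 prefixes in an access log, i.e. hosts that
could be followed from network to network by the lower 64 bits alone."""
import ipaddress
from collections import defaultdict

# Constructed sample log, "<source address> <method> <path>" per line.
# Host 1 keeps a MAC-derived identifier behind two prefixes (office and
# cafe), host 2 uses a different random identifier on each network, and
# host 3 is only ever seen on one network.
SAMPLE_LOG = """\
2001:db8:0:1:dcad:beff:feef:1 GET /index.html
2001:db8:0:1:381f:9c2e:44b0:71d2 GET /index.html
2001:db8:0:1:200:5eff:fe00:5301 GET /status
2001:db8:0:2:dcad:beff:feef:1 GET /login
2001:db8:0:2:c44:1f9a:8e20:b3e5 GET /login
"""

IID_MASK = (1 << 64) - 1


def split_address(text: str):
    """Return (the /64 prefix as a string, the interface id as an int)."""
    n = int(ipaddress.IPv6Address(text))
    prefix = ipaddress.IPv6Network(((n >> 64) << 64, 64))
    return str(prefix), n & IID_MASK


def looks_eui64(iid: int) -> bool:
    """True when octets 3 and 4 of the identifier are FF:FE, the marker
    RFC 2373 Appendix A inserts between the two halves of a MAC."""
    return (iid >> 24) & 0xFFFF == 0xFFFE


def fmt_iid(iid: int) -> str:
    h = f"{iid:016x}"
    return ":".join(h[i:i + 4] for i in range(0, 16, 4))


def correlate(log_text: str) -> dict:
    """Map each interface id to the sorted prefixes it was seen under,
    keeping only ids that appear under two or more prefixes."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        prefix, iid = split_address(line.split()[0])
        seen[iid].add(prefix)
    return {fmt_iid(i): sorted(p) for i, p in seen.items() if len(p) > 1}


def report(log_text: str) -> list:
    """Human-readable lines, one per identifier that moved between networks."""
    out = []
    for iid, prefixes in correlate(log_text).items():
        raw = int(iid.replace(":", ""), 16)
        kind = "MAC-derived (EUI-64)" if looks_eui64(raw) else "other"
        out.append(f"{iid} [{kind}] seen under: {', '.join(prefixes)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

    Only the first host shows up in the report, because the random identifiers change with the prefix and the third host never left its network; a stack that picks random identifiers, as the post says it could, is exactly what makes this grouping come up empty.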

  49. Half of the MAC is assigned by an authority by Anonymous Coward · · Score: 3

    In response to the previous comments, the first half of the MAC address is assigned by an authority to hardware manufacturers. There is also a bit in the first half which designates the MAC address as locally assigned or globally assigned. Beyond this, pretty much all cards will allow you to change the MAC address (Hence the local vs globally assigned numbers). This is not an invasion of privacy, since no one can track the specific MAC address to a particular person. * The invasion of privacy is when this part of the IPv6 address is used to track an individual, which is much more effective than tracking IP's, as they are usually dynamically assigned *

  50. *sigh* "As if..." by Cramer · · Score: 2

    As if every packet you ever send out cannot be traced back to your machine already? Yes, this would make that task so much simpler.

    I will point out a massive technical inaccuracy and oversight... the MAC address is not "embedded in your hardware". Sun ethernet cards don't have MAC addresses anywhere on them -- it's generated based on the hostid of the machine (which is very easy to change in the PROM) _AND_ ifconfig supports SETTING the MAC address. It's certainly not etched into the silicon. In most cases, it's trivial to change the address stored in the card's EEPROM.

    "Permanently." Are you certain of that? I don't know about every other network card on the planet, but I've never seen one with any carved stone on it.

    Gee, maybe EFF and others aren't on the war path because this isn't a problem.

    IMO, the author is being a bit of an alarmist here. Why is it people always foam at the mouth about "internet privacy" when they already leave enough of a paper trail for a hamster to track them from another planet? How many credit cards do you have? Do you have a social security number? Do you own a car? (Look at the bottom of your Mountain Dew can some time.)

  51. The author is wrong about IPv6 by Anonymous Coward · · Score: 3

    There is no requirement that the lower 64 bits of an IPv6 address be your EUI-64. It's merely one possible method of generating an address. This columnist should do some research before he writes.