Where's All The Outrage About The IPv6 Privacy?

SyntheticTruth writes "It seems the specs for the IPv6 standard use the 48-bit NIC address as part of the unique IP address, which can be used to trace packets back to the user's computer. " The story is asking why people don't seem to care about something which is gonna certainly raise privacy concerns.

So what?

[Overt+Coward]

A MAC address is no different in terms of privacy than an IP address. Either can be changed (though people with dynamic IP addresses change their IP address many times more often than they change MAC addresses, if ever). There is no central registry of MAC addresses.

All this does is tie a number that is meaningless to the rest of the world to your IP address. Your IP address already exposes you far more than your MAC address would. The only exception I can see off the top of my head are people who trust a proxy/firewall to protect their identities.

--

Re:So what?

[jonathanclark]

I thought I read that MAC addresses are centrally dispatched (by who?) in large blocks to card producers. So they only thing you could probably do is determine what company makes the ethernet card at the other end. There is no way the card companies could trace a particular card to you unless you bought it directly from them.

However, since you can't really modify MACs, it could be as evidence in court to show who you are. With IPs this is a little harder to do because of the dial-up banks and ISPs are not required by law to keep logs (right?) The use of proxies shouldn't be any different from v4 to v6 because the proxy is not going to reveal your MAC, only it's.

Read The RFCs

[jochen]

Using the network card MAC address as part of the IPv6 address is only one way of setting up the global IPv6 addresses (it's unmanaged autoconfiguration used by rtadvd). Alternatives are manual configuration or using DHCP with IPv6 extension.

-- Jochen

Oh, the horror!

[Mr.+Slippery]

Shock! Dismay! Embedded in my network address is...well, my network address. Duh.

I'm no more worried about my MAC address being in a network packet than my IPv4 address. Heck, I could change my MAC address easier than changing my IP - I sure can't change the IP of my PowerMac at the office, and changing my static IP at home would entail pleading to my ISP, but Ethernet cards are cheap.

The author needs a clue.

this guy obviously has a huge chip on his shoulder

[cananian]

...maybe the geeks picked on him for using windoze?

In any case, the article, while obviously inflammatory, is backed up by very little actual fact. The author didn't bother to actually *call up* any of those 'professional privacy advocates' and ask them himself why this wasn't an issue (in other words, didn't do any real journalism) -- he just whined and complained that the people *who with very little pay occupy themselves with protecting _his_ privacy* thought they knew better than he about the implications of IPv6. And WTF:

You would think that the 32-bit address field of IPv4, supporting more than 4 billion unique addresses, would be sufficient to last quite some time. Unfortunately, the cabal that controlled the disposition of these addresses had a habit of handing out large blocks to their friends, who parlayed these into start-ups with multibillion- dollar market caps. Hence, the "shortage."

That's quite a statement to make unsubstantiated. Very poor journalism. And:

The spooks and weirdos in Washington, ever eager to empower the surveillance state as they fight a rear-guard action against strong encryption, must be thrilled with such a gift. They appear so thrilled that the Institute for Information Sciences, heavily funded by the Defense Department, is writing a reference stack for IPv6 that it is quietly hoping to slip into Windows 2000.

Eh? Since when was "heavily funded by the Defense Department" an automatic stamp of badness? Does this guy realize that close to 90% of *all* the academic research in this (American) country is one way or another "funded by the Defense Department"? Heck, *I'm* funded by the defense department. The whole *Internet* was started by and remains to some extent funded by the Defense Department. This is just lazy scare-mongering by some guy who considers his opinions too obviously important to merit support with real facts.

If this guy is serious, he ought to research and back up his claims. Lacking any evidence to the contrary, I'd just as soon agree with the poster directly above, who claims that this NIC ID doesn't make it past the first router and so doesn't matter. That seems far more likely than the worldwide conspiracy that Bill Frezza would have us believe. If Bill can make a better argument, I'll go over to the standards and check for myself, but he has very little credibility in my book at this point.

More on IPv6 and address privacy

[angio]

The author of the "IPv6 Privacy Threat" article failed to consider a few things. As several people have already pointed out, MAC addresses are spoofable and changeable in many circumstances.

More importantly, the IPv6 spec suggests (not mandates) the use of the 48-bit mac address for use as part of a local-use address. The local-use address as defined has only local routability scope - it will not trickle out onto the greater Internet. This was designed to provide an easy bootstrapping mechanism, and for non-Internet connected sites to configure their computers easily. However, the use of the 48-bit mac address is completely optional; it's not an automatically assigned address.

Third, people who connect to the Internet via a DSL or modem connection don't need to worry. In the DSL case, their IP address is the IP address of the DSL modem. Since their IP address is provider assigned, and their DSL modem is provider assigned, there's no difference! A user who dials up via a modem will have an IP address assigned by their provider, just like they do now, and it will have no correlation to the hardware address of anything they own.

For more infromation, Robert M. Hinden has a great article, "IP Next Generation Overview". Alternately, the story posted in the Times a few weeks ago provided a cogent introduction to the reality, not the hype, of IPv6. If you're an RFC type, check out:

• aloni.com's IPv6 resources which include a fairly full list of the IPv6 RFCs.
• Or just look directly at RFC 1887, the IPv6 unicast address allocation document.

IPv6 and privacy

[jd]

Ok, let's take a look at this.

• IPv6 mandates that each port have a unique IP address, that that address be configured by the network in a unique way at the time of connection and any time the network changes, and that that address have a lifetime only marginally longer than the period of time that the topology higher up the heirarchy to that port remain the same.

  (In other words, if you move, your ISP moves, their ISP moves, etc, right up to the backbone itself, you are GUARANTEED a new, unique IP address. You are ALSO GUARANTEED that your old IP address will remain valid, and pointing to you, for a transition period.)

• IPv6 also mandates that IP number clashes should be impossible, irrespective of user activity or mobility, or network topology changes.

  (This is not trivial. Not only does this require that your IP address is unique, when you connect, but that you are given a unique address, should you move, whilst still connected, AND that anyone connecting or moving over to your old ISP at the time you're transitioning will ALSO gain a unique IP address. In other words, they can't be assigned your old address, and you can't be assigned their old address, because that violates the uniqueness during the transition period.)

• The use of the MAC address is an optional, but preferred, way to ensure this uniqueness. There are perfectly viable alternatives. Simply having the router assign a number out of a list wold work. It comes to the same thing, really.

• IPv6 has many more mechanisms for privacy (eg: IPSEC, non-spoofable routers, etc.) than IPv4. The use of the MAC address, even if you opt to use it, doesn't help anyone locate you, or find anything out about you.

• You can remotely ask for the MAC address of a number of devices, anyway, using good old IPv4. Only difference is that you can't restrict who asks.