RE: ISP customer assignments

["TJ" <trejrco () gmail com>]

> On Mon, 05 Oct 2009 16:13:37 CDT, Dan White said:
>
> > a publicly routeable stateless auto configured address is no less
> > secure than a publicly routeable address assigned by DHCP. Security
> > is, and should be, handled by other means.
>
> The problem is user tracking and privacy.
>
> RFC4941's problem statement:
>
>   Addresses generated using stateless address autoconfiguration
>   [ADDRCONF] contain an embedded interface identifier, which remains
>   constant over time.  Anytime a fixed identifier is used in multiple
>   contexts, it becomes possible to correlate seemingly unrelated
>   activity using this identifier.
>
>   The correlation can be performed by
>
>   o  An attacker who is in the path between the node in question and
>      the peer(s) to which it is communicating, and who can view the
>      IPv6 addresses present in the datagrams.
>
>   o  An attacker who can access the communication logs of the peers
>      with which the node has communicated.
>
>   Since the identifier is embedded within the IPv6 address, which is a
>   fundamental requirement of communication, it cannot be easily hidden.
>   This document proposes a solution to this issue by generating
>   interface identifiers that vary over time.
>
>   Note that an attacker, who is on path, may be able to perform
>   significant correlation based on
>
>   o  The payload contents of the packets on the wire
>
>   o  The characteristics of the packets such as packet size and timing
>
>   Use of temporary addresses will not prevent such payload-based
>   correlation.
> (end quote)
>
> Or phrased differently - if I DCHP my laptop in a Starbuck's, on Comcast,
at
> work, at a hotel, and a few other places, you'll get a whole raft of
answers
> which will be very hard to cross-corrolate.  But if all those places did
> IPv6 autoconfig, the correlation would be easy, because my address would
always
> end in 215:c5ff:fec8:334e - and no other users should have those last 64
bits.
> Amazingly enough, some people think making it too easy to Big-Brother you
is a
> security issue...

Isn't this really a security by obscurity argument?  Making it a bit harder
for the attacker, relying on 'Eve' just not realizing who I am?

Most of those concerns are in fact mitigated by a well implemented Privacy
implementation ... and many of the remaining concerns do in fact apply to
IPv4.  Not to mention the 'higher layer' aspects.  

Bottom line - if you are doing something that warrants some level of privacy
or protection, you should do something to ensure that level of privacy or
protection - never assume you are private/secure by default.

/TJ