[LINK] Fwd: Expert Panel: The Seven Stages of IPv6 Adoption

Kim Holburn kim at holburn.net
Fri Mar 27 19:05:07 AEDT 2009


On 2009/Mar/26, at 12:40 PM, Karl Auer wrote:

> On Thu, 2009-03-26 at 09:57 +0100, Kim Holburn wrote:

Actually I didn't write that paragraph.  Funny though it was.  Is there something wrong with my email client?

>> On 2009/Mar/26, at 9:30 AM, Rick Welykochy wrote:
>>> If Microsoft adopted IPv6 as an experiment
>
> done
>
>>> , then a beta,
>
> done
>
>>> then a duplicate service alongside IPv4
>
> done
>
>>> and finally as solely IPv6
>
> not practical, not even for Microsoft. Dual stack will be around for a
> while yet.
>
>> My understanding is that the three main end device OS's: Windows,
>> MacOS and Linux all do IPv6 and have done for a while.
>
> Even more importantly, so does the main carrier equipment, Cisco et al.
>
>>  It's the
>> consumer edge devices and the ISPs that are the main issues.  I could
>> be completely wrong about that.
>
> That's pretty much right, at least in the low-end home/soho/consumer
> world. Not the same drivers for the corporate and government users
> though.
>
> However, consumer and SOHO can have IPv6 right now via at least four
> different forms of tunnelling - static, 6to4, Teredo and TSP. The first
> is very difficult for the average non-tech to set up and generally
> requires static IP addresses, the second and third are mostly automatic
> but have poor performance (usually - depends where the "local" server
> is), TSP is the most powerful and is relatively easy to set up,
> especially for Windows.

So we have difficult or slow.  Enticing that is.

I have noticed too that having IPv6 enabled on desktop boxes tends to make them run quite a bit slower than without IPv6, i.e. it's best to disable it unless you're using it to connect to or via an IPv6 network.

>> If for instance you discover the IPv6 address of the PM or the POTUS
>> then anyone in the world might get to know that.  It's a privacy worry.
>
> It's a bit of a fallacy that our current IPv4 addresses are somehow
> private. It's a very fair bet that any home user's address is in one of
> a few common RFC1918 ranges like 192.168.1.0/24. Locating the public
> address fronting a home/SOHO NAT box is pretty easy. Any connection any
> inside machine makes to the outside world gives it away. Receive an email
> from someone and the chances are good that you'll see their IP address
> in the Received: headers. This is the relevant header from your email,
> for example:
>
> Received: from [192.168.2.3] (84.220.248.163) by jack.mail.tiscali.it
> (8.0.022) id 499F036C013DACB5 for link at anu.edu.au; Thu, 26 Mar 2009
> 09:57:33 +0100
>
> Mail servers can rewrite stuff, but there's a pretty good chance that
> your PC still has the address 192.168.2.3, and that the outside address
> on your ADSL or cable router is still 84.220.248.163. Certainly it
> reverse resolves to what looks a lot like the name of a dynamically
> allocated address:
>
>   host-84-220-248-163.cust-adsl.tiscali.it.
>
> Both those addresses are likely to be relatively long-lived - certainly
> many minutes, and in most cases hours or even days. Plenty of time to
> investigate them thoroughly.

While you can reasonably trust the public IP, i.e. the ISP in this case (although investigating would require the consent of the ISP or the power of the regional government, and in some cases ISP records have been found to be just plain wrong), all bets are off inside the private network: it has plausible deniability and no personal info leaked.  An IPv6 address, on the other hand, is somewhat more like a fingerprint and wouldn't even need the consent of the ISP; it'd be there in the headers.  Privacy leaked without even trying.

> Corporate and government networks are
> generally much more stable than that.
>
> You can be more private in a public IPv6 subnet (if you really want to
> be) than is possible in IPv4 at all. Take a new address every second,
> it'll be 500 billion years before you ever need to reuse an address. And
> good luck trying to scan for them!

The IPv4 private address ranges would be big enough to do that if you wanted to, and behind a NAT firewall you really could use any IPv4 address you wanted to (as long as you didn't want to talk to the real one).

> So no, not a privacy issue. Or at least no more than with IPv4, and
> probably a great deal less.


I see your point but don't really agree.  In a home network it would be possible to fingerprint actual devices, except of course for the possibility of IPv6 spoofing, and I'm not sure I know enough to say if that's possible.

-- 
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request