[LINK] Fwd: Expert Panel: The Seven Stages of IPv6 Adoption
Karl Auer
kauer at biplane.com.au
Fri Mar 27 20:04:59 AEDT 2009
On Fri, 2009-03-27 at 09:05 +0100, Kim Holburn wrote:
> Actually I didn't write that paragraph. Funny though it was. Is
> there something wrong with my email client?
Urk, sorry, maybe I misread the quote cascade.
> So we have difficult or slow. Enticing that is.
TSP is not that hard (and is very simple for Windows users). It remains
the best all-round solution for now. Once set up, it is essentially
transparent - you just access v4 and v6 hosts without having to think
about it at all.[1]
> I have noticed too that having IPv6 enabled on desktop boxes tends to
> make them run quite a bit slower than without IPv6.
Yep - turn off protocols you don't need.
> been found to be just plain wrong) all bets are off inside the private
> network, it has plausible deniability and no personal info leaked.
No, it doesn't really have plausible deniability; it might be hard to
link the address to a particular computer if there were a lot of
computers in the internal network, but the more computers there are the
harder it is to hide one (it leaves traces everywhere) and of course if
there are few computers it's also no great trick to figure out which one
was used when. So data is most certainly "leaked", and is certainly not
"deniable". Though it is questionable whether it is personal data. By
the way, I note that your internal address is still 192.168.2.3 :-)
> An
> IPv6 address on the other hand is somewhat more like a fingerprint and
> wouldn't even need the consent of the ISP, it'd be there in the
> headers. Privacy leaked without even trying.
Again - no more than with IPv4. I can explain this at greater length if
you wish. Your own internal address is right there in the headers of the
email I'm replying to now. I showed it to you. Twice. Do you feel
invaded?
> The IPv4 private address ranges would be big enough to do that if you
> wanted to and behind a NAT firewall you really could use any IPv4
> address you wanted to (as long as you didn't want to talk to the real
> one).
No, not really. If you used a 10.0.0.0/8, you would run out of addresses
in about six months. That's quite a far cry from 500 billion years.
In practice, address-hopping doesn't make much sense for very short
periods. Nor does it make much sense unless you are one of a preferably
large number of people inside the same subnet, all doing the same thing.
If it's just your desktop at home, you won't fool anyone :-)
This is all a bit of a furphy though - we were talking about "leaking"
information, and my point is just that you "leak" no more with IPv6 than
with IPv4.
> I see your point but don't really agree. In a home network it would
> be possible to fingerprint actual devices except of course for the
> possibility of IPv6 spoofing and I'm not sure I know enough to say if
> that's possible.
We've been here before, haven't we? I distinctly recall having a loooong
discussion about this. The answer to your "fingerprinting" fears is as
simple as a three-line packet filter, emulating what a NAT router does
as a side-effect. Let anything out; let only established and related
packets back in. Since you don't need NAT with IPv6, you'll be as safe
as houses. Well, apart from the threats that the users on your own
network pose; they are still far more likely to do you harm than an
outsider, either directly or by falling for one of the multitude of
threats that don't care what address you have, like phishing, bad email
payloads, malware on portable media and so on.
Regards, K.
[1] Disclaimer: http://www.ipv6now.com.au/about.php
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
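The stateful host filter described above ("let anything out; let only established and related packets back in"), written out as an added example that is not part of the original thread or the author's own configuration. It is a shell script that prints ip6tables-restore rulesets rather than applying them, so they can be reviewed before loading. The caveat added here, beyond what the mail says, is that Neighbor Discovery (ICMPv6 types 134-136) is not connection-tracked by Linux conntrack, so the literal three-rule version leaves a host unable to learn its router or resolve neighbours; the `check_ruleset` helper flags that. The function and rule names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Emits ip6tables-restore rulesets
# (review with a pager, then: ip6tables-restore < rules.v6).

# The filter as stated in the mail: default-drop inbound, accept outbound,
# admit only replies to what this host started. Valid IPv6 syntax, but the
# host will not hear Router Advertisements or answer Neighbor Solicitations.
naive_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# The same policy with the IPv6 control traffic a host cannot live without.
ipv6_host_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine.
-A INPUT -i lo -j ACCEPT
# The NAT-like side-effect: only replies to what this host initiated.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Neighbor Discovery is untracked by conntrack, so allow it explicitly:
# 134 Router Advertisement, 135 Neighbor Solicitation, 136 Neighbor Advertisement.
-A INPUT -p ipv6-icmp --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -j ACCEPT
# Type 2 (Packet Too Big) is needed for path MTU discovery; IPv6 routers
# never fragment, so dropping it silently breaks large transfers.
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset read from stdin: returns 0 when it has a default-drop
# INPUT policy, the conntrack reply rule, and all three ND message types.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
    for t in 134 135 136; do
        printf '%s\n' "$rules" | grep -q -- "--icmpv6-type $t " || return 1
    done
    return 0
}

# Usage: show which of the two rulesets passes the lint.
for name in naive_ruleset ipv6_host_ruleset; do
    if "$name" | check_ruleset; then
        echo "$name: ok"
    else
        echo "$name: missing Neighbor Discovery or reply rule"
    fi
done
```

The outbound side is left open here just as the mail describes; on a real host the `check_ruleset` invariants are the minimum to assert before loading a policy that defaults to DROP, since a filter that breaks Neighbor Discovery fails quietly rather than loudly.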