[LAC-TF] [LACNIC/Seguridad] Fwd: Re: macos Sierra with CGA address?

Jaime Olmos jaime at noc.udg.mx
Mon Dec 19 14:47:28 BRST 2016


Attached are the test results for items 1 and 2:

1) As you disconnect and subsequently reconnect to the same network, the
    IPv6 address is formed with the same IID?

v6:~ olmos$ ifconfig en4
en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
	ether ac:87:a3:11:5e:af 
	inet6 fe80::cf6:23d3:1fe6:60b5%en4 prefixlen 64 secured scopeid 0x5 
	inet6 2001:1210:100:15:10e6:bc50:9c11:874c prefixlen 64 autoconf secured 
	inet6 2001:1210:100:15:597d:40f6:38eb:7477 prefixlen 64 autoconf temporary 
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect (1000baseT <full-duplex,flow-control>)
	status: active
v6:~ olmos$ ifconfig en4
en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
	ether ac:87:a3:11:5e:af 
	inet6 fe80::cf6:23d3:1fe6:60b5%en4 prefixlen 64 secured scopeid 0x5 
	inet6 2001:1210:100:15:10e6:bc50:9c11:874c prefixlen 64 autoconf secured 
	inet6 2001:1210:100:15:adec:7e65:11a3:4605 prefixlen 64 autoconf temporary 
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect (1000baseT <full-duplex,flow-control>)
	status: active
    

    2) When multiple IPv6 prefixes are advertised on the same network, each
    resulting address (for each different prefix) employs a different IID?

v6:~ olmos$ ifconfig en4
en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
	ether ac:87:a3:11:5e:af 
	inet6 fe80::cf6:23d3:1fe6:60b5%en4 prefixlen 64 secured scopeid 0x5 
	inet 148.202.15.40 netmask 0xffffff00 broadcast 148.202.15.255
	inet6 2001:1210:100:15:10e6:bc50:9c11:874c prefixlen 64 autoconf secured 
	inet6 2001:1210:100:15:adec:7e65:11a3:4605 prefixlen 64 autoconf temporary 
	inet6 2001:1210:100:15a:ec:df2c:f737:ee0c prefixlen 64 autoconf secured 
	inet6 2001:1210:100:15a:f1e6:720d:89d3:9da prefixlen 64 autoconf temporary 
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect (1000baseT <full-duplex,flow-control>)
	status: active    

    3) If multiple interfaces (NICs) are connected to the same subnet, each
    obtains a different address, plus "1)" and "2)" above are true?


 
Regards,
Mtro. Jaime Olmos
Head of the Network Operations Center – NOC-UDG
Coordinación General de Tecnologías de Información - CGTI
Universidad de Guadalajara
Av. Juárez No. 976, Edificio de la Rectoría General, Planta Baja.
(33)31342221  extension 12327
http://www.ipv6.udg.mx

On 12/14/16, 5:30 PM, "Seguridad on behalf of Fernando Gont" <seguridad-bounces at lacnic.net on behalf of fgont at si6networks.com> wrote:

    Dear all,
    
    Can anyone with macOS Sierra verify that:
    
    Can anyone verify that:
    
    1) As you disconnect and subsequently reconnect to the same network, the
    IPv6 address is formed with the same IID?
    
    2) When multiple IPv6 prefixes are advertised on the same network, each
    resulting address (for each different prefix) employs a different IID?
    
    3) If multiple interfaces (NICs) are connected to the same subnet, each
    obtains a different address, plus "1)" and "2)" above are true?
    
    
    
    P.S.: It looks like the folks at the little apple enabled SeND as a
    heavyweight implementation of RFC7217... :-(
    
    Regards, and thanks!
    Fernando
    
    
    
    
    -------- Forwarded Message --------
    To: Tim Chown <Tim.Chown at jisc.ac.uk>, Jeroen Massar <jeroen at massar.ch>
    References: <f46f5f7b-70ba-35b6-06b6-b75f03dee460 at hznet.de>
    <e9ecb763-2e58-258b-6e3b-4e66b1bda629 at massar.ch>
    <2BAEFBF2-A68E-48E5-9D44-79EB64F2ACCA at jisc.ac.uk>
    Cc: ipv6-ops at lists.cluenet.de <ipv6-ops at lists.cluenet.de>
    From: Fernando Gont <fernando at gont.com.ar>
    Message-ID: <12b61a26-4097-68b6-4e0c-55a626ddde8b at gont.com.ar>
    Date: Wed, 14 Dec 2016 19:42:07 -0300
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
    Thunderbird/45.5.1
    MIME-Version: 1.0
    In-Reply-To: <2BAEFBF2-A68E-48E5-9D44-79EB64F2ACCA at jisc.ac.uk>
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 8bit
    
    On 12/14/2016 08:31 AM, Tim Chown wrote:
    > Hi,
    > 
    >> On 14 Dec 2016, at 11:08, Jeroen Massar <jeroen at massar.ch> wrote:
    >>
    >> On 2016-12-14 11:55, Holger Zuleger wrote:
    >>> Hi,
    >>>
    >>> I just realized that the permanent interface identifier of my MAC has
    >>> changed after upgrading to OS 10.12 (I guess).
    >>>
    >>> The output of ifconfig shows a new "secured" flag at the permanent address.
    >>> $ ifconfig en0 | grep inet6 | \
    >>>>      sed "s/2[^:]*:[^:]*:[^:]*:[^:]*:/<prfx48>:/"
    >>> inet6 fe80::c54:6333:ac12:c67b%en0 prefixlen 64 secured scopeid 0x4
    >>> inet6 <prfx48>:20e3:84f6:6794:5ace prefixlen 64 autoconf secured
    >>> inet6 <prfx48>:8822:a8a3:b6ec:a79b prefixlen 64 autoconf temporary
    >>>
    >>> I found two or three posts on the internet, all mentioning (or hoping)
    >>> that this is related to a change to RFC7217 as default IID mechanism.
    >>>
    >>> But one guy said that the source code (of 10.11) shows that this is a
    >>> cryptographically generated interface identifier for SeND (RFC3971).
    >>>
    >>> I tend to believe that the latter is true.
    >>
    >> Seeing how Apple implemented things like "Happy Eyeballs" it likely is
    >> neither. And in the case of "Happy Eyeballs" there is no way to turn it
    >> off either. Filing radar bugs clearly does not help as they never get
    >> addressed or marked as 'dupe' at which point you do not know the status
    >> of the 'original' problem and well, nothing happens...
    > 
    > Interesting - I’d also assumed the new form of address was RFC 7217 support. I don’t think any other common OS implements SeND, does it?
    
    Can anyone verify that:
    
    1) As you disconnect and subsequently reconnect to the same network, the
    address is formed with the same IID?
    
    2) When multiple prefixes are advertised on the same network, each
    resulting address (for each different prefix) employs a different IID?
    
    3) If multiple interfaces (NICs) are connected to the same subnet, each
    obtains a different address, plus "1)" and "2)" above are true?
    
    Thanks!
    
    Cheers,
    -- 
    Fernando Gont
    e-mail: fernando at gont.com.ar || fgont at si6networks.com
    PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
    
    
    
    _______________________________________________
    Seguridad mailing list
    Seguridad at lacnic.net
    https://mail.lacnic.net/mailman/listinfo/seguridad
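
The checks asked for in questions 1) and 2), run over the ifconfig captures posted at the top of this message. This is an added example, not part of the original thread; the function names are illustrative, and the address lines and MAC are copied from those captures.

```python
import ipaddress
import re

# Lines copied from the three ifconfig captures in the message above:
# A = first connection, B = after reconnecting, C = two prefixes advertised.
MAC = "ac:87:a3:11:5e:af"
SNAP_A = """
inet6 2001:1210:100:15:10e6:bc50:9c11:874c prefixlen 64 autoconf secured
inet6 2001:1210:100:15:597d:40f6:38eb:7477 prefixlen 64 autoconf temporary
"""
SNAP_B = """
inet6 2001:1210:100:15:10e6:bc50:9c11:874c prefixlen 64 autoconf secured
inet6 2001:1210:100:15:adec:7e65:11a3:4605 prefixlen 64 autoconf temporary
"""
SNAP_C = SNAP_B + """
inet6 2001:1210:100:15a:ec:df2c:f737:ee0c prefixlen 64 autoconf secured
inet6 2001:1210:100:15a:f1e6:720d:89d3:9da prefixlen 64 autoconf temporary
"""
ADDR_RE = re.compile(r"inet6 (\S+) prefixlen 64 autoconf (secured|temporary)")

def parse(snapshot):
    """Map (prefix, kind) -> 64-bit IID for each autoconfigured address."""
    out = {}
    for addr, kind in ADDR_RE.findall(snapshot):
        net = ipaddress.ip_network(f"{addr}/64", strict=False)
        out[(str(net), kind)] = int(ipaddress.IPv6Address(addr)) & (2**64 - 1)
    return out

def stable_across_reconnect(before, after, kind="secured"):
    """Question 1: does the same prefix keep the same IID after a reconnect?"""
    a, b = parse(before), parse(after)
    shared = [k for k in a if k in b and k[1] == kind]
    return bool(shared) and all(a[k] == b[k] for k in shared)

def distinct_per_prefix(snapshot, kind="secured"):
    """Question 2: does every advertised prefix get a different IID?"""
    iids = [iid for (_, k), iid in parse(snapshot).items() if k == kind]
    return len(iids) > 1 and len(set(iids)) == len(iids)

def eui64_iid(mac):
    """IID that traditional SLAAC (modified EUI-64) would derive from the MAC."""
    b = bytes(int(x, 16) for x in mac.split(":"))
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

if __name__ == "__main__":
    print("1) stable secured IID:", stable_across_reconnect(SNAP_A, SNAP_B))
    print("   stable temporary IID:", stable_across_reconnect(SNAP_A, SNAP_B, "temporary"))
    print("2) distinct IID per prefix:", distinct_per_prefix(SNAP_C))
    print("   any IID is EUI-64:", eui64_iid(MAC) in parse(SNAP_C).values())
```

Both checks passing for the "secured" addresses matches what RFC 7217 specifies, but a CGA (RFC 3972) also hashes the subnet prefix into the IID, so these two observations alone do not tell the two mechanisms apart.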
    




