[LACNIC/Seguridad] (sin asunto)

Fernando Gont fgont en si6networks.com
Mar Feb 16 07:53:46 BRST 2016


FYI: <https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-privacy-02>

---- cut here ----

4.3.  Allocation strategies

   A DHCPv6 server running in typical, stateful mode is given a task of
   managing one or more pools of IPv6 resources (currently non-temporary
   addresses, temporary addresses and/or prefixes, but more resource
   types may be defined in the future).  When a client requests a
   resource, server must pick a resource out of configured pool.
   Depending on the server's implementation, various allocation
   strategies are possible.  Choices in this regard may have privacy

   Iterative allocation - a server may choose to allocate addresses one
   by one.  That strategy has the benefit of being very fast, thus can
   be favored in deployments that prefer performance.  However, it makes
   the resources very predictable.  Also, since the resources allocated
   tend to be clustered at the beginning of available pool, it makes
   scanning attacks much easier.

   Identifier-based allocation - some server implementations use a fixed
   identifier for a specific client, seemingly taken from the client's
   MAC address when available or some lower bits of client's source IPv6
   address.  This has a property of being convenient for converting IP
   address to/from other identifiers, especially if the identifier is or
   contains MAC address.  It is also convenient, as returning client is
   very likely to get the same address, even if the server does not
   retain previous client's address.  Those properties are convenient
   for system administrators, so DHCPv6 server implementors are

Krishnan, et al.          Expires June 29, 2016                 [Page 9]

Internet-Draft        DHCPv6 Privacy considerations        December 2015

   sometimes requested to implement it.  There is at least one
   implementation that supports it.  The downside of such allocation is
   that the client now discloses its identifier in its IPv6 address to
   all services it connects to.  That means that correlation of
   activities over time, location tracking, address scanning and OS/
   vendor discovery apply.

---- cut here ----

P.S.: En fin:
Fernando Gont
SI6 Networks
e-mail: fgont en si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

Más información sobre la lista de distribución Seguridad