[LACNIC/Seguridad] (sin asunto)
Fernando Gont
fgont en si6networks.com
Mar Feb 16 07:53:46 BRST 2016
Estimados,
FYI: <https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-privacy-02>
---- cut here ----
4.3. Allocation strategies
A DHCPv6 server running in typical, stateful mode is given a task of
managing one or more pools of IPv6 resources (currently non-temporary
addresses, temporary addresses and/or prefixes, but more resource
types may be defined in the future). When a client requests a
resource, server must pick a resource out of configured pool.
Depending on the server's implementation, various allocation
strategies are possible. Choices in this regard may have privacy
implications.
Iterative allocation - a server may choose to allocate addresses one
by one. That strategy has the benefit of being very fast, thus can
be favored in deployments that prefer performance. However, it makes
the resources very predictable. Also, since the resources allocated
tend to be clustered at the beginning of available pool, it makes
scanning attacks much easier.
Identifier-based allocation - some server implementations use a fixed
identifier for a specific client, seemingly taken from the client's
MAC address when available or some lower bits of client's source IPv6
address. This has a property of being convenient for converting IP
address to/from other identifiers, especially if the identifier is or
contains MAC address. It is also convenient, as returning client is
very likely to get the same address, even if the server does not
retain previous client's address. Those properties are convenient
for system administrators, so DHCPv6 server implementors are
Krishnan, et al. Expires June 29, 2016 [Page 9]
Internet-Draft DHCPv6 Privacy considerations December 2015
sometimes requested to implement it. There is at least one
implementation that supports it. The downside of such allocation is
that the client now discloses its identifier in its IPv6 address to
all services it connects to. That means that correlation of
activities over time, location tracking, address scanning and OS/
vendor discovery apply.
---- cut here ----
P.S.: En fin:
<https://tools.ietf.org/html/draft-gont-predictable-protocol-ids-00>...
--
Fernando Gont
SI6 Networks
e-mail: fgont en si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Más información sobre la lista de distribución Seguridad