[LACNIC/Seguridad] Predictable IDs in DHCPv6 (Re: )
Fernando Gont
fgont at si6networks.com
Tue Feb 16 10:19:40 BRST 2016
("Subject" corrected)
On 02/16/2016 06:53 AM, Fernando Gont wrote:
> Dear all,
>
> FYI: <https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-privacy-02>
>
> ---- cut here ----
>
> 4.3. Allocation strategies
>
> A DHCPv6 server running in typical, stateful mode is given the task of
> managing one or more pools of IPv6 resources (currently non-temporary
> addresses, temporary addresses and/or prefixes, but more resource
> types may be defined in the future). When a client requests a
> resource, the server must pick a resource out of the configured pool.
> Depending on the server's implementation, various allocation
> strategies are possible. Choices in this regard may have privacy
> implications.
>
> Iterative allocation - a server may choose to allocate addresses one
> by one. That strategy has the benefit of being very fast, and thus can
> be favored in deployments that prefer performance. However, it makes
> the resources very predictable. Also, since the resources allocated
> tend to be clustered at the beginning of the available pool, it makes
> scanning attacks much easier.
>
> Identifier-based allocation - some server implementations use a fixed
> identifier for a specific client, seemingly taken from the client's
> MAC address when available or some lower bits of the client's source IPv6
> address. This has the property of being convenient for converting an IP
> address to/from other identifiers, especially if the identifier is or
> contains a MAC address. It is also convenient, as a returning client is
> very likely to get the same address, even if the server does not
> retain the previous client's address. Those properties are convenient
> for system administrators, so DHCPv6 server implementors are
>
> Krishnan, et al. Expires June 29, 2016 [Page 9]
>
> Internet-Draft DHCPv6 Privacy considerations December 2015
>
> sometimes requested to implement it. There is at least one
> implementation that supports it. The downside of such allocation is
> that the client now discloses its identifier in its IPv6 address to
> all services it connects to. That means that correlation of
> activities over time, location tracking, address scanning and OS/
> vendor discovery apply.
>
> ---- cut here ----
>
> P.S.: Anyway:
> <https://tools.ietf.org/html/draft-gont-predictable-protocol-ids-00>...
>
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492