[LACNIC/Seguridad] IDs predecibles en DHCPv6 (Re: )

Fernando Gont fgont en si6networks.com
Mar Feb 16 10:19:40 BRST 2016

("Tema" corregido)

On 02/16/2016 06:53 AM, Fernando Gont wrote:
> Estimados,
> FYI: <https://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-privacy-02>
> ---- cut here ----
> 4.3.  Allocation strategies
>    A DHCPv6 server running in typical, stateful mode is given a task of
>    managing one or more pools of IPv6 resources (currently non-temporary
>    addresses, temporary addresses and/or prefixes, but more resource
>    types may be defined in the future).  When a client requests a
>    resource, server must pick a resource out of configured pool.
>    Depending on the server's implementation, various allocation
>    strategies are possible.  Choices in this regard may have privacy
>    implications.
>    Iterative allocation - a server may choose to allocate addresses one
>    by one.  That strategy has the benefit of being very fast, thus can
>    be favored in deployments that prefer performance.  However, it makes
>    the resources very predictable.  Also, since the resources allocated
>    tend to be clustered at the beginning of available pool, it makes
>    scanning attacks much easier.
>    Identifier-based allocation - some server implementations use a fixed
>    identifier for a specific client, seemingly taken from the client's
>    MAC address when available or some lower bits of client's source IPv6
>    address.  This has a property of being convenient for converting IP
>    address to/from other identifiers, especially if the identifier is or
>    contains MAC address.  It is also convenient, as returning client is
>    very likely to get the same address, even if the server does not
>    retain previous client's address.  Those properties are convenient
>    for system administrators, so DHCPv6 server implementors are
> Krishnan, et al.          Expires June 29, 2016                 [Page 9]
> Internet-Draft        DHCPv6 Privacy considerations        December 2015
>    sometimes requested to implement it.  There is at least one
>    implementation that supports it.  The downside of such allocation is
>    that the client now discloses its identifier in its IPv6 address to
>    all services it connects to.  That means that correlation of
>    activities over time, location tracking, address scanning and OS/
>    vendor discovery apply.
> ---- cut here ----
> P.S.: En fin:
> <https://tools.ietf.org/html/draft-gont-predictable-protocol-ids-00>...

Fernando Gont
SI6 Networks
e-mail: fgont en si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

Más información sobre la lista de distribución Seguridad