Christian Huitema's blog


IPv6, Privacy and the IEEE 802 identifiers

02 Apr 2011

Recently, I found myself writing to an IPv6 IETF mailing list that a critical part of the IPv6 design “looked like a good idea at the time” but in fact was not. Back when we were designing IPv6, we chose a simple address structure: 64 bits for the prefix designating the subnet, and then 64 bits for the host identifier. That structure enabled automatic address configuration: the computers learn the prefix from the router advertisement, and can automatically compose the address by combining it with their host identifier. Of course, this only works if host identifiers are unique within the subnet, but we had a simple solution for that. We could just derive the host identifier from the unique IEEE 802 identifier embedded in the Ethernet or wireless interface, and voilà, automatic configuration with minimal risk of collisions. It really looked like a good idea at the time.

We were actually surprised when a few years later privacy advocates protested against that design. Embedding a unique number in the address allowed web sites to easily track users! The IETF reaction was to create a variant of IPv6 addresses, dubbed “privacy addresses” – see RFC 3041 later updated by RFC 4941 and the message on the subject from Steve Deering and Bob Hinden.

Privacy addresses have been implemented in Windows and in IOS, but there is still some resistance to their use. A lot of network management practices rely on tracking computers by addresses, so network administrators don’t really like the idea of computers hiding their identities by changing addresses over time. So we still have lots of networks where administrators insist on disabling the “privacy” features. That was perhaps acceptable when computers were statically bound to desks, but in a world of laptops and tablets, that is very counter-productive. The simple prohibition means that when a laptop moves out of the managed network it will still not use temporary addresses. For example, when it connects to the Wi-Fi network at the airport or in a café, it will continue to build the IPv6 address using the MAC address of the Wi-Fi interface. By insisting on stable addresses in their network, the administrators are enabling online tracking of their users!

Of course, administrators are in a pickle. They tend to care about user privacy, but they have conflicting requirements, and they really need to be able to manage their network. This is a problem that the IETF and the industry have to solve. The design is simple, although the details probably need a lot of work. Instead of relying on MAC addresses, the addresses could be formed with a hash of the MAC address, the prefix, and maybe a security key provided by the administrators. But before any standard happens, the problem has to be acknowledged. Let’s hope that this short note will contribute to the solution!
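
The two address constructions discussed in this post, side by side, as an added example that is not part of the original post: the MAC-derived host identifier stays the same on every network, while a keyed hash of MAC and prefix is stable inside one subnet but different in the next. The choice of HMAC-SHA-256, the truncation to 64 bits, and all sample values (MAC, prefixes, key) are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

def mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit IEEE 802 address")
    return raw

def join(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 subnet prefix with a 64-bit host identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this address structure needs a 64-bit prefix")
    return net[int.from_bytes(iid, "big")]

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Original design: MAC with ff:fe inserted and the universal/local bit flipped."""
    m = mac_bytes(mac)
    return join(prefix, bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:])

def hashed_address(prefix: str, mac: str, key: bytes) -> ipaddress.IPv6Address:
    """Proposed design: keyed hash of prefix and MAC (HMAC-SHA-256 is an assumption)."""
    net = ipaddress.IPv6Network(prefix)
    msg = net.network_address.packed[:8] + mac_bytes(mac)
    return join(prefix, hmac.new(key, msg, hashlib.sha256).digest()[:8])

def host_id(addr: ipaddress.IPv6Address) -> str:
    """Low 64 bits of the address, as hex: the part a web site could track."""
    return addr.packed[8:].hex()

# Constructed sample values: documentation prefixes, a made-up MAC and key.
MAC = "00:11:22:33:44:55"
OFFICE, CAFE = "2001:db8:aaaa:1::/64", "2001:db8:bbbb:2::/64"
KEY = b"constructed-admin-key"

if __name__ == "__main__":
    for name, net in (("office", OFFICE), ("cafe", CAFE)):
        print(name, "EUI-64:", eui64_address(net, MAC))
        print(name, "hashed:", hashed_address(net, MAC, KEY))
```

Because the hashed form is deterministic, anyone holding the key, the prefix and the MAC address can recompute the address, while an observer comparing the office and café addresses sees unrelated host identifiers.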