Hacker News
by simoncion 1247 days ago
From the recommendations document:

> The assigned IPv6 address incorporates media access control (MAC) address information from the network interface and may allow for host identification via interface ID, network interface card, or host vendor.

How long has it been since NSA has looked at generally available OSs with IPv6 support? IPv6 "Privacy Addresses" are a thing that's on by default everywhere (and a damn thorn in my side). SLAAC has, for ages, been using an identifier that's a combination of a randomly generated ID and the subnet that the address is being generated for, rather than the MAC address of the NIC, for address generation. (This is yet another thing that I revert to the old behavior.)

They go on to recommend disabling SLAAC and using only DHCPv6. Does NSA know something exploitable about common DHCPv6 implementations that we don't? ;)

> ...a dual stack DNS implementation may need to support both A and AAAA records.

It's weird to say "dual stack DNS implementation". DNS servers can store A and AAAA records, regardless of whether their host is doing "dual stack" addressing or not. (If yours cannot, then by golly, you fucked up when you wrote your DNS server.)

2 comments

> They go on to recommend disabling SLAAC and using only DHCPv6. Does NSA know something exploitable about common DHCPv6 implementations that we don't? ;)

This is what they say:

> NSA recommends assigning addresses to hosts via a Dynamic Host Configuration Protocol version 6 (DHCPv6) server to mitigate the SLAAC privacy issue. Alternatively, this issue can also be mitigated by using a randomly generated interface ID (RFC 4941 – Privacy Extensions for Stateless Address Auto-configuration in IPv6) [1] that changes over time, making it difficult to correlate activity while still allowing network defenders requisite visibility

Debian 11 VMs that I was setting up last week were getting non-privacy SLAAC addresses. So I am skeptical of how common it is to default to privacy addresses.
Strange:

> A solution to this are IPv6 privacy extensions (which Debian enables by default if IPv6 connectivity is detected during initial installation), which will assign an additional randomly generated address to the interface, periodically change them and prefer them for outgoing connections. Incoming connections can still use the address generated by SLAAC.

* https://debian-handbook.info/browse/stable/sect.ipv6.html

* https://manpages.debian.org/bullseye/ifupdown/interfaces.5.e...

Yeah. I've run several major Linux distros, Windows 10 and 7, and several major versions of OSX. All had "privacy addresses" on by default, which is annoying as shit.
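The disagreement in this thread (the NSA text quoted at the top, simoncion's reply about privacy addresses, and the Debian 11 report further down) comes down to one observable fact per host: does any of its IPv6 addresses carry the NIC's MAC in the interface identifier, and which ones are RFC 4941 temporary addresses? The check below is an added example written for this page, not code from the thread or from NSA. It parses `ip -6 addr show` output (the sample below is constructed, using the RFC 3849 documentation prefix and a made-up MAC) and recovers the MAC from any modified-EUI-64 interface ID, the 0xfffe marker and flipped U/L bit that RFC 4291 specifies.

```python
"""Audit a host's IPv6 addresses for MAC-derived (modified EUI-64) interface IDs.

Added example for this discussion, not code from the thread. Feed `audit()`
the real output of `ip -6 addr show` on a Linux host; the sample below is
constructed so the script runs offline.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ip -6 addr show` output: RFC 3849 documentation
# prefix, a made-up MAC, one temporary (RFC 4941) and two EUI-64 addresses.
SAMPLE_IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:789a/64 scope global temporary dynamic
       valid_lft 604637sec preferred_lft 85437sec
    inet6 2001:db8:1:2:216:3eff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 2591937sec preferred_lft 604737sec
    inet6 fe80::216:3eff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

# One `inet6 <addr>/<plen> scope <scope> <flags...>` line from `ip -6 addr`.
INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\w+)(.*)$")


@dataclass
class AddrReport:
    address: str
    scope: str
    temporary: bool          # kernel flagged it as an RFC 4941 temporary address
    mac: Optional[str]       # MAC recovered from a modified-EUI-64 IID, if any


def mac_from_eui64(address: str) -> Optional[str]:
    """Return the MAC embedded in a modified-EUI-64 interface ID, else None.

    RFC 4291 forms the IID by splitting the 48-bit MAC, inserting 0xfffe in
    the middle and flipping the universal/local bit (0x02 of the first octet).
    Caveat: a random 64-bit IID matches the 0xfffe marker with probability
    2^-16, so treat a hit as strong evidence, not proof.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L flip
    return ":".join(f"{b:02x}" for b in octets)


def audit(ip_addr_output: str) -> List[AddrReport]:
    """Classify every inet6 address in `ip -6 addr show` output."""
    reports = []
    for line in ip_addr_output.splitlines():
        m = INET6_LINE.match(line)
        if not m:
            continue
        addr, _plen, scope, flags = m.groups()
        reports.append(AddrReport(
            address=addr,
            scope=scope,
            temporary="temporary" in flags.split(),
            mac=mac_from_eui64(addr),
        ))
    return reports


def leaking_addresses(ip_addr_output: str) -> List[str]:
    """Addresses whose interface ID exposes the NIC's MAC."""
    return [r.address for r in audit(ip_addr_output) if r.mac is not None]


if __name__ == "__main__":
    for r in audit(SAMPLE_IP_ADDR_OUTPUT):
        if r.temporary:
            verdict = "temporary (RFC 4941)"
        elif r.mac:
            verdict = f"EUI-64, leaks MAC {r.mac}"
        else:
            verdict = "opaque IID"
        print(f"{r.address:40} {r.scope:7} {verdict}")
```

On the constructed sample the temporary address reports no MAC, while both the global `mngtmpaddr` address and the link-local address yield `00:16:3e:12:34:56`: exactly the situation the Debian handbook quote describes, where outgoing connections prefer the temporary address but the SLAAC address (and the link-local one) still carry the MAC and remain reachable. Note that `temporary` tells you only that the kernel generated the address under RFC 4941; it cannot distinguish an RFC 7217 stable-privacy IID from a plain random one, since neither carries a marker. On Linux the relevant sysctls are `net.ipv6.conf.<iface>.use_tempaddr` (0 off, 1 generate but prefer the stable address, 2 generate and prefer temporaries) and `net.ipv6.conf.<iface>.addr_gen_mode` (0 for EUI-64, 2 for RFC 7217 stable-privacy, which also needs `stable_secret` set); the ifupdown `interfaces(5)` page linked above exposes the first of these as `privext`.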