How can we combat active host tracking with traditional SLAAC addresses?

To address the privacy problems of traditional SLAAC addresses, the IETF produced RFC 4941, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", usually referred to simply as "temporary addresses". The RFC 4941 mechanism works as follows:

• A temporary address is an IPv6 address whose IID is generated randomly, and which is regenerated periodically.

• Temporary addresses are used in addition to traditional SLAAC addresses. That is, a node implementing RFC 4941 has both temporary addresses and the traditional (stable) SLAAC address.

• Temporary addresses are used for outgoing connections, while the traditional SLAAC address is used for incoming connections. That is, the traditional SLAAC address remains in use whenever a stable address is needed.

However, temporary addresses have several drawbacks: they do not prevent address-scanning attacks, they do not fully mitigate host tracking, and they usually increase the complexity of network operation. Because temporary addresses are used alongside (rather than instead of) the traditional SLAAC address, they offer practically no protection against address scanning.

Nor do temporary addresses fully solve host tracking. For example, if an attacker knows the IID used by the victim's traditional SLAAC address, and knows the networks the victim is likely to connect to, the attacker can combine each candidate network prefix with that IID and actively probe the resulting addresses to learn which network the victim is currently attached to.

The key point is that as long as the IID stays constant across networks, an attacker can use it to track the host. Temporary addresses only mitigate passive host tracking (for example, tracking by an attacker-controlled server that the victim connects to); active host tracking, in which the attacker sends probe packets to the target, remains possible.
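The following is an added audit script, not part of the original article or of any vendor tool, that shows the defender's side of the point just made: given an inventory of addresses a host has used (the list below is constructed for the example), it reports every IID that appears under more than one /64 prefix, since such an IID is exactly the handle active tracking relies on, and it flags whether the IID is a modified EUI-64 derived from the MAC address. The address set, the interface names and the helper names are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def split_address(addr: str) -> Tuple[bytes, bytes]:
    """Split an IPv6 address into its 64-bit prefix and its 64-bit interface identifier."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[:8], packed[8:]


def is_modified_eui64(iid: bytes) -> bool:
    """Modified EUI-64 IIDs (RFC 4291) embed the bytes 0xff 0xfe between the two MAC halves."""
    return len(iid) == 8 and iid[3] == 0xFF and iid[4] == 0xFE


def mac_from_iid(iid: bytes) -> Optional[str]:
    """Recover the MAC from a modified EUI-64 IID; None if the IID is not EUI-64 based."""
    if not is_modified_eui64(iid):
        return None
    first = iid[0] ^ 0x02            # RFC 4291 flips the universal/local bit; flip it back
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def iid_text(iid: bytes) -> str:
    """Render an IID in the usual four-group hex form, e.g. a00:27ff:fe89:7878."""
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:x}" for i in range(0, 8, 2))


def tracking_handles(addresses: List[str]) -> Dict[str, dict]:
    """Report each IID seen under more than one /64 prefix.

    Such an IID lets a remote party recognise the same host across networks,
    which is what active host tracking relies on.
    """
    by_iid = defaultdict(set)
    for addr in addresses:
        prefix, iid = split_address(addr)
        net = ipaddress.IPv6Network((ipaddress.IPv6Address(prefix + bytes(8)), 64))
        by_iid[iid].add(str(net))
    report = {}
    for iid, prefixes in by_iid.items():
        if len(prefixes) > 1:
            report[iid_text(iid)] = {
                "prefixes": sorted(prefixes),
                "eui64_mac": mac_from_iid(iid),   # non-None means the IID leaks the MAC too
            }
    return report


# Constructed inventory: one host seen on two networks with a stable SLAAC address
# plus a different temporary address on each network.
SAMPLE_ADDRESSES = [
    "2001:db8:1::a00:27ff:fe89:7878",    # traditional SLAAC address on network 1
    "2001:db8:2::a00:27ff:fe89:7878",    # same IID on network 2: trackable
    "2001:db8:1::3c4e:9a1f:77b2:c1d",    # temporary address on network 1
    "2001:db8:2::e1f0:5b3a:2d9c:4477",   # temporary address on network 2
]

if __name__ == "__main__":
    for iid, info in tracking_handles(SAMPLE_ADDRESSES).items():
        print(f"IID {iid} seen on {', '.join(info['prefixes'])}; EUI-64 MAC: {info['eui64_mac']}")
```

Only the stable IID is reported: the two temporary addresses each appear under a single prefix, which is why they do not help an active tracker but also do not hurt. The same check run over DHCP or neighbour-cache exports tells an operator which hosts still carry a MAC-derived IID.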

Active host tracking

scan6, part of the SI6 Networks IPv6 Toolkit, is an IPv6 address-scanning tool that can also perform active IPv6 host tracking. It provides options to specify the networks a target node may attach to and the stable interface ID that node uses.

For example, suppose an attacker knows that the IID of a node's traditional SLAAC address is a00:27ff:fe89:7878, and that the node only ever connects to the networks 2001:db8:1::/64 and 2001:db8:2::/64. The attacker could then run scan6 as follows:

# sudo scan6 -i eth0 -d 2001:db8:1::/64 -d 2001:db8:2::/64 -W a00:27ff:fe89:7878 -l -z 60 -t -v

scan6 then probes the addresses 2001:db8:1::a00:27ff:fe89:7878 and 2001:db8:2::a00:27ff:fe89:7878 every 60 seconds. As noted above, this works even if the target node uses temporary addresses, because temporary addresses are used in addition to the traditional SLAAC address.

scan6 can also read the target IIDs and the target network prefixes from files:

# sudo scan6 -i eth0 -m PREFIXES.TXT -w IIDS.TXT -l -z 60 -t -v

Here scan6 takes the target IPv6 prefixes from the file PREFIXES.TXT and the IIDs of the target nodes from the file IIDS.TXT.

Possible solutions

Temporary addresses do help against correlation of a node's activities, because they make it hard for a remote attacker to link many separate communication sessions to the same node.

To eliminate host tracking entirely, nodes must stop using IIDs that remain constant across networks. An IETF proposal, "A Method for Generating Stable Privacy-Enhanced Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC)", addresses exactly this. With it:

• The generated IPv6 address stays constant within a given network (for example, a host gets the same address every time it connects to the same network), so network operations are not negatively affected.

• When a host moves from one network to another, its IPv6 address changes, which defeats host tracking.
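To make the two properties concrete, here is an added example, not code from the article or from any operating system's implementation, of the stable-privacy scheme the proposal describes (later published as RFC 7217): the IID is a pseudo-random function of the network prefix, the interface, an optional network identifier, a DAD counter and a per-host secret key. The choice of HMAC-SHA256 as the function, the interface name "eth0", the secret key and the two prefixes are assumptions made for the example. An RFC 4941-style random temporary IID is generated alongside for contrast.

```python
import hashlib
import hmac
import ipaddress
import secrets

# IIDs that must never be assigned; the all-zero subnet-router anycast IID is the
# obvious one, and RFC 5453 reserves others (omitted here for brevity).
RESERVED_IIDS = {bytes(8)}


def prefix_bytes(prefix: str) -> bytes:
    """The 64-bit network prefix, e.g. '2001:db8:1::/64' -> 8 bytes."""
    return ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]


def stable_privacy_iid(prefix: str, net_iface: str, network_id: str,
                       secret_key: bytes, dad_counter: int = 0) -> bytes:
    """IID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    F is HMAC-SHA256 here (assumed). Because the prefix is an input, the IID is
    the same every time the host joins the same network and different on any
    other network, with no per-network state to remember.
    """
    pfx = prefix_bytes(prefix)
    while True:
        msg = pfx + net_iface.encode() + network_id.encode() + dad_counter.to_bytes(4, "big")
        iid = hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]
        if iid not in RESERVED_IIDS:
            return iid
        dad_counter += 1   # same escape hatch as a DAD collision: bump the counter, retry


def temporary_iid() -> bytes:
    """RFC 4941-style temporary IID: 64 random bits with the universal/local bit cleared."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD          # bit 0x02 of the first byte is the u/l bit
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> str:
    """Concatenate a /64 prefix and an IID into a full IPv6 address."""
    return str(ipaddress.IPv6Address(prefix_bytes(prefix) + iid))


# Constructed demonstration values: a per-host secret and two networks the host roams between.
DEMO_KEY = b"constructed-per-host-secret-do-not-reuse"
NET_A = "2001:db8:1::/64"
NET_B = "2001:db8:2::/64"


def roaming_demo() -> dict:
    """Return the stable-privacy address on each network, joining network A twice."""
    return {
        "A_first": slaac_address(NET_A, stable_privacy_iid(NET_A, "eth0", "", DEMO_KEY)),
        "A_again": slaac_address(NET_A, stable_privacy_iid(NET_A, "eth0", "", DEMO_KEY)),
        "B": slaac_address(NET_B, stable_privacy_iid(NET_B, "eth0", "", DEMO_KEY)),
    }


if __name__ == "__main__":
    for label, addr in roaming_demo().items():
        print(f"{label}: {addr}")
    print("temporary:", slaac_address(NET_A, temporary_iid()))
```

The important property is that the low 64 bits of the address on network A and on network B share nothing, so an observer who learned the IID on one network gains no handle to probe for on the other, while the address on network A is identical across reconnections and so remains usable for inbound connections and logging.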

The standard is expected to be completed by the end of this year. Although several vendors have expressed their intention to support this method, it will take some time before it is deployed widely enough to resolve the security and privacy problems of IPv6 addressing.
