Wednesday, 26 November 2014

Privacy IP addressing

Privacy addressing is a mechanism for making it harder to tie an IP address back to a particular device.

Without privacy addresses

Without privacy addressing, the normal way a device gets an IP address (with the current version of IP, which is IP version 6) is to combine 64 bits of network prefix with 64 bits derived from its MAC address.

The MAC address is a unique address tied to the device's interface hardware. However, it is important to realise that it exists to make the Ethernet protocol work, and is not intended as an identifier. MAC addresses can be spoofed or changed.

This may sound somewhat technical, but the upshot, in simple terms, is this: if I use my iPhone at home and access a web site, then later use it in a coffee shop in Bracknell and access the same web site, and later still use it at my mate's house in Gloucester and access the same web site, then the web site logs will show that the same device was used (from the MAC address embedded in my IP address) and can profile where I am going and when.

What is a privacy address

A privacy address is an extra address the device assigns itself in the same network, but with a random part rather than one derived from the device's MAC address. It then uses that address when you access things on the Internet, like web sites.

This means that the web site logs show a totally different address for each place the device is used.

It can also change the address over time, so even using the same device from the same place, it may appear to come from a different IP address 10 minutes later.
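The two address forms described above, as an added example (this is not code from the post or from FireBrick): it builds the MAC-derived address a device forms without privacy extensions (RFC 4291, Appendix A), makes a random identifier in the style of the RFC 4941 privacy extensions, and then runs over a couple of constructed web-log lines to show which hits can be tied back to a MAC and which cannot. The prefix, MAC and log lines are constructed values.

```python
"""MAC-derived (EUI-64) versus privacy interface identifiers in IPv6.

Added example; not code from the post or from FireBrick."""
import ipaddress
import re
import secrets
from typing import List, Optional, Tuple

IID_MASK = (1 << 64) - 1   # low 64 bits of an address: the interface identifier
U_BIT = 1 << 57            # the universal/local bit (0x02 of the IID's first octet)


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 identifier from a 48-bit MAC (RFC 4291, Appendix A):
    split the MAC in two, insert ff:fe in the middle, invert the u/l bit."""
    octets = bytearray.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a device forms without privacy extensions: /64 prefix + EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def privacy_iid() -> int:
    """A temporary identifier in the style of RFC 4941: 64 random bits with the
    u bit cleared, so it can never look like a globally unique EUI-64."""
    return secrets.randbits(64) & ~U_BIT


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """A privacy address: the same /64 as slaac_address(), random low 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | privacy_iid())


def mac_from_address(addr) -> Optional[str]:
    """Recover the MAC if the identifier has the EUI-64 shape (ff:fe in the
    middle and u bit set); None for privacy addresses and anything else.
    A random identifier could only match by chance, and RFC 4941 clears the u bit."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    if ((iid >> 24) & 0xFFFF) != 0xFFFE or not (iid & U_BIT):
        return None
    raw = bytearray(iid.to_bytes(8, "big"))
    raw[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in raw[:3] + raw[5:])


# Constructed web-server log: two hits from the same /64, the first from a
# MAC-derived address and the second from a privacy address.
SAMPLE_LOG = """\
2014-11-26T10:01:02 2001:db8:1:2:21b:21ff:fe0c:1a22 GET /index.html
2014-11-26T10:11:45 2001:db8:1:2:b4c1:9a3e:7d02:5f18 GET /index.html
"""


def classify_log(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """For each log line: (address, 'eui64' or 'privacy/other', recovered MAC)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mac = mac_from_address(fields[1])
        rows.append((fields[1], "eui64" if mac else "privacy/other", mac))
    return rows


if __name__ == "__main__":
    print(slaac_address("2001:db8:1:2::/64", "00:1b:21:0c:1a:22"))
    print(temporary_address("2001:db8:1:2::/64"))
    for row in classify_log(SAMPLE_LOG):
        print(row)
```

The first log line decodes to the MAC 00:1b:21:0c:1a:22, which is exactly the correlation across locations the post describes; the second cannot be decoded, and a fresh temporary address is a different random value every time it is generated.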

Why do they exist?

The old way of working (IPv4) often used NAT (Network Address Translation), which meant that the IP address seen by a web site was the same for everyone on a network (e.g. in a home or an office). There was no part of the IP address that related to the device or that could be tracked from one place to another.

With IPv6 people wanted to retain this same level of obscurity and anonymity. NAT was always a bodge and against the basic design of IP, but this obscurity feature was a hurdle for people adopting IPv6, hence privacy addressing (another bodge).

The old system also meant that it was hard to tell how many devices were on a network, as they all appeared with one IP. With IPv6 and no privacy addressing, an ISP could easily see how many separate Apple devices you have, and so on.

What is wrong with privacy addresses?

There are several problems. One is a false sense of security. A web site can track a device by cookies or browser fingerprinting. And if you are talking about a common web site you use like FaceBook or Twitter, they probably have some sort of login, and even location services telling them exactly where you are, anyway.

There are, however, various problems for system administrators. Even in our small company it is useful for devices to have a consistent IP address. That can then be given a name in reverse DNS and show up in logs. These can be spoofed, just like MAC addresses, so I am not talking about security (not on its own), but about logging and so on. Basically it is handy to be able to track things to a device, the same as what the government want to do, but in an office and with the agreement of the users.

There are also some rather technical issues that have happened on large networks where the constantly changing addresses and use of multicast actually cause serious problems with the network.

The RFC says you should be able to turn the feature off, but many devices don't let you!

What did FireBrick do?

We added a feature a little while ago to undo privacy addressing by mapping the IP address used back to one based on the MAC.

Why? For a start, for the convenience of my devices having a consistent IP address. But we also did this as an experiment, and to highlight the false sense of security that privacy addresses offer. After all, the coffee shop you are using could be doing this!

Anyway, the experiment is over and the feature is being removed from the next release.

What about the future of privacy?

Well, I expect there to be calls now to have devices randomise their MAC addresses. It is technically possible, and if done right it could just work. It would help maintain some level of privacy that cannot be thwarted by features such as the one we put in the FireBrick. I will be surprised if Android can't do this already, and it will be interesting if Apple follow. Apple already do this for probe packets on WiFi to avoid the tracking of Apple devices, so I expect they will soon for normal traffic. That will also have the advantage of thwarting any device level tracking for the old IP protocol (IPv4).

Only IPv6?

Some will say this is irrelevant as it is only IPv6, and mostly people still use IPv4 - but bear in mind that if you are accessing FaceBook, and you have IPv6, that is what will be used. It is only a matter of time before IPv6 finally hits the mainstream ISPs and at that point the very traffic that the government would like to track will be IPv6.

14 comments:

  1. I've set up an eduroam wifi installation - as part of this the upstream University was providing the routing, but needed me to keep track of what IPs each MAC (which I could subsequently tie to a user via the RADIUS logs) was assigned.

    With IPv4 this is trivial using DHCP - for IPv6 it gets more complicated, as privacy addressing means SLAAC was no good (unless we controlled the routing so could do something similar to what is described above), so we had to use DHCPv6. This required getting the University to amend their RAs so they didn't set the 'A' flag on the prefix, and set the 'M'anaged flag on the overall RA so clients would actually try DHCPv6.

    Also, unfortunately Android doesn't support DHCPv6, so we're now in a situation where Android has no IPv6, though everything else we've tried does. What's ultimately disappointing is that it was far more complicated than doing the equivalent for IPv4, which likely explains why the University isn't providing IPv6 on any of their 'in house' eduroam deployments :(

    (Yes I know none of this stops anybody spoofing an IPv4 or IPv6 address anyway once they're on the network)

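The router advertisement change described in this comment, written as a radvd configuration. This is an added example, not the commenter's or the University's configuration, and the interface name and prefix are placeholders. The prefix is advertised on-link but not autonomous, so clients do not form SLAAC addresses (and therefore no privacy addresses), and the Managed flag tells them to obtain addresses via DHCPv6.

```conf
# radvd.conf (constructed example): an RA that steers clients to DHCPv6
interface eth0
{
    AdvSendAdvert on;
    AdvManagedFlag on;         # 'M' flag: addresses come from DHCPv6
    AdvOtherConfigFlag on;     # 'O' flag: other settings (DNS etc.) from DHCPv6
    prefix 2001:db8:1:2::/64   # placeholder prefix
    {
        AdvOnLink on;
        AdvAutonomous off;     # no 'A' flag: no SLAAC, hence no privacy addresses
    };
};
```

With AdvAutonomous left on (the default), clients would still autoconfigure from the prefix alongside DHCPv6, which defeats the purpose of the change; as the comment notes, a client with no DHCPv6 support will get no address at all under this configuration.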
  2. I'd be interested to hear your opinions on paragraph 124 here:
    http://www.publications.parliament.uk/pa/bills/cbill/2014-2015/0127/en/15127en.htm

  3. I like to track in logs my IPv6 devices at home. This works great for everything (Windows lets me turn off privacy addressing) except for my iPad, which has no way to turn it off. This makes it not compliant to the relevant RFC for privacy addressing, which says it should be off by default and configurable by the user. Do companies not bother complying with the relevant standards any more?

    The only devices I have which appear to comply with the relevant RFC are Windows Home Server V1 (IPv6 stack doesn't support privacy at all, it's not mandatory) and Raspbian on my Pi (it's off, and I haven't checked if it has the option to enable it).

  4. You say it is inevitable IPv6 will go mainstream. No it isn't, BT have enabled Carrier Grade NAT and I expect Virgin to follow suit. They basically don't want to spend any money on investment because they want to maximise shareholder revenues. Nothing will change this.

    I asked about IPv6 at work and was told it will never happen, the lack of NAT means it is insecure and unmanageable. The management issue is genuine, with NAT you can change ISP and you don't need to renumber your internal network but with IPv6 it's more of a problem unless you get your own IPv6 address block allocated rather than using an ISP supplied one. As for NAT on IPv6, I've heard and read conflicting information on whether that exists with standards etc, so I don't know what to believe.

    Replies
    1. CGNAT is expensive and prone to problems. ISPs do not want to do it, but some have little choice. The more traffic they can keep off CGNAT the more they save, meaning they want FaceBook, Google, Akamai and so on to be using IPv6 if they can.

      Also, the Counter-Terrorism and Security Bill is about to make CGNAT much more expensive as now they have to log all the NAT sessions and keep them for a year and have a way to ensure they are secure and a means to search them and so on. The business use would have been short term, would not need to be 100%, and only for diagnostics and internal use. The DRIPA requirements are much more expensive.

    2. CGNAT isn't a long term alternative to running out of address space. Assuming that each customer would want 500 ports open at once (probably an over estimate at this point, but things are getting there) each IP address can only support 65535 /500 = 130 customers. That's a lot more than 1 per IP address, but address usage is increasing rapidly.

      Just because people are deploying CGNAT, doesn't mean they are not also deploying IPv6. In the short term CGNAT will be required for those that run out of IPv4 address space to reach what remains IPv4 only (or some other transition technology...)

      BT have a website about their IPv6 rollout plans: http://www.ipv6.bt.com/
      Plusnet have an IPv6 trial: http://community.plus.net/forum/index.php?board=70.0

      It's slow, but it is happening.

      "...the lack of NAT means it is insecure and unmanageable"
      The big misconception about NAT is that it provides security. It doesn't. Google for "NAT is not security" and you will find thousands of articles explaining exactly why it isn't. If you want security, you want a firewall. These are two completely different concepts. NAT is just a band aid to eke out the address exhaustion problem.

      "...with NAT you can change ISP and you don't need to renumber your internal network but with IPv6 it's more of a problem ..."
      Changing ISP does not mean you have to renumber with IPv6 either... at least not manually. One of the big features of IPv6 is autoconfiguration.

      Your ISP will delegate your router a /64 of address space. When your computers come online they will perform a router discovery. Your router will respond with the /64 that has been allocated, and the computer will work out its IP address. If you change ISP, when your router connects it will get a different /64. Your machines will then correctly configure themselves with the new address.

      NAT on IPv6 doesn't (formally - as far as I'm aware) exist as it's not required. It is a tool to make address space go further which is just not needed.

    3. I'm fully aware NAT is no substitute for a firewall, hence I didn't list it as a real problem. Unfortunately our IT department at work appear not to agree, and there's nothing that I as a software developer can do about it.

      I don't agree on IPv6 addresses though, with getting a /64 delegation from your ISP. If you have DNS for all your machines as we do, then you need to change all your DNS entries and wait for the change to propagate etc. IPs in logging change, and we have security requirements that involve tracking what employees do long term by IP addresses.

      I was online at work in the far off days of 1995. We had two Class C's allocated to the company, not our ISP. All our PCs had worldwide public IP addresses, I'm fully aware there's no need for NAT for security. We moved ISP and everything stayed the same in our addressing, it was great. Personally I expect IPv6 to work like that, including having address blocks allocated to companies and private individuals. I see no reason why we all have to get an IPv6 address block from our ISP.

    4. I have a PI block of IPv6 at home and that works a treat. Way better than NAT and IPv4

    5. I don't really know what your use case is, but if you want to log addresses then that should be quite easy and possible using IPv6. I can think of a couple of options.

      If you do change ISP, then just the top 64 bits of your address should change. This makes updating your DNS records fairly simple. A quick search/replace on a zone file should do the trick. Same for logging, you just need to record the bottom 64 bits to identify the employee. You need to disable privacy addresses for local services, and put in other security to prevent an employee changing their IP/MAC address though. (This is the same for IPv4)

      Alternatively you could do something like the following. Use your normal delegated /64 prefix for Internet connectivity, and issue all machines a second address out of FC00::/7. Use this second address for your DNS records etc, and for accessing internal services. Apply firewalls to only allow connections from this prefix from local services.

      The third method, and from what you are saying probably the most desirable, is to do as Adrian says and get a block of IPv6 address space from RIPE via your ISP. There is a cost to do this, but I don't think it's excessive. Your ISP then routes this to you. All ISPs I have worked for in the past have been happy to help with this. It's an easy way for them to make a few quid.

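The prefix change described in this comment, as an added example (not the commenter's code): assuming the delegated block is a /64 and the zone is in ordinary master-file format, it moves every AAAA record under the old prefix to the new one while leaving the low 64 bits, the part that identifies the machine, untouched. Each address is parsed rather than text-replaced, because zero groups in a prefix can be folded into "::" and would then not match a textual search for the expanded prefix. The zone, prefixes and addresses are constructed values.

```python
"""Renumber AAAA records from one /64 to another, keeping the low 64 bits.

Added example; not code from the post or from any commenter."""
import ipaddress
from typing import Dict

IID_MASK = (1 << 64) - 1   # the interface identifier: low 64 bits of an address

# Constructed zone fragment. The first two hosts are in the ISP-delegated /64;
# the third is on a ULA prefix (within FC00::/7) and must not be touched.
OLD_ZONE = """\
$ORIGIN example.org.
www    IN AAAA 2001:db8:1234:1:21b:21ff:fe0c:1a22
mail   IN AAAA 2001:db8:1234:1:250:56ff:fe9a:1b2c
intra  IN AAAA fd12:3456:789a:1::1
"""


def renumber_zone(zone: str, old_prefix: str, new_prefix: str) -> str:
    """Rewrite every AAAA record inside old_prefix to the same identifier under
    new_prefix. Records outside old_prefix and non-AAAA lines pass through."""
    old = ipaddress.IPv6Network(old_prefix, strict=False)
    new = ipaddress.IPv6Network(new_prefix, strict=False)
    if old.prefixlen != 64 or new.prefixlen != 64:
        raise ValueError("both prefixes must be /64")
    out = []
    for line in zone.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[-2].upper() == "AAAA":
            addr = ipaddress.IPv6Address(fields[-1])
            if addr in old:
                moved = ipaddress.IPv6Address(
                    int(new.network_address) | (int(addr) & IID_MASK))
                # replace only the address token, keeping the line's spacing
                line = line[: line.rfind(fields[-1])] + str(moved)
        out.append(line)
    return "\n".join(out) + "\n"


def record_addresses(zone: str) -> Dict[str, str]:
    """Owner name -> address for every AAAA record; used to check the result."""
    result = {}
    for line in zone.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[-2].upper() == "AAAA":
            result[fields[0]] = fields[-1]
    return result


if __name__ == "__main__":
    print(renumber_zone(OLD_ZONE, "2001:db8:1234:1::/64", "2001:db8:abcd:9::/64"))
```

Because only the top 64 bits move, the low 64 bits of each host's address, and so any log correlation keyed on them, survive the change of ISP; that only holds while privacy addresses are disabled on those hosts, as the comment says.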
    6. What I haven't yet seen a good answer for with IPv6 is how to perform load balancing on two independent (consumer / small business level) connections.

      With IPv4 I can get two connections, and then with an off the shelf router perform simple load balancing / failover using them. I don't know how I do that for IPv6, as each connection will have a different prefix allocated to me by the ISP - I suppose failover would be possible by updating the RA if the active link fails to use the other prefix, but for load balancing I can't see how it would be done....

    7. Again, having your own address space is the easiest answer. Have both upstream ISPs route it to your connection (Will work perfectly well with DSL, as well leased lines).

      It won't be possible to get perfect 50/50 load balancing, but it would provide almost seamless failover. The only thing you need to make sure is your upstream ISP withdraws the route if your connection fails.

    8. In an ideal world yes, but I often set this sort of thing up for customers who insist on one line being eg BT retail - I can just imagine the reaction if I call them up and ask them to start announcing/routing some PI to an ADSL/FTTC link...

    9. I would imagine BT Business would have no issue with doing that for you.

    10. Well, at the moment they have no native IPv6 at all on ADSL/FTTC services so no way to find out, but given the hassle involved in moving to a static IPv4 address (in terms of trying to talk to someone who actually understood what one was, let alone how to add one on through their system), I don't hold out much hope ;)
