Overblog Suivre ce blog
Editer l'article Administration Créer mon blog
16 septembre 2013 1 16 /09 /septembre /2013 15:52

This post will review the question of anonymity and stealthiness in regard to IPv6.
We'll see the available SLAAC and DHCPv6 options, as well as the implications of the size of an /64 subnet.

IPv6 relies on ICMPv6 for its good functionning, when ICMPv4 is mere a diagnostic tool.
Furthermore, IPv6 Simple Security ( RFC6092 ) expects some ICMPv6 traffic to pass freely and unrestricted ( notablally outbound Echo request, inbound Echo reply, Time Exceeded and Parameter problem ).

Let's review the mechanisms implemented to provide some privacy, and evaluate the implications of the size of a /64 subnet


You may want to read first this post about Windows IPv6 Privacy Extentions.




Privacy mechanisms

IPv6 addresses should be choosen in a non-linear, unpredictable way, for obvious reasons.
this can be done by three means :

. Static IP, using a random-IP generator

. DHCPv6, when the DHCPv6 Server can randomize addresse pool leases :

. SLAAC, by :

    . using a random, temporary, outgoing IP address
    . using a fixed, one-time randomized, IP address for Server inbound requests

please note that DHCPv6 randomization is implemented on the DHCPv6 server,
where SLAAC randomization is implemented on the client PC.

the outbound address used by SLAAC is re-randomized at each reboot or off/on cycle of the IPv6 stack ( disable / enable )
the inbound address host-ID used by SLAAC seems one-time randomized at the OS installation, and won't change unless a full OS re-install is performed

a few exemples of privacy implementations

DLink DIR-626L DHCPv6 :

        is linear
        only the last 4 nibbles of the subnet are leaseable ( 0000 -) FFFF )
        = 65 536 possibilities



CSB RV110W :


           does full randomize over a whole /64 subnet

           allows the creation of address pools



WS 2008 R2 DHCPv6 Server :


          does full randomize over a whole /64 subnet

the /64 subnet size and privacy implications

as a /64 subnet holds over 16 billion billion IP, let's try to estimate how well a randomized IP is hidden among these ( that's security by obscurity )

let's take as a basis a fast ping scan that can reache 100 IP/s :


A nibble-quad (Quad Hex ) can be scanned in 11 minutes

A full /64 subnet will need 5.8+ billion years. That is pretty safe.

A full /64 half-time ( 50% hit probability ) is thus 2.9+ billion years. This is still pretty safe.

The scanning speed is limited to the smallest bandwidth during the travel, so no performance increase may be expected here by improving the scanning appliance bandwidth.

Let's imagine we manage to design a very clever algorithm than provides a 1000 fold increase in scanning speed, we're still 2.9+ million years for a 50% probability.

Here is a chart to provide some scale orders :





Doing the due effort of using randomized IP addresses, and carefully using the Privacy options that come with IPv6 provides for a good anonymity and stealthiness, thanks to the size of a /64 subnet.


Partager cet article

Repost 0
Published by computer outlines - dans IPv6
commenter cet article



  • : Computer Outlines Blog
  • : Blog mainly focused over IPv6, Windows Server, and Networking in general.
  • Contact