New in IPv6: Stable Random IPv6 Addresses on OpenBSD
The idea of generating random IPv6 addresses (so you cannot be tracked across multiple networks based on your MAC address) that stay stable within each subnet (so you don’t pollute everyone’s ND cache every time you open your iPad) is pretty old: RFC 7217 was published almost exactly four years ago.
Linux was quick to pick it up, OpenBSD got RFC 7127 support a few weeks ago. However, there’s an Easter egg in the OpenBSD patches that implement it: SLAAC on OpenBSD now works with any prefix length (not just /64).
Turns out there never was a requirement to have /64 prefixes to use SLAAC before RFC 4291 was published (RFC 4291 specifies the length of interface identifiers to be 64 bits)… or so Peter Hessler claimed during a Troopers dinner. Disagree? Please write a comment!
New to IPv6?
I decided I won’t spend any more time on a protocol that is old enough to buy its own beer, but the IPv6 webinars on ipSpace.net are still pretty relevant (yeah, nothing much has changed in the meantime).
An IPv6 address prefix used for stateless autoconfiguration [ACONF]
of an Ethernet interface must have a length of 64 bits.
Why would you ever want to use it? Beats me... Seems more like proving a point to me.
Perhaps I am not seeing the "other side" of why someone would use something other than a /64 for an IPv6 subnet for end-host addresses? Now, back to main topic, RFC7217 is pretty cool in and of itself from a security perspective
Maybe "I need more segments but my provider is only giving me a /64" or "I want to do tethering but can't get more than a single /64 on LTE" or something similar? There's IA_PD, but then some people are still religiously opposed to DHCPv6 ;)
Or, as seen in the IPv6 address concept of a large Swiss university network: /64 are reserved but not configured. Only /115 or /118 are configured.
Although they do not use SLAAC, in terms of passive security, this is a neat trick to harden the network against resource exhaustion (simple reconnaissance by scanners, targeted DDoS attacks, etc.
So the Easter egg in OpenBSD's SLAAC comes in handy in such networks