
List:       websecurity
Subject:    Re: [WEB SECURITY] implications of IPv6 for geolocation mapping?
From:       "Johannes B Ullrich, Ph.D." <jullrich () sans ! edu>
Date:       2011-01-06 2:08:27
Message-ID: AFA0EFED-5111-4D19-93E2-68BFB21B3949 () sans ! edu



As Tim mentioned, there are two ways to derive the Interface part of the IPv6 address: EUI-64, which is derived from the MAC address, or Privacy Enhanced, which will assign a random interface ID on each reboot. (You can also use static assignments like in IPv4, DHCP and cryptographically generated IPs.)

Geolocation should actually be easier as IPv6 space should be less fragmented than IPv4 space. Unless you talk about mobile IPv6, which is very similar to what you have now for IPv4 with VPNs.

A couple of issues with IPv6 and web applications:

- since you don't have NAT issues anymore, your IP address should be more static during a session. But proxies may still mix things up.
- even if the interface ID is privacy enhanced, it could still be useful to assist in session tracking
- if you use it to assist with (NOT REPLACE!) sessions, only bother with the last half and ignore the first half
- for geolocation, only the first 48 bits should matter. (the next 16 bits should be used for subnets within an organization)

For a list of IPv6 allocations by regional registrars, see http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml (the list is pretty short)

As IPv6 becomes more mainstream, some of the advances like cryptographically generated addresses may find more use, which will make things more interesting for web app security (but first have to see how this works out)


On Jan 3, 2011, at 5:30 PM, VA wrote:

> All,
> 
> I am struggling to understand what are the potential consequences of Internet moving to IPv6 for various methods relying heavily on IP “intelligence” information – such as geolocation. By some accounts IPv6 is a major shift towards more precise machine tracking (thus causing privacy concerns) as each machine supposedly will have part of the IP (2nd half of 64 bits) permanent. By some other accounts IPv6 will make it easy to re-assign IPs from one geographical location to another, thus making it much harder to maintain geolocation mapping DB. What is your take – is there an inherent upside or downside in migration to IPv6 for those who use IP “intelligence” for fraud detection, marketing, service restrictions etc.?
> Thanks in advance!
> 

---
Register now for SANS Security East 2011 - January 20-27, New Orleans, LA!
12 In-Depth courses, vendor expo, bonus extra sessions: http://www.sans.org/info/67253
Johannes B. Ullrich Ph.D., SANS Technology Institute, (757) 726 7528
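The reply above splits an IPv6 address into the pieces that matter for each purpose: the first 48 bits for geolocation, the next 16 as the organization's subnet ID, and the low 64 bits (the interface ID) as a session-assist hint, with EUI-64 interface IDs being derivable from a MAC address. The following Python is an added worked example, not code from the thread or from SANS; it uses only the standard `ipaddress` module. The two sample addresses are constructed in the 2001:db8::/32 documentation range, the embedded MAC 00:1a:2b:3c:4d:5e is fictional, and the function names are the example's own. Recognizing the `ff:fe` marker in the middle of the interface ID is the standard EUI-64 layout (RFC 4291, Appendix A), but a random privacy-extension ID can contain those bytes by chance, so the classification is a heuristic, not proof.

```python
import ipaddress

# Constructed samples in the 2001:db8::/32 documentation prefix (RFC 3849).
# SAMPLE_EUI64 embeds the fictional MAC 00:1a:2b:3c:4d:5e in EUI-64 form;
# SAMPLE_PRIVACY has a random-looking interface ID like a privacy extension would.
SAMPLE_EUI64 = "2001:db8:1234:5678:21a:2bff:fe3c:4d5e"
SAMPLE_PRIVACY = "2001:db8:1234:5678:9c3a:71e0:4d12:8fa7"

GEO_PREFIX_LEN = 48  # the reply: "only the first 48 bits should matter" for geolocation


def eui64_mac(iid: bytes):
    """Return the MAC embedded in an EUI-64 interface ID as 'xx:xx:...', or None.

    EUI-64 inserts 0xff 0xfe between the OUI and the device-specific half of the
    MAC and flips the universal/local bit (0x02) of the first byte. Undo both.
    Note: a random 64-bit ID matching ff:fe at this offset is possible, so treat
    the result as a strong hint rather than a certainty.
    """
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first, iid[1], iid[2], iid[5], iid[6], iid[7]])
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr: str) -> dict:
    """Split an IPv6 address into the fields the reply discusses.

    geo_prefix   : the /48 to key a geolocation lookup on
    subnet_id    : bits 48..63, the organization's internal subnet
    interface_id : the low 64 bits, usable as a session-assist hint (never as
                   the session identifier itself)
    iid_kind     : 'eui-64' if the interface ID carries a MAC, else
                   'random-or-static'
    mac          : the recovered MAC for EUI-64 IDs, else None
    """
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed  # 16 bytes, network order
    iid = raw[8:]
    mac = eui64_mac(iid)
    return {
        "geo_prefix": str(ipaddress.IPv6Network(f"{ip}/{GEO_PREFIX_LEN}", strict=False)),
        "subnet_id": raw[6:8].hex(),
        "interface_id": iid.hex(),
        "iid_kind": "eui-64" if mac else "random-or-static",
        "mac": mac,
    }


def same_site(a: str, b: str) -> bool:
    """True when two addresses share the same /48, i.e. the same geolocation key."""
    net_a = ipaddress.IPv6Network(f"{a}/{GEO_PREFIX_LEN}", strict=False)
    net_b = ipaddress.IPv6Network(f"{b}/{GEO_PREFIX_LEN}", strict=False)
    return net_a == net_b


if __name__ == "__main__":
    for sample in (SAMPLE_EUI64, SAMPLE_PRIVACY):
        info = classify(sample)
        print(sample)
        for key, value in info.items():
            print(f"  {key:13s} {value}")
    print("same /48:", same_site(SAMPLE_EUI64, SAMPLE_PRIVACY))
```

For a defender the useful split is the one `classify` returns: group by `geo_prefix` for location or fraud-scoring, and, if you log `interface_id` at all, treat an `eui-64` result as personal data tied to a physical device rather than as an anonymous token.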





