Internet service providers, web sites, and equipment vendors around the globe took part in the World IPv6 launch in June, Internet companies including AT&T (T), Cisco (CSCO), Comcast (CMCSA), Facebook (FB), Google (GOOG), Microsoft (MSFT), Verizon Wireless (VZ), and Yahoo (YHOO) decided to permanently turn on IPv6. A small fraction of Internet users and devices have started communicating via IPv6 networks, with more and more transitioning to the new protocol over the coming months and years. There are security and privacy implications in the switch to IPv6.
All kinds of devices will get new IPv6 numbers as the addressing format grows. The IPv6 addresses for these networked devices can be generated in a number of different ways and the choice of how they are created has potentially wide-reaching effects for security and privacy Center for Democracy & Technology explains. One of the original methods for assigning new addresses involved using a unique device identifier (known as a MAC address) as the suffix of the IPv6 address. This method creates a permanent, unique address for a device, potentially allowing any server that the device communicates with to indefinitely track the user.
IPv6 designers soon realized the potential security and privacy problems of MAC-based addresses; as a result, they created an alternate method known as “privacy extensions” or “privacy addresses” the article reports. The privacy extensions use a randomly generated number instead of a MAC address. In order to protect privacy on an IPv6 network, the random number is unrelated to any device identifier and in practice lasts no more than a week (and often much less time), ensuring that the user’s IP address cannot be used for long-term user tracking.
It is up to operating system vendors to choose which IP address assignment method will be the default on their devices. The author says that some vendors have made good choices, particularly within the last year. Microsoft has long led the charge on IPv6 privacy, with privacy extensions on by default in all versions of Microsoft Windows since the release of Windows XP nearly a decade ago. Apple followed suit last year, with privacy extensions activated by default in all versions of Mac OS X since 10.7 (Lion) and with the release of iOS 4.3 for iPhone and iPad. Google did likewise in its Android 4.0 release last year.
The CDT says that as long as Internet users choose to upgrade their operating systems to the latest versions, they should be protected against perpetual security and privacy threats from IPv6 network address tracking.
However, I wrote about reports from H Security that mobile operating systems do not protect security or privacy on IPv6 networks. The report says mobile OS’s send private information about their users to the network. The H.Security article says this is not a flaw in IPv6, rather it is lazy programming in some cases. The article points out that neither Apple’s iOS nor Android devices have the option to enable Privacy Extensions or the option to disable IPv6. apparently the only thing the smartphones need is a control option in the user interface to protect mobile OS users privacy and security on an IPv6 network.
- Romania Has the Fastest IPv6 Adoption Rate (maindevice.com)