OPNsense Forum » Archive » 23.7 Legacy Series » IPV6 Interface Addresses
Topic: IPV6 Interface Addresses (Read 799 times)
mooh
Jr. Member
Posts: 93
Karma: 3
IPV6 Interface Addresses
« on: April 19, 2024, 05:17:19 pm »
Running OPNsense 23.10.3-amd64 on DEC750 appliances, I just noticed that all interfaces use the same interface identifiers when set to "track interface", i.e. the leading 64 bits are as expected (56-bit prefix + 8-bit tracking ID) but the low-order 64 bits are the same on all (EDIT: VLAN) interfaces, including WAN.
Technically, that's fine, but I'm wondering if this is a good default because it makes guessing interface addresses trivial for attackers, as there are only 8 bits of uncertainty and - let's face it - in practice no uncertainty at all because tracking IDs usually go from 0 to n.
Maybe my settings are wrong, but I would expect all networking devices - including router interfaces - on my network to use privacy extensions or at least MAC based identifiers in order to prevent these attacks. So basically, all interfaces should have essentially random interface identifiers.
What do you folks think? Is there something wrong with my configuration?
« Last Edit: April 19, 2024, 05:27:23 pm by mooh »
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: IPV6 Interface Addresses
« Reply #1 on: April 19, 2024, 06:44:47 pm »
Guessable interface addresses shouldn't be a concern; a security strategy should never depend on keeping IP addresses "secret".
Privacy extensions are not commonly used on routers, only on hosts. The interface identifiers are based on the MAC address (EUI-64). If all VLANs use the same underlying NIC, they share the same MAC address and as a result the same interface identifier. You can spoof the MAC address for individual VLANs though.
Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
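To make the mechanism discussed above concrete, here is an added Python example (not code from the thread or from OPNsense) that derives the modified EUI-64 identifier from a MAC, builds the "track interface" layout the original post describes (/56 delegation + 8-bit tracking ID + 64-bit IID), and shows why every VLAN on one NIC ends up with identical low 64 bits; it also contrasts that with an RFC 7217-style stable opaque identifier. The prefix, MAC and interface names are constructed sample values, and the RFC 7217 function is a simplified sketch, not OPNsense's implementation.

```python
import hashlib
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert FF:FE in the middle
    eui[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(eui, "big")


def stable_privacy_iid(prefix: str, if_name: str, secret: bytes) -> int:
    """Simplified RFC 7217 opaque IID: stable per (prefix, interface, secret), no MAC involved."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    digest = hashlib.sha256(net.network_address.packed + if_name.encode() + secret).digest()
    return int.from_bytes(digest[:8], "big")


def tracked_address(delegated_prefix: str, tracking_id: int, iid: int) -> ipaddress.IPv6Address:
    """'Track interface' layout from the thread: /56 delegation | 8-bit tracking ID | 64-bit IID."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if net.prefixlen != 56:
        raise ValueError("this example assumes a /56 delegation")
    if not 0 <= tracking_id <= 0xFF:
        raise ValueError("tracking ID must fit in 8 bits")
    return ipaddress.IPv6Address(int(net.network_address) | (tracking_id << 64) | (iid & IID_MASK))


def shared_iids(addresses):
    """Group addresses by their low 64 bits; groups with more than one member share an IID."""
    groups = {}
    for addr in addresses:
        groups.setdefault(int(addr) & IID_MASK, []).append(addr)
    return {iid: addrs for iid, addrs in groups.items() if len(addrs) > 1}


if __name__ == "__main__":
    prefix = "2001:db8:1234:ab00::/56"  # constructed documentation prefix
    mac = "00:11:22:33:44:55"           # constructed MAC of the single NIC carrying all VLANs
    vlans = {"vlan10": 1, "vlan20": 2, "vlan30": 3}
    eui = [tracked_address(prefix, tid, eui64_iid(mac)) for tid in vlans.values()]
    print("EUI-64 shared IIDs:", shared_iids(eui))  # one group holding all three VLAN addresses
    key = secrets.token_bytes(16)
    opaque = [tracked_address(prefix, t, stable_privacy_iid(prefix, n, key)) for n, t in vlans.items()]
    print("RFC 7217 shared IIDs:", shared_iids(opaque))  # empty: each interface differs
```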
mooh
Jr. Member
Posts: 93
Karma: 3
Re: IPV6 Interface Addresses
« Reply #2 on: April 21, 2024, 10:20:54 am »
Thank you for responding. I agree, obscurity is not security, but it doesn't hurt to have, either.
With interface identifiers based on MAC addresses I understand why all virtual interfaces on the same physical interface are the same, but in my case even the identifier part of the WAN is the same as all virtual LAN interfaces, even though it is on another physical interface (and is based on the LAN MAC).
Thinking about it, my WAN interface uses PPPoE and thus doesn't have a MAC. Is OPNsense recycling the MAC bits from another interface in that case?
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: IPV6 Interface Addresses
« Reply #3 on: April 21, 2024, 10:46:47 pm »
Yes, the MAC address of the system's first Ethernet interface is used for creating the interface identifiers of some "virtual" interfaces (as well as the system's DUID).