I hate that I have to explain again and again that EUI64 address generation is the worst feature of #IPv6 in terms of tracking and privacy.
Nevertheless, nearly all #IoT devices use #lwIP, which lacks RFC7217 or RFC4941/8981 support and leaks GUIDs to everyone listening.

When is everyone taking this seriously?

Even a famous German CPE vendor uses this method.

Have a look here if you do not understand what I mean:

https://bgp.tools/prefix/2a02:908:8000::/33#dns

BTW your #Synology #nas spoils your privacy.


At least there is a solution that vendors can implement. We just have to convince them to do so by default.

There is a separate set of privacy risks related to IPv4. The IP-ID field in the IPv4 header has been a source of many risks. Here is a proof-of-concept of one of the lesser-known privacy risks in that field: https://v6tools.kasperd.dk/same-host/


@kasperd
I have a hard time doing so, and every time some of the "yes, but ..." guys come around.
It can be hard to convince people to do the right thing. In my experience the success rate is in the single digit percentages.
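
The leak described in the first post of this thread, as an added example that is not from any of the posters: an audit helper that recovers the MAC from an EUI-64 interface identifier, next to an RFC 7217-style identifier that changes with the prefix. The MAC, prefixes, interface name and secret are constructed sample values, and using SHA-256 as the function F (with Network_ID omitted) is an assumption of this sketch.

```python
import hashlib
import ipaddress

SAMPLE_MAC = "00:00:5e:00:53:01"          # constructed, documentation MAC range
SECRET = b"constructed-per-host-secret"   # constructed; a real host keeps this private

def iid_of(addr):
    """Lower 64 bits (interface identifier) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]

def eui64_mac(addr):
    """Return the MAC embedded in an EUI-64 interface identifier, or None.
    Heuristic: a random IID can contain ff:fe at this offset by chance."""
    iid = iid_of(addr)
    if iid[3:5] != b"\xff\xfe":           # EUI-64 inserts ff:fe in the middle of the MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def eui64_address(prefix, mac):
    """SLAAC address with a modified EUI-64 IID: the MAC is readable in the address."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return str(ipaddress.IPv6Network(prefix)[int.from_bytes(iid, "big")])

def rfc7217_address(prefix, iface, secret, dad_counter=0):
    """RFC 7217-style IID = F(prefix, interface, DAD counter, secret).
    Assumption: F is SHA-256; reserved-IID checks from the RFC are left out."""
    net = ipaddress.IPv6Network(prefix)
    data = net.network_address.packed + iface.encode() + bytes([dad_counter]) + secret
    rid = hashlib.sha256(data).digest()
    return str(net[int.from_bytes(rid[-8:], "big")])   # least significant 64 bits

if __name__ == "__main__":
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):   # constructed networks
        weak = eui64_address(prefix, SAMPLE_MAC)
        opaque = rfc7217_address(prefix, "eth0", SECRET)
        print(f"{prefix:18} EUI-64   {weak}  -> MAC {eui64_mac(weak)}")
        print(f"{prefix:18} RFC 7217 {opaque}  -> MAC {eui64_mac(opaque)}")
```

Running `eui64_mac` over the addresses in your own DNS zones or neighbor tables shows which devices still expose their hardware address.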