373 private links
An IPv6 can de divided into 3 pieces:
- 48 or more bits of network identifier (also known as the subscriber prefix)
- 16 or fewer bits of subnet identifier
- 64 bits of interface identifier
The RFC mentioned can be obsolete, but are kept up to date at
Using MAC adresses was flawed, and location data was too. The randomization defined in RFC 30411 was then refined in RFC 7217. Here comes the SLAAC protocol.
Steps:
- Calculating a link-local address
- Link-local Duplicate Address Detection (DAD)
- Locating a router (by sending a Router Advertisement (RA) message)
- Calculating a routable address
DHCPv6 (RFC 3315) solves also the domain name association with IPv6 while distributing additional information.
There is an address renegotiation to preserve privacy.
Slaac is vulnerable to RA spoofing, and DNS spoofing. The proposed solution is to use IPsec, but it's complicated to deploy. SEcure Neighbor Discovery introduced a dedicated cryptographic authentication protocol for network discovery.
Another potential issue is that a network device can respond with Neighbor Advertisement packets for every Neighbor Discovery it sees. This will effectively block any device from completing Duplicate Address Detection, hence blocking SLAAC from completing. Preventing this attack is a current research topic 1, 2, 3
