Which of the following methods can be used to generate an interface ID for an IPv6 address?

An IPv6 address consists of 3 parts: Global Routing Prefix, Subnet ID and Interface ID. The Interface ID identifies an interface of a particular node and is unique within the subnet.

A device can use two methods to auto-generate the Interface ID part of its IPv6 address on its own. These methods are:

  1. EUI-64 (Extended Unique Identifier 64-bit) – not recommended
  2. Random Interface Identifier – recommended

EUI-64 explained

The EUI-64 method automatically generates a unique 64-bit interface ID from the MAC address of the device.

As the image below shows, we take the OUI (Organizationally Unique Identifier) out of the MAC address and place it at the start of the Interface ID. We also flip the 7th bit. Then we add the FF FE section and, as the last step, we add the NIC part of the MAC address.

Figure 1 - EUI-64 (source: https://ipfiles.files.wordpress.com/2015/04/eui.png)

What’s wrong about it?

You may have already noticed that the whole concept behind this mechanism can be misused: the L3 address contains the exact information about the L2 address.

This creates an opportunity to track the device, because whichever network it connects to, the second half of the IPv6 address it generates is always the same. A user cannot connect anonymously to any network if someone knows the EUI-64 interface identifier of their device. This can be easily exploited in many different ways, for example by websites and apps associating different IPv6 addresses with a particular device or user.

To address this and to help improve users' privacy, Random Interface Identifiers were developed. When Random Interface Identifiers are used, the MAC address is not used; instead, a randomly generated hexadecimal string is utilized.

How to mitigate it?

We should always use Random Interface Identifiers (operating systems from Windows Vista onward, and also Linux, use this method). On the other hand, there are (older) network devices from multiple vendors that still use EUI-64. Network administrators should examine each IPv6 address on each Network Interface Card on each network device under their control to verify that there is not a single EUI-64-generated IPv6 address on the network. If no Random Interface Identifier process is available on a particular device, you should configure a static IPv6 address. For example, on Cisco devices this is accomplished as follows:

To enable automatic configuration of IPv6 addresses using stateless autoconfiguration on an interface and enable IPv6 processing on the interface, use the ipv6 address autoconfig command in interface configuration mode.

To remove the address from the interface, use the no form of this command.

no ipv6 address autoconfig

And then just configure a static IPv6 address.

ipv6 address 2001:0BB9:AABB:1234:1111:2222:3333:4444/64

On any device, the network administrator should follow the manufacturer's guidelines.
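The address audit recommended above can be scripted. The following is an added example, not part of the original article: it builds the EUI-64 interface ID the way the figure describes and then checks an address inventory for interface IDs that still carry a MAC address. The MAC address and the inventory are constructed sample values using the 2001:db8::/32 documentation prefix.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Build the EUI-64 interface ID from a 48-bit MAC address."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # OUI with the 7th bit flipped, then FF FE, then the NIC part.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def embedded_mac(address: str):
    """Return the MAC recoverable from an EUI-64 address, or None."""
    iid = ipaddress.IPv6Address(address.split("/")[0]).packed[8:]
    # FF FE in the middle of the interface ID is the EUI-64 marker. A random
    # ID can contain it by chance (about 1 in 65536), so treat a hit as a
    # finding to confirm against the device's real MAC address.
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map every address that exposes a MAC address to that MAC address."""
    findings = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            findings[addr] = mac
    return findings

# Constructed sample data (not taken from a real network).
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"
SAMPLE_INVENTORY = [
    "2001:db8:aabb:1234:21a:2bff:fe3c:4d5e/64",   # EUI-64 from SAMPLE_MAC
    "2001:db8:ccdd:9:21a:2bff:fe3c:4d5e/64",      # same device, other network
    "2001:db8:aabb:1234:1111:2222:3333:4444/64",  # static interface ID
    "2001:db8:aabb:1234:9c5f:3e01:77ab:c2d4/64",  # random interface ID
    "fe80::21a:2bff:fe3c:4d5e",                   # link-local, also EUI-64
]

if __name__ == "__main__":
    print(eui64_interface_id(SAMPLE_MAC).hex(":"))
    for addr, mac in audit(SAMPLE_INVENTORY).items():
        print(f"{addr} exposes MAC {mac}")
```

The two flagged global addresses sit in different networks but yield the same MAC address, which is the tracking problem described earlier.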

Conclusion

EUI-64 is one of two methods used to auto-generate the Interface ID part of an IPv6 address. Using this method is strongly discouraged, because it can be easily exploited in many different ways, for example by websites and apps associating different IPv6 addresses with a particular device or user. Random Interface Identifiers were developed to address the problems with EUI-64. When a device does not support Random Interface Identifiers, a static IPv6 address should be used.

Reference Sources

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-book/ipv6-i1.html
https://www.networkacademy.io/ccna/ipv6/ipv6-on-windows

Use one of the following methods to configure an IPv6 global unicast address for an interface:

  • EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the interface identifier is generated automatically by the interface.

  • Manual configuration—The IPv6 global unicast address is manually configured.

  • Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically based on the address prefix information contained in the RA message.

You can configure multiple IPv6 global unicast addresses on an interface.

Manually configured global unicast addresses (including EUI-64 IPv6 addresses) take precedence over automatically generated ones. If you manually configure a global unicast address with the same address prefix as an existing global unicast address on an interface, the manually configured one takes effect, but it does not overwrite the automatically generated address. If you remove the manually configured global unicast address, the device uses the automatically generated one.

EUI-64 IPv6 address

To configure an interface to generate an EUI-64 IPv6 address:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure the interface to generate an EUI-64 IPv6 address. | ipv6 address { ipv6-address prefix-length \| ipv6-address/prefix-length } eui-64 | By default, no EUI-64 IPv6 address is configured on an interface. |

Manual configuration

To configure an IPv6 global unicast address for an interface:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure an IPv6 global unicast address for the interface. | ipv6 address { ipv6-address prefix-length \| ipv6-address/prefix-length } | By default, no IPv6 global unicast address is configured on an interface. |

Stateless address autoconfiguration

To configure an interface to generate an IPv6 address through stateless address autoconfiguration:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Enable stateless address autoconfiguration. | ipv6 address auto | By default, no IPv6 global unicast address is configured on an interface. |

Using the undo ipv6 address auto command on an interface removes all IPv6 global unicast addresses and link-local addresses that are automatically generated on the interface.

After this configuration, the interface automatically generates an IPv6 global unicast address by using the address prefix in the received RA message and the interface ID. On an IEEE 802 interface (such as an Ethernet interface or a VLAN interface), the interface ID is generated based on the MAC address of the interface and is globally unique. An attacker can exploit this rule to identify the sending device easily.

To fix the vulnerability, you can configure the temporary address function. With this function, an IEEE 802 interface generates the following addresses:

  • Public IPv6 address—Includes the address prefix in the RA message and a fixed interface ID generated based on the MAC address of the interface.

  • Temporary IPv6 address—Includes the address prefix in the RA message and a random interface ID generated through MD5.

You can also configure the interface to preferentially use the temporary IPv6 address as the source address of sent packets. When the valid lifetime of the temporary IPv6 address expires, the interface removes the address and generates a new one. This function enables the system to send packets with different source addresses through the same interface. If the temporary IPv6 address cannot be used because of a DAD conflict, the public IPv6 address is used.

The preferred lifetime and valid lifetime for a temporary IPv6 address are determined as follows:

  • The preferred lifetime of a temporary IPv6 address takes the smaller of the following values:

    • The preferred lifetime of the address prefix in the RA message.

    • The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (a random number ranging from 0 to 600 seconds).

  • The valid lifetime of a temporary IPv6 address takes the smaller of the following values:

    • The valid lifetime of the address prefix.

    • The valid lifetime configured for temporary IPv6 addresses.

To configure the temporary address function:

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enable the system to generate a temporary IPv6 address. | ipv6 temporary-address [ valid-lifetime preferred-lifetime ] | By default, the system does not generate any temporary IPv6 address. |
| 3. Enable the system to preferentially use the temporary IPv6 address as the source address of the packet. | ipv6 prefer temporary-address | By default, the system does not preferentially use the temporary IPv6 address as the source address of the packet. |

To generate a temporary address, an interface must be enabled with stateless address autoconfiguration. Temporary IPv6 addresses do not overwrite public IPv6 addresses, so an interface can have multiple IPv6 addresses with the same address prefix but different interface IDs.

If an interface fails to generate a public IPv6 address because of a prefix conflict or other reasons, it does not generate any temporary IPv6 address.
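The temporary address rules above, worked through in code. This is an added example, not the vendor's implementation: it assumes that "generated through MD5" refers to the procedure in RFC 4941 section 3.2.1 (hash a 64-bit history value together with the MAC-based interface ID, use the left half as the temporary ID and the right half as the next history value). The prefix, interface ID and lifetimes are constructed sample values.

```python
import hashlib
import ipaddress
import secrets

def next_temporary_iid(history: bytes, public_iid: bytes):
    """One MD5 round: returns (temporary interface ID, next history value)."""
    if len(history) != 8 or len(public_iid) != 8:
        raise ValueError("history and interface ID must both be 64 bits")
    digest = hashlib.md5(history + public_iid).digest()
    # Leftmost 64 bits become the interface ID; the universal/local bit is
    # cleared so the ID is marked as locally generated.
    iid = bytes([digest[0] & 0xFD]) + digest[1:8]
    return iid, digest[8:]  # rightmost 64 bits feed the next round

def temporary_addresses(prefix: str, public_iid: bytes, rounds: int, history=None):
    """Successive temporary addresses an interface would rotate through."""
    net_bytes = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    if history is None:
        history = secrets.token_bytes(8)  # first run: random history value
    result = []
    for _ in range(rounds):
        iid, history = next_temporary_iid(history, public_iid)
        result.append(ipaddress.IPv6Address(net_bytes + iid))
    return result

def temporary_lifetimes(ra_preferred, ra_valid, cfg_preferred, cfg_valid, desync=None):
    """Apply the 'smaller of' rules above; all lifetimes are in seconds."""
    if desync is None:
        desync = secrets.randbelow(601)  # DESYNC_FACTOR: 0 to 600 seconds
    preferred = min(ra_preferred, cfg_preferred - desync)
    valid = min(ra_valid, cfg_valid)
    return preferred, valid

# Constructed sample values: documentation prefix and a made-up MAC-based ID.
PREFIX = "2001:db8:aabb:1234::/64"
PUBLIC_IID = bytes.fromhex("021a2bfffe3c4d5e")

if __name__ == "__main__":
    for addr in temporary_addresses(PREFIX, PUBLIC_IID, rounds=3):
        print(addr)
    print(temporary_lifetimes(604800, 2592000, 86400, 604800))
```

Each printed address shares the prefix but carries a different interface ID, none of which is the MAC-based one, so the source address no longer identifies the device once the temporary address is preferred.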

Configuring a static IPv6 prefix

| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Configure a static IPv6 prefix. | ipv6 prefix prefix-number ipv6-prefix/prefix-length | By default, the device has no static IPv6 prefix. |

What is the method a device can use to generate its own IPv6 interface ID?

IPv6 hosts can use the Neighbor Discovery protocol to automatically generate their own interface IDs. Neighbor Discovery automatically generates the interface ID, based on the MAC or EUI-64 address of the host's interface.

What is the interface ID of IPv6 address?

The second part of an IPv6 unicast or anycast address is typically a 64-bit interface identifier used to identify a host's network interface. A 64-bit interface ID is created by inserting the hex value of FFFE in the middle of the MAC address of the network card.

How are IPv6 addresses generated?

IPv6 hosts use Neighbor Discovery to obtain a subnet prefix from a local router. Hosts automatically create IPv6 addresses by combining the subnet prefix with an interface ID that is generated from an interface's MAC address. In the absence of routers, a host can generate only link-local addresses.

Which of the following identifies the Interface ID component of an IPv6 address? (Select two.)

An IPv6 address is a 128-bit binary number that uses the first 64 bits as the address prefix and the last 64 bits of the address as the interface ID.