0

I use Tor Browser on Whonix. Why do I see an IPv6 address (something like 3221:23f9:c:67h:0:0:0:3) on whatismyip.com?

Can that website see my MAC address?

daya
user306993
  • That question has also been asked here: https://networkengineering.stackexchange.com/q/29063/5842 – kasperd Sep 18 '18 at 07:45

2 Answers

6

As indicated on the IPv6 roadmap of the Tor project, tor has had support for exit nodes contacting destinations over IPv6 since 2.4.8-alpha. The closest stable release I could find that followed is 2.4.19 from the end of 2013. I don't know exactly which nodes need to support it for a connection to be established over IPv6, but by now, every node in your chain should have at least that version. So all you're seeing is your exit node contacting whatismyip.com over IPv6, and whatismyip answering with the exit node's IPv6 address (the address format seems to confirm this is a manually chosen address as it ends in 0:0:0:3).

If you still have the exact IP, you can check it was indeed an exit node on that day using exonerator.

By the way, IPv6 implementations do not necessarily leak the MAC address by default thanks to RFC4941, which, in addition to a MAC address based IP, assigns a randomly chosen temporary address on every interface, which changes regularly and is used by default for outgoing connections. On Linux this can be controlled using `net.ipv6.conf.all.use_tempaddr` and `net.ipv6.conf.default.use_tempaddr`. Many distributions don't enable it by default, saying it can cause problems for unaware users, and I'm having trouble finding out what the default value is for Whonix, but as a privacy oriented distro, I would hope it is activated... Of course, manually assigned IPv6 addresses also don't have to leak the MAC address.

user2313067
  • 3
    And even if it was the MAC address, it would be the MAC address of the _exit node_... – Michael Hampton Sep 16 '18 at 18:29
  • @MichaelHampton I did not think about the exit node, having IPv6 enabled. That should answer the other part of the question nicely. I would still suggest to user306993 testing this from other exit nodes, which are known to **not** have IPv6 enabled. But this is likely the culprit. – safesploit Sep 16 '18 at 21:48
0

The IPv6 EUI-64 format address is obtained through the 48-bit MAC address. The MAC address is first separated into two 24-bits, with one being OUI (Organizationally Unique Identifier) and the other being NIC specific. The 16-bit 0xFFFE is then inserted between these two 24-bits for the 64-bit EUI address. - Source

IPv6 EUI 64-bit

The inverse, Convert from MAC to IPv6, explains:

  1. take the mac address: 52:74:f2:b1:a8:7f
  2. throw ff:fe in the middle: 52:74:f2:ff:fe:b1:a8:7f
  3. reformat to IPv6 notation 5274:f2ff:feb1:a87f
  4. convert the first octet from hexadecimal to binary: 52 -> 01010010
  5. invert the bit at index 6 (counting from 0): 01010010 -> 01010000
  6. convert octet back to hexadecimal: 01010000 -> 50
  7. replace first octet with newly calculated one: 5074:f2ff:feb1:a87f
  8. prepend the link-local prefix: fe80::5074:f2ff:feb1:a87f

So yes, you can identify your MAC address via an IPv6 address. However, this will be your software MAC address, so if your MAC address was spoofed, your hardware MAC address will not be shown. For IPv6 testing, consider Test your IPv6.

safesploit
  • That format (**fe80::5074:f2ff:feb1:a87f**) is different from what I saw on that website (**3221:23f9:c:67h:0:0:0:3**). So is the format that I saw on that website another format for determining the MAC address? – user306993 Sep 16 '18 at 14:24
  • What's strange is that when I close Whonix and access WhatIsMyIP.com from Chrome, this website does not display IPv6 but IPv4. So what happened to Whonix? – user306993 Sep 16 '18 at 15:07
  • IPv6 addresses can be compressed/shortened to make them easier for humans to read and write. While it's more common to use the shortest-form notation when compressing IPv6 addresses, it's not the only way. http://www.omnisecu.com/tcpip/ipv6/how-to-simplify-ipv6-addresses.php – safesploit Sep 16 '18 at 15:13
  • @user306993 I would suggest doing research if this question has already been asked, and if not asking 'Why is Whonix displaying an IPv6, but not when Whonix is disabled?' However, like I said, so long as MAC address spoofing is done (each session at random), your IPv6 address leaking your MAC address is not a concern. I would be concerned about open ports. As IPv6 does not use NAT like IPv4 does. Hence, port forwarding does not exist with IPv6, e.g. it does not have an internal network as every open port on the IPv6 interface is open to the Internet via that address. – safesploit Sep 16 '18 at 15:20
  • Every answer makes sense. Thank you for your answer safesploit.. – user306993 Sep 16 '18 at 15:51
  • 1
    Link local IPv6 addresses are only valid inside the local network (strictly broadcast domain). If you see an address starting `fe80` on a public website then something is broken. Therefore this isn’t an answer to the original question. See https://en.m.wikipedia.org/wiki/Link-local_address – David Sep 16 '18 at 21:05
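
The eight MAC-to-IPv6 steps listed in the second answer, together with the reverse check, as an added Python example that is not part of the original answers. The function names are illustrative, and `2001:db8::3` is a constructed sample (documentation prefix) standing in for a manually assigned address ending in `0:0:0:3` like the one in the question.

```python
import ipaddress


def mac_to_eui64_link_local(mac: str) -> str:
    """Steps 1-8 of the answer: MAC -> fe80:: address with a modified EUI-64 interface ID."""
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # steps 4-7: invert the universal/local bit of the first octet
    interface_id = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])  # step 2
    prefix = bytes.fromhex("fe80") + bytes(6)  # step 8: link-local prefix fe80::/64
    return str(ipaddress.IPv6Address(prefix + interface_id))


def embedded_mac(address: str):
    """Return the MAC recoverable from an address, or None if its interface ID
    does not have the ff:fe marker of an EUI-64 derived address.

    A random or temporary interface ID can contain ff:fe by chance, so a hit
    means "consistent with EUI-64", not proof.
    """
    interface_id = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if interface_id[3:5] != b"\xff\xfe":
        return None
    interface_id[0] ^= 0x02  # undo the universal/local bit inversion
    return ":".join(f"{b:02x}" for b in interface_id[:3] + interface_id[5:])


def audit(addresses):
    """Map each address to the MAC it would reveal (None when it reveals none)."""
    return {addr: embedded_mac(addr) for addr in addresses}


if __name__ == "__main__":
    # MAC taken from the answer's worked steps.
    derived = mac_to_eui64_link_local("52:74:f2:b1:a8:7f")
    print(derived)
    # Constructed sample list: the derived address plus a manually numbered one.
    for addr, mac in audit([derived, "2001:db8::3"]).items():
        print(addr, "->", mac or "no EUI-64 marker, no MAC recoverable")
```

Running `audit` over the addresses configured on your own interfaces shows which of them would expose a MAC address to a peer.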