Given that commands like ifconfig or ip address don't require root privileges, apps can access information about the IP address. If you use IPv4, you are normally behind NAT and apps would get an address in the 192.168... range, which is not very valuable.

But one of the points about IPv6 is the absence of NAT. I imagine that when browsing the web, web applications don't have access to your file system, except the portions used by the browser.

But what if you run a non-web application? It would still be able to get your real IPv6 address since it runs on your system.

Is this the case? And if so, how to protect against leaking?

Edit: I already run untrusted apps in a VM to sandbox, spoof strings etc. But IPv6 address still gives me away.

If I use NAT for IPv6 in a VM, it still allows for fingerprinting as not many people use NAT for IPv6.

One option is to disable it. I'm asking this question exactly to find out if it can be used safely. The IPv6 adoption rate is through the roof and we've already run out of IPv4 addresses. Sure there's still ways to get it, but I imagine that in a few years there may be only IPv6 addresses available at your ISP. So yeah it's gonna be a ubiquitous technology that I'd like to use with VPN.

Edit 2: Okay, NAT6 is not much of a fingerprint since apps have much better ways to tag you. On a private network where you will use VPN, using NAT6 makes sense even though you lose the benefits of not using NAT.

lolz
  • This is basically asking, "can a binary gather local info about a system and send it somewhere?" and the answer is "of course". And many actually do. But that's no longer a "leak". – schroeder Jul 02 '22 at 21:29
  • @schroeder Yes, you are right. The point I was making is that you can normally configure tunneling of the entire traffic on your system through a VPN, and the apps that run on your system as non-root are unaware of that. But if you configure tunneling for IPv6, non-root apps will still be able to get the real IP address. – lolz Jul 02 '22 at 23:18
  • @schroeder Any ideas how to counteract it? – lolz Jul 02 '22 at 23:54
  • @lolz: If you let untrusted code run without further separation (like a browser offers) this is exactly what you get. And getting access to the IP address is likely the smallest problem then - because you trust the program to do arbitrary code execution on your system. If you want to protect against this you have to somehow sandbox the code, like running it inside a virtual machine which then can also NAT IPv6 or simply disable it. – Steffen Ullrich Jul 03 '22 at 02:09
  • I'm not sure what your threat model is here or what you want to prevent or hide your IP from. If you run a non-web application, it can get your IPv6 address as well as a ton of other identifying info from your machine. If you don't want that, then you run it in a sandbox or virtual bubble. – schroeder Jul 03 '22 at 07:34
  • I'm not sure what you are trying to prevent. First you asked about leaking the IPv6 - with no context given why do you care about this (not even an appropriate tag). Then you asked about fingerprinting the device due to using NAT with IPv6. If this question is about privacy then a) please say so b) set the appropriate tags and c) have a look at IPv6 privacy extensions. These are enabled by default in many OS and cause a regular change of the IPv6 used, i.e. they are explicitly designed to protect against long term fingerprinting of a device based on IP. – Steffen Ullrich Jul 03 '22 at 13:46
  • And if you care about non-browser apps detecting that they run on the same device - they could simply write a unique ID to a file on start and read this file on each new start to use the same "device ID". And browsers can achieve the same with cookies or local storage. No access to the IP address needed. – Steffen Ullrich Jul 03 '22 at 13:52
  • @SteffenUllrich The context is that I want to tunnel my traffic through a VPN, but untrusted apps can still get my IPv6 address. I want to mitigate this. Yes, if I use IPv4, untrusted apps can just tag me, but they won't be able to get my external IP and thus location, ISP etc. – lolz Jul 03 '22 at 14:01
  • *"but untrusted apps can still get my ipv6 address. I want to mitigate this."* - this by itself is not an information security problem but a purely technical requirement, i.e. off-topic. And this specific requirement is solved when using NAT as I recommended. If there is an underlying security problem then please describe this in your question. – Steffen Ullrich Jul 03 '22 at 14:04
  • @SteffenUllrich IPv6 privacy extensions are about not using the MAC address for autoconfiguration and regenerating the IPv6 address once in a while. Maybe I've missed something. Ok I see, given that apps can tag me, they have a better way to fingerprint than getting a NAT'd IPv6 address. – lolz Jul 03 '22 at 14:15
  • @SteffenUllrich Okay, the link-local address is not a concern since we are not talking local network. The global address is still generated by appending a unique identifier to the network prefix. So it still gives away your ISP, location etc and thus doesn't address the issue. As you said NAT would do the job. I was just wondering if there's a way to have both the benefits of not using NAT and privacy (when tunneling through a VPN). Apparently not. – lolz Jul 03 '22 at 14:32
  • *"and thus doesn't address the issue"* - which issue? You did not describe any security issue so far but only asked for hiding the IPv6 for an unspecific reason. – Steffen Ullrich Jul 03 '22 at 14:42
  • @SteffenUllrich I have added the privacy tag. It's a privacy issue. The reason to hide the IPv6 address is that non-trusted apps can get it from your system. Which is a problem if you tunnel everything through a VPN and expect to have your IP address hidden. – lolz Jul 03 '22 at 14:43
  • @lolz: *"if you tunnel everything through a VPN and expect to have your IP address hidden"* - then you have the wrong understanding of VPN. VPN ensures that the **remote** server you are accessing does not get your real IP from the established network connection. VPN does not provide anything regarding running untrusted **local** code, nor does it do anything against transporting the real IP address inside the application payload (like with WebRTC). – Steffen Ullrich Jul 03 '22 at 14:55
  • @SteffenUllrich Yes. But let's think IPv4. Since it's normally behind NAT, your machine on the LAN is not aware of the external IP address that can be used to identify you in real life. So if an app gets the IP address of your machine it will be useless. By default IPv6 doesn't use NAT as a feature, so an app can get your real IP address. – lolz Jul 03 '22 at 14:59
  • If you want to use IPv6 and you don't want to expose the public IPv6 prefix, then you obviously have to use some local IPv6 prefix for your VM different from the public one - and then somehow translate between these two prefixes. This can be done with some form of NAT or some application level proxy. – Steffen Ullrich Jul 03 '22 at 15:05
  • @SteffenUllrich Okay, I've updated the question. Thanks for the convo! I'll look into application level proxy as an option. – lolz Jul 03 '22 at 15:18

1 Answer

That's the case. You have these options:

  • Don't run applications locally
  • Run them in a virtual machine
  • Disable IPv6 completely
Artem S. Tashkinov
  • Thanks for your answer. I already run them in a VM so that untrusted apps can't fingerprint real hardware etc. But yeah IPv6 stays real. I'll try NAT for IPv6 which feels a bit retarded, and it also leaves a big fingerprint as not many people use NAT for it... So yeah maybe the best option is disabling it completely... – lolz Jul 03 '22 at 12:17
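
The distinctions drawn in the thread above (link-local versus global address, privacy extensions, a local prefix behind NAT), as an added example that is not part of the original question, answer or comments: a Python audit that classifies what `ip -6 addr` shows inside a VM and reports any global prefix an unprivileged process could read. The sample output is constructed and uses the 2001:db8::/32 documentation prefix in place of an ISP prefix; the function names are this example's own.

```python
import ipaddress
import re

# Constructed `ip -6 addr show` output; 2001:db8::/32 stands in for an ISP prefix.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:a1b2:c3d4:e5f6:789a/64 scope global temporary dynamic
    inet6 2001:db8:1234:5678:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
    inet6 fd12:3456:789a:1::10/64 scope global
    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""

RANGES = [  # checked in order; first match wins
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),   # usable behind NAT66/NPTv6
    ("global", ipaddress.ip_network("2000::/3")),         # routable, reveals ISP prefix
]
LINE = re.compile(r"^\s+inet6 (\S+)/(\d+) scope \S+(.*)$")

def embedded_mac(addr):
    """Return the MAC encoded in a modified EUI-64 interface ID, else None."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(text):
    """Classify every inet6 line: address kind, temporary flag, embedded MAC."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        addr = ipaddress.IPv6Address(m.group(1))
        kind = next((name for name, net in RANGES if addr in net), "other")
        net = ipaddress.ip_network(f"{addr}/{m.group(2)}", strict=False)
        findings.append({"address": str(addr), "kind": kind, "prefix": str(net),
                         "temporary": "temporary" in m.group(3).split(),
                         "mac": embedded_mac(addr)})
    return findings

def exposed_prefixes(findings):
    """Global prefixes visible to any local process; empty means nothing routable."""
    return sorted({f["prefix"] for f in findings if f["kind"] == "global"})

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
    print("exposed:", exposed_prefixes(audit(SAMPLE)))
```

Run inside the sandbox, an empty result from `exposed_prefixes` means only local prefixes are visible there; a temporary address still carries the same global prefix even though its interface ID rotates.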