
First allow me to say I am only modestly experienced with IPv6. Be gentle.

We (my company) currently whitelist inbound client access based on IPv4 addresses/subnets before they even talk to our remote access/VPN server. But for our mobile clients, this means whitelisting entire ISP lease ranges, and with our territories expanding, this practice is becoming increasingly less beneficial.

I am investigating the feasibility of transitioning our mobile clients to IPv6 and utilizing EUI-64/Interface ID as a possible whitelisting method. Since the EUI-64 is based on the hardware MAC address of the mobile broadband modem, I could, in theory, whitelist only the MACs we own - the attraction from a security perspective should be obvious.

However, it appears to me I have at least two hurdles to get over:

  1. EUI-64 based Interface ID doesn't look like it is the norm from what I can tell. Every leased IPv6 address I have looked at doesn't look like it is using EUI-64. I am not sure a mobile client can insist/rely upon a lease that utilizes the EUI-64 based Interface ID.
  2. Neither our current firewall (Cisco) nor any I have investigated appear to support partial/wildcard IPv6 matching. Not a show stopper. I will build my own router if I have to; providing item 1 doesn't make the endeavor moot.

My Questions:

  • Can mobile clients (Android, Windows) be configured such that they can rely upon receiving an IPv6 lease utilizing the EUI-64 based Interface ID or is this solely controlled by the DHCPv6 server?
  • Can a static IPv6 somehow be used for this purpose (tunneling?)?
  • Is anyone aware of any vendor's commercial hardware that allows IPv6 filtering (masking) upon just the Interface ID of an IPv6 address?
  • Does anyone have any experience with this that can provide insights?

Please only reply if on topic: IPv6 Interface ID whitelisting. I am not interested in alternative strategies at this time, thank you.

Frobozz
    Whitelisting in general is not intended as a method to authenticate devices and is unsuitable for this purpose. This is just as true of IPv4 as it is of IPv6. Indeed, you don't whitelist devices on IPv4, but network locations. – Michael Hampton Jul 10 '19 at 16:23
  • GeoIP filtering solutions for routers exist; could you use that instead to at least filter per country? – yagmoth555 Jul 12 '19 at 14:44
  • Yes, I agree whitelisting should never be used for any part of AAA. But it is an excellent prefilter that discourages probing and keeps my security logs a bit more manageable. It appears this approach is impractical because EUI-64 based interface IDs are a feature controlled at the ISP's DHCPv6 servers **AND** no broadband ISP is going to implement it because of privacy concerns. Thank you all for your input. – Frobozz Jul 12 '19 at 14:23
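The following is an added example, not code from the question or from any vendor: it shows the mechanics behind both hurdles in the question. It derives the modified EUI-64 Interface ID from a MAC (RFC 4291, Appendix A: insert 0xFFFE in the middle and flip the universal/local bit), matches an address against a set of owned MACs on the low 64 bits only (the "partial/wildcard" match the firewalls lack), and, for hurdle 1, shows that a privacy-extension (random) Interface ID neither matches nor carries the 0xFFFE signature. It also recovers the MAC from an EUI-64 address, which is exactly why ISPs avoid handing out such addresses. All MACs and addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, Optional

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = Interface ID


def mac_to_modified_eui64(mac: str) -> int:
    """Modified EUI-64 Interface ID from a 48-bit MAC (RFC 4291, Appendix A).

    Split the MAC into its 24-bit OUI and 24-bit device half, insert 0xFFFE
    between them, then flip the universal/local bit (bit 1 of octet 0).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    flipped = bytes([eui64[0] ^ 0x02]) + eui64[1:]
    return int.from_bytes(flipped, "big")


def interface_id(addr: str) -> int:
    """Return the Interface ID (low 64 bits) of an IPv6 address, prefix ignored."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def looks_like_eui64(iid: int) -> bool:
    """Structural check: octets 3-4 of the IID are 0xFFFE, the EUI-64 hallmark.

    This is a heuristic: a random (privacy-extension) IID hits it with
    probability 1/65536, so it is a hint, never proof of a MAC-derived IID.
    """
    return (iid >> 24) & 0xFFFF == 0xFFFE


def iid_to_mac(iid: int) -> Optional[str]:
    """Recover the embedded MAC from an EUI-64 IID, or None if not EUI-64 shaped.

    Demonstrates the privacy problem: the hardware address is readable by any
    peer or passive observer, in every prefix the device ever uses.
    """
    if not looks_like_eui64(iid):
        return None
    b = iid.to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]  # drop the 0xFFFE filler, unflip u/l bit
    return ":".join(f"{x:02x}" for x in mac)


def is_allowed(addr: str, owned_macs: Iterable[str]) -> bool:
    """The 'match on Interface ID only' rule from the question: any /64 prefix is
    accepted as long as the low 64 bits equal the EUI-64 of an owned MAC."""
    allowed_iids = {mac_to_modified_eui64(m) for m in owned_macs}
    return interface_id(addr) in allowed_iids


def classify(addr: str, owned_macs: Iterable[str]) -> str:
    """Label an observed source address for log review (constructed categories)."""
    iid = interface_id(addr)
    if is_allowed(addr, owned_macs):
        return "eui64-owned-mac"
    if looks_like_eui64(iid):
        return "eui64-unknown-mac"
    return "non-eui64"  # what privacy extensions / DHCPv6 leases typically produce


if __name__ == "__main__":
    owned = ["00:1a:2b:3c:4d:5e"]  # constructed: a modem MAC "we own"
    samples = [  # constructed sample source addresses
        "2001:db8:1234:5678:21a:2bff:fe3c:4d5e",   # EUI-64 from the owned MAC
        "2001:db8:abcd:1:21a:2bff:fe3c:4d5e",      # same IID, different ISP prefix
        "2001:db8:1234:5678:6677:88ff:fe99:aabb",  # EUI-64 from a MAC we do not own
        "2001:db8:1234:5678:5d3a:9c01:7f2e:44b1",  # privacy-extension style random IID
    ]
    for a in samples:
        iid = interface_id(a)
        print(f"{a:42} {classify(a, owned):18} mac={iid_to_mac(iid)}")
```

Running the block prints one line per constructed address; only the first two classify as `eui64-owned-mac`, and the random-IID address yields `mac=None`, which is the situation hurdle 1 describes for real leases.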

1 Answer

No.

Mobile user experience is poor as they may not be able to control which ISP they have access to.

An IP address is not an authenticator by definitions like NIST SP 800-63B. It is not a secret, nor is it under the control of the user. The MAC address isn't even constant; it can be changed on Android (temporarily) without root.

Android is not interested in EUI-64, privacy extensions are always on.

Blacklist an entire network you never use? Log IP addresses as threat intelligence? Sure. But authorizing a user on their IP address doesn't make sense.

John Mahowald
  • I am attempting to be straightforward with the technical challenges. Honestly, I would be interested to hear how you propose to handle phones that roam between 4 ISPs (work, home, public wifi, VPN), let alone their constantly changing temporary IP addresses. – John Mahowald Jul 12 '19 at 13:50
  • Yes, actually. That is what I would like to know also - hence this post. – Frobozz Jul 12 '19 at 14:10