An IPv6 address consists of three parts: the Global Routing Prefix, the Subnet ID and the Interface ID. The Interface ID identifies an interface of a particular node and is unique within the subnet.
A node can auto-generate the Interface ID part of its own IPv6 address using one of two methods:
- EUI-64 (Extended Unique Identifier 64-bit) – not recommended
- Interface Identifier – recommended
The EUI-64 method automatically generates a 64-bit Interface ID from the MAC address of the device.
As seen in the image below, we take the OUI (Organizationally Unique Identifier)¹ out of the MAC address and place it at the start of the Interface ID, flipping its 7th bit (the universal/local bit). Then we insert the FF FE section and, as the last step, we append the NIC part² of the MAC address.
What’s wrong about it?
You may have already noticed that the whole concept behind this mechanism can be misused: the L3 address contains exact information about the L2 address.
This creates an opportunity to track the device, because whichever network it connects to, the second half of the IPv6 address it generates is always the same. A user cannot connect anonymously to any network if someone knows the EUI-64 interface identifier of their device. This can be exploited in many different ways, for example by websites and apps associating different IPv6 addresses with a particular device or user.
To address this and to help improve user privacy, Random Interface Identifiers were developed. When Random Interface Identifiers are used, the MAC address is not involved at all; a randomly generated hexadecimal string is used instead.
How to mitigate it?
We should always use Random Interface Identifiers (operating systems from Windows Vista onward, as well as Linux, use this method). On the other hand, there are (older) network devices from multiple vendors that still use EUI-64. Network administrators should examine every IPv6 address on every Network Interface Card of every network device under their control to verify that there is not a single EUI-64 generated IPv6 address on the network. If a given device offers no Random Interface Identifier option, you should configure a static IPv6 address instead. On Cisco devices, for example, this is accomplished as follows:
To enable automatic configuration of IPv6 addresses using stateless autoconfiguration on an interface and enable IPv6 processing on the interface, use the ipv6 address autoconfig command in interface configuration mode.
ipv6 address autoconfig
To remove the address from the interface, use the no form of this command.
no ipv6 address autoconfig
Then configure a static IPv6 address.
ipv6 address 2001:0BB9:AABB:1234:1111:2222:3333:4444/64
On any other device, the network administrator should follow the manufacturer's guidelines.
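The derivation shown in the image above and the audit recommended in the mitigation section, as an added example that is not part of the original article: the script derives an EUI-64 Interface ID from a MAC address, then scans a constructed inventory of addresses for the FF:FE marker and recovers the embedded MAC so the administrator knows which hosts to reconfigure. All addresses and MACs below are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Derive the 8-byte EUI-64 Interface ID from a 48-bit MAC address:
    OUI (with the 7th bit flipped) + FF:FE + NIC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    first = octets[0] ^ 0x02  # flip the universal/local bit (7th bit)
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Full address a node would derive from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac))


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in an EUI-64 style Interface ID, or None.
    A random IID contains FF:FE at this position only by chance (1 in 65536),
    so a hit is a strong but not absolute indicator; confirm against the NIC."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the bit flip
    return ":".join(f"{b:02x}" for b in octets)


def audit(addresses: Iterable[str]) -> Dict[str, str]:
    """Map each address that looks EUI-64 derived to its recovered MAC."""
    findings = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            findings[addr] = mac
    return findings


# Constructed inventory: one static address, one random IID, two EUI-64 IIDs.
SAMPLE_ADDRESSES = [
    "2001:0BB9:AABB:1234:1111:2222:3333:4444",
    "2001:db8:1:2:a5c3:7e21:9b04:d6f8",
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",
    "fe80::21a:2bff:fe3c:4d5e",
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_ADDRESSES).items():
        print(f"{addr} -> EUI-64 derived from MAC {mac}")
```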
EUI-64 is one of two methods used to auto-generate the Interface ID part of an IPv6 address. It is highly recommended not to use this method, because it can be exploited in many different ways, for example by websites and apps associating different IPv6 addresses with a particular device or user. Random Interface Identifiers were developed to address the problems with EUI-64. When a device does not support Random Interface Identifiers, a static IPv6 address should be used.