Follow the Scent: Defeating IPv6 Prefix Rotation Privacy
Erik C. Rye, Robert Beverly, kc claffy

TL;DR
This paper reveals how legacy IPv6 addressing schemes embedded in edge routers undermine privacy mechanisms like prefix rotation, enabling large-scale tracking of IPv6 clients through active probing and measurement campaigns.
Contribution
It uncovers the widespread presence of legacy IPv6 address schemes that compromise privacy, develops measurement techniques to exploit this, and demonstrates large-scale tracking of IPv6 clients.
Findings
Over 9 million affected edge routers identified
Approximately 13,000 prefixes using prefix rotation discovered
Ability to remotely track IPv6 client address movements demonstrated
Abstract
IPv6's large address space allows ample freedom for choosing and assigning addresses. To improve client privacy and resist IP-based tracking, standardized techniques leverage this large address space, including privacy extensions and provider prefix rotation. Ephemeral and dynamic IPv6 addresses confound not only tracking and traffic correlation attempts, but also traditional network measurements, logging, and defense mechanisms. We show that the intended anti-tracking capability of these widely deployed mechanisms is unwittingly subverted by edge routers using legacy IPv6 addressing schemes that embed unique identifiers. We develop measurement techniques that exploit these legacy devices to make tracking such moving IPv6 clients feasible by combining intelligent search space reduction with modern high-speed active probing. Via an Internet-wide measurement campaign, we discover more…
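The abstract's central point, that an identifier embedded in the low 64 bits survives a change of prefix, can be checked against your own address logs. The following is an added example, not code from the paper or its authors. It assumes the legacy scheme is modified EUI-64 (RFC 4291), which this page does not name; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    Assumption: the identifier-embedding scheme is modified EUI-64, where
    ff:fe is inserted in the middle of the MAC and the U/L bit is flipped.
    A random interface ID matches the ff:fe marker by chance about once
    in 65536, so treat a single hit as a hint, not proof.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)

def stable_ids_across_prefixes(addrs, prefix_len=64):
    """Map each embedded MAC to the distinct prefixes it appeared in.

    Only identifiers seen under more than one prefix are returned: those
    are the devices for which prefix rotation provides no unlinkability.
    """
    seen = defaultdict(set)
    for a in addrs:
        mac = eui64_mac(a)
        if mac is not None:
            net = ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
            seen[mac].add(str(net))
    return {m: sorted(p) for m, p in seen.items() if len(p) > 1}

# Constructed sample: addresses from the 2001:db8::/32 documentation range,
# with an interface ID built from the documentation MAC 00:00:5e:00:53:01.
SAMPLE_LOG = [
    "2001:db8:1:a:200:5eff:fe00:5301",    # router address before rotation
    "2001:db8:7:c3:200:5eff:fe00:5301",   # same router after rotation
    "2001:db8:1:a:9c1e:44d2:7b0a:13f6",   # randomized interface ID
]

if __name__ == "__main__":
    for mac, prefixes in stable_ids_across_prefixes(SAMPLE_LOG).items():
        print(f"{mac} is linkable across {len(prefixes)} prefixes: {prefixes}")
```

Run over the addresses your own edge routers have held, a non-empty result identifies devices whose addressing mode should be changed to randomized or opaque interface IDs.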
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · IPv6, Mobility, Handover, Networks, Security
