On Geekiness and the Perils of Bemoaning Stupidity

17 02 2011

I would like to highlight a discussion in the RedZone forums because it leads to some interesting speculations and reveals the lack of technical knowledge in the RedZone community. The subject is “Static IP .. need to know more, please”. Before I start, I should say this post is geeky and anyone choosing to ignore it will not have missed much!

Cole Cybertar said in that discussion: “Now if something started recording MAC addresses then there would be an issue.” What he meant is that it is his belief that a MAC address is private, and its use in a detection system would be a privacy issue, whereas the use of IP addresses, in his opinion, is not. zFire agreed with a telling comment on 10th February:

I have not researched MAC Addresses.

Now if zFire would like to know more about MAC addresses, he need but ask. I won’t bore my readers with all the details now, but MAC addresses are used to communicate between devices on a single network link. They are usually tied to the hardware of your interface, and often you can use the top 3 bytes of the address (less two bits) to identify the hardware manufacturer. So yes, they give away a little more than IP addresses in terms of hardware, but as they have no network structure, they give away less in terms of location. All that is moot of course, because a spyware operation based on hijacked GET requests has no way to access your MAC address. Your address is not on any packet beyond your router, and the MAC address on the frame that zFire receives will be the MAC address of his router. So he cannot harvest these.

We have seen that Linden Labs do harvest this information in the authentication packet your SL client uses to connect to their service, and they do use this information to identify alts (it is much better than IP addresses for this purpose, although not perfect). They can do this because the client specifically packages up and sends them the information, and this is ok because Linden Labs are up front about the data collection and we agreed to it. It is also okay because Linden Labs use it for administration of their service, and do not share it with third parties.

But zFire, who has not researched MAC addresses enough to know any of this, cannot collect the data.

That is… until we move to version 6 of the Internet Protocol (IPv6).

And here, we cue crackerjack for this absolutely wonderful explanation of IPv6 in the same forum thread:

with the phasing out of ipv4 and the bringing in of ipv6, devices such as redzone should be more accurate since every interface will have a unique routable ip address, now NAT routing will no longer present a problem, for example – to save ip addresses the router was configured so that machines behind it would have a local ip address and the router would interface the internet on behalf of all the machines behind it. Some work would be required to show that two avatars were not a single rl person but two people. With ipv6 that would not be a problem since ipv6 would come with its own security and there will be no need for a router, just a network switch so the problem would boil down to a single computer and whether for example two avatars from the very same computer represented one or two rl people

Whilst this is nearly all nonsense, I was particularly tickled by “there will be no need for a router”. [0]

Again I have to resist the temptation to bore my readers with lots of irrelevant detail. But in short – IPv6 will continue to need just as many routers as IPv4.

His attempted clarification only further muddied the waters:

i believe under ipv6 both the router information and the originating computers information get passed along and that the originating computer will have an address that can be determined, so under ipv4 you would route information to the router that hides the local address but under ipv6 i think the originating computers address is given too unless i am badly mistaken, this implies also that you don’t route under ipv4 or have a ipv6 translator to deal with ipv4 requests and will be probably something that becomes more relevant after 2012

What I think crackerjack was trying to say was that we will not need to share IP addresses using network address translation devices (NAT) in IPv6. I think he has some idea that all routers are NATs, or maybe that there are no other routers other than his home NAT. Either way it is nonsense.

His argument that we don’t need NATs is, however, correct because the 128 bit address space is so astoundingly huge that, by my calculation, we could number every single network device on a global Internet 100 times larger than ours on every likely inhabitable world in the entire universe![1] So he is indeed right that we no longer need to recycle and aggregate addresses.

Thus indeed Network Address Translators will be a thing of the past (unless the world is filled with clueless media people who argue that a NAT is a security device. Hopefully reason will prevail though[2]). Every interface on every device connecting to the Internet will be able to have its own IP address. And on that crackerjack is correct, if somewhat confused.

Here is the problem: The global unicast addresses in IPv6 are designed with the enormous address space, 64 bits of interface id, to allow interface autoconfiguration. This highly attractive feature of IPv6 will allow devices to essentially choose their own IPv6 addresses, within a set structure. How do they do it?

[Figure: Structure of a Global Unicast IPv6 Address]

The default mechanism is to create a 64-bit EUI-64 interface identifier based on – you guessed it – the 48-bit MAC address! The two bytes ff:fe are inserted between the manufacturer half and the device half of the MAC, and one bit (the universal/local bit) is flipped; everything else is carried across unchanged.

[Figure: Creating an EUI-64 from an IEEE MAC-48]

Yes, that is right! IPv6 addresses will, by default, include your MAC address.

Just to remind you: Cole Cybertar said in that discussion:

Now if something started recording MAC addresses then there would be an issue.

I guess even the redzoneophiles realise now that we have an issue.

Of course, IPv6 will also make RedZone spyware trivially easy to avoid. I can reconfigure my hostid how I like. I do not need to settle for the EUI-64 interface id. With 2^64 IP addresses to choose from, I could have a new IP address every minute for the next 35,000,000,000,000 years without recycling any. I would like to see zFire match my alt from that![3]
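The EUI-64 derivation above, and the “pick your own hostid” alternative, as an added example that is not part of the original post. The MAC 00:11:22:33:44:55 and the 2001:db8::/64 documentation prefix are constructed sample inputs.

```python
import ipaddress
import secrets
from typing import Optional

def mac_to_modified_eui64(mac: str) -> bytes:
    """Interface identifier that stateless autoconfiguration derives from a MAC-48."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI (top 3 bytes) and the device-specific low 3 bytes,
    # then flip the universal/local bit (0x02 of the first octet).
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)

def slaac_address(prefix: str, mac: str) -> str:
    """Global unicast address = 64-bit routing prefix + EUI-64 interface id."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def embedded_mac(addr: str) -> Optional[str]:
    """The MAC an EUI-64 style address leaks, or None if the interface id is not of that form.
    This is the check a defender runs against their own address to see what it gives away."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                       # undo the u/l bit flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

def random_address(prefix: str) -> str:
    """Constructed alternative: a random interface id in the same /64, which reveals no hardware."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD                   # clear u/l bit: not a globally unique id
        if iid[3:5] != b"\xff\xfe":      # avoid the 1-in-65536 chance of looking EUI-64 derived
            break
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))
```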

All this is moot though. I doubt that the RedZone database even has the data structures to handle IPv6 addresses, and at present people using IPv6 are tunnelling to his server through IPv4, and are thus another source of IP aggregation. That is, they keep matching each other in that brain-dead database.


[0] I only quote crackerjack’s nonsense in full because he also said: “These are people who have no idea how their computer or the internet or second life actually works”. I just thought it an opportune moment to remind everyone that, in fact, crackerjack’s own knowledge of the Internet Protocols appears to be at the level of an interested user. There is nothing wrong with that. We cannot all be experts in these things, and it is no reflection on an individual if they have not studied the RFCs in depth! But two things I have learned are (1) Never underestimate your chosen out group. It is human nature to think your in group is more clever than your out group, but that human nature is not rational. (2) Never spout off on something you really do not understand – especially at the same time you are attempting to mock people for spouting off on things they do not understand. Oh and (3) Never trust me to stick to just two things!

Actually crackerjack went on: “… start telling the others they know about […] data protection law etc. then they go on to spout the most utter boulder dash you ever heard”. That would be “balderdash”[4], but as I think that was a jibe at me I would just make the point that it is a part of my RL work to know about and advise people in Data Protection Law.

Still crackerjack is venting though: “OK The anti redzone people are in fact so stupid they have made me very nervous but only because i hadn’t realised just how many truly uneducated morons”

I just want to take this point to make it quite plain that I am, in fact, an educated moron.

[1] I really have made this calculation. I have, of course, made some finger in the air guesses on number of inhabitable planets, loosely based on the current thoughts on this following the discovery of large numbers of exoplanets – but I think if anything I have overestimated the number of these. I will dig out the calculation if anyone is interested.

[2] One popular tech commentator argued in his IT Security podcast some years ago that NAT is a security device because it blocks out the home network. He is wrong though. NATs are typically implemented using stateful firewalls that do IP header rewriting. It is the stateful firewall that offers the protection to a network, not the header rewriting. Keep the firewall and dump the NAT.

[3] Put another way – given one /64 IP address range – the key to IPv6 autoconfiguration – I could set up a network of computers. If I kept the spacing between computers to about one meter, which is about as close together as people could comfortably sit at them to work, and I connected all these to a single router (because we cannot aggregate at less than a /64), then my network link would stretch roughly from my house to here:


The M25 – not the London orbital motorway, the other one – is about 2,000 light years away. Thus the network latency on my network would be about 4,000 years – plus a small processing latency at the router. I think this could make Second Life a little laggy, but I am willing to give it a try if anyone will donate me the computers.

[4] Balderdash: A word that was used in the Tudor period to refer to a mixture of liquors that would not normally go together.




6 responses

17 02 2011
Jenni Darkwatch

Aside from the debate about NAT, a very enlightening article as usual 🙂

Personally, I expect that ipv6 will not come to end users anytime soon. Few consumer-grade routers support it, and I doubt many people will upgrade either if the old one keeps working.

The big question will, in my entirely biased opinion, be what happens to privacy on the ‘net. Already most users have no clue about what information is and is not leaked about them on the Internet. Or more accurately, the world wide web.

I would hope against all hope that the average Internet user gets more protection rather than less, be it by various routing obfuscation techniques or by browser/email clients being less forthcoming about what info they do share.

As for RedZone: I still feel the only viable fix _has_ to come from LL or maybe TPV devs, by means of providing users with a warning whenever they connect to anyones media server. After all, RZ is not the only bad kid on the block. It’s just the one currently being crucified.

18 02 2011
Unya Tigerfish

And it’s the most vocal one with the most vocal followship. So a strike against redzone would show the smaller fish that their clocks are ticking as well. Maybe the disappearance of Redzone off the marketplace heralds a turn in the tides…

18 02 2011
Jenni Darkwatch

Certainly, yes. It might just push LL hard enough so they have to take action. Various possible solutions have been proposed already, and IMO quite a few of them would indeed kill off ZF and its ilk for good.

To be fair, I would certainly like to see better control for land owners as well. Give them access to applying blanket bans a la “Ban Jane Doe” with a checkbox “Machine ban” and/or “IP ban”.

21 02 2011
Boisterous Bolpoy

IPv6 is here, most consumer-level routers do support it — in fact, since Cisco-Linksys devices are based on Linux, most of the groundwork is already there. It’s the service providers that haven’t rolled it out yet.

In Europe and Asia-Pacific, IPv6 is here.

…and it’s true that IPv6 addresses *can be* based off of MAC addresses, but don’t have to be. In fact, by default Windows enables privacy extensions so that random IPv6 addresses are used that rotate randomly on a frequent basis. The IP address stuff that is used in RedZone largely becomes unusable, the only ability RZ has is to capture someone who logs on an alt during the lifetime of that privacy address.

As it exists, RZ will call someone who logged on in 2009 and 2011 alts… the chance of that happening in IPv6 is far more remote and it simply won’t be able to anymore.

25 02 2011

Thanks for another informative post.

I am particularly pleased to know the origins of “balderdash”. Great stuff!

12 03 2011
John Doe

I also would like to thank the author for a really amusing and technically profound elaboration on this matter.
I wasn’t aware of this RZ stuff right now and honestly I am not scared much by this bumbling approach of getting clues out of a cluttered collection of inaccurate data.
But I will follow up this thread because of the quality of the discussion here – hard to find nowadays. Thanks again.

