This post contains the report from the study phase for our paper “A New Approach for Detection of Host Identity in IPv6 Networks”, which will be presented at DCNET 2013. In that phase, we analysed the behaviour of various operating systems during SLAAC and DAD. This post also contains PCAP files that we believe may be useful for other researchers or engineers. In this post, addresses generated according to RFC 4941 are called PE addresses, and addresses with a randomly generated interface identifier (IID) used by Windows are called random addresses, even though the random part of the address is generated just once. The credit for most of the work goes to Martin Holkovič.
Monitoring network
We tested the operating systems on virtual machines in VMware Workstation 7.1; the network cards of the virtual machines were operating in Host-Only mode. You can see the topology in the following image: [image]. Additionally, a Cisco 3725 router was connected to the topology: [image].
Performed tests
Selection of a new address
- The router is connected to the network and the tested interface is down on the tested OS
- The tested interface is enabled and consequently, the OS generates a new address
Does the tested computer reply to DAD-NS (EUI-64, static, random, PE address)?
- The router, the tested computer and a virtual PC with Ubuntu are present in the tested network.
- The tested address (EUI-64, static, random, PE) is set on the Ubuntu computer, consequently Ubuntu issues DAD and the tested OS should reply with the NA.
Does the tested computer use duplicate EUI-64 address?
- The router, the tested computer and a virtual PC with Ubuntu are present in the tested network. The tested interface is down.
- The tested system is configured to generate EUI-64 if necessary.
- Ubuntu is set up to use the same MAC address as the tested computer has.
- The tested interface is enabled, the OS generates the same address as the Ubuntu computer already has. Ubuntu replies with NA.
Does the tested computer use duplicate global EUI-64 address?
- Only the systems with EUI-64 addresses enabled by default were tested
- The router, the tested computer and a virtual PC with Ubuntu are present in the tested network. The tested interface is down.
- Ubuntu is set up to use the same IPv6 address as the tested computer would use as EUI-64 address.
- The tested interface is enabled, the OS generates the same address as the Ubuntu computer already has. Ubuntu replies with NA.
Does the tested computer use duplicate random address?
- Only the systems with random addresses enabled by default were tested (newer Windows).
- The router, the tested computer and a virtual PC with Ubuntu are present in the tested network. The tested interface is down.
- Ubuntu is set up to use the same IPv6 address as the tested computer would use as random address (the IID is generated once and then it stays constant).
- The tested interface is enabled, the OS generates the same address as the Ubuntu computer already has. Ubuntu replies with NA.
Does the tested computer use duplicate PE address?
- PE addresses are enabled on the tested OS.
- The router, the tested computer and a virtual PC with Ubuntu are present in the tested network. The tested interface is down.
- A script that replies with NA to all PE addresses is started on the computer with Ubuntu. The script does not reply to EUI-64 addresses (link-local, global) or to the random addresses used by the tested Windows computers.
- The tested interface is enabled, the OS generates PE address and the script replies with NA.
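The outcomes of these tests can be read back from a capture by pairing each DAD-NS with any NA that answers it. The following sketch is an added example, not the script used in the tests or the method from the paper: it classifies DAD targets against the EUI-64 IID derived from the sender's MAC and counts how many other candidates failed DAD. The event tuple format, the 1-second window, the function names and all MAC and IPv6 addresses are assumptions constructed for illustration.

```python
import ipaddress

def eui64_iid(mac):
    """Modified EUI-64 IID for a 48-bit MAC: flip the U/L bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", ""))
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def classify(target, mac, random_iids=()):
    """Label a DAD-NS target as 'eui64', 'random' (known constant IID) or 'other'."""
    iid = int(ipaddress.IPv6Address(target)) & (2**64 - 1)
    if iid == eui64_iid(mac):
        return "eui64"
    return "random" if iid in random_iids else "other"

def dad_outcomes(events, random_iids=(), window=1.0):
    """events: (time, kind, src_mac, target); kind is 'NS' (DAD probe) or 'NA'.
    A probe answered within `window` seconds by an NA from another MAC is a
    duplicate; the window length is an assumption of this example."""
    results = []
    for t, kind, mac, target in events:
        if kind != "NS":
            continue
        tgt = ipaddress.IPv6Address(target)
        dup = any(k == "NA" and m != mac and ipaddress.IPv6Address(a) == tgt
                  and 0 <= ts - t <= window for ts, k, m, a in events)
        results.append((mac, str(tgt), classify(target, mac, random_iids),
                        "duplicate" if dup else "assigned"))
    return results

def summarize(events, mac, random_iids=()):
    """Addresses the host may use, and how many 'other' candidates failed DAD."""
    rows = [r for r in dad_outcomes(events, random_iids) if r[0] == mac]
    assigned = [addr for _, addr, _, state in rows if state == "assigned"]
    failed = sum(1 for _, _, kind, state in rows
                 if kind == "other" and state == "duplicate")
    return assigned, failed

# Constructed sample events (not taken from the published PCAP files).
HOST, RESPONDER = "00:0c:29:12:34:56", "00:0c:29:aa:bb:cc"
EVENTS = [(0.0, "NS", HOST, "fe80::20c:29ff:fe12:3456"),
          (1.5, "NS", HOST, "2001:db8:1::20c:29ff:fe12:3456")]
for i in range(5):  # five temporary-address candidates, each answered with an NA
    pe = f"2001:db8:1::a1b2:c3d4:e5f6:{i + 1:x}"
    EVENTS += [(2.0 + i, "NS", HOST, pe), (2.1 + i, "NA", RESPONDER, pe)]

if __name__ == "__main__":
    print(summarize(EVENTS, HOST))
```

On the constructed events, the two EUI-64 addresses pass DAD and the count of failed candidates is 5; a static address would also be labelled "other", so the count is meaningful only when the host is known to use SLAAC with PE.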
Captured PCAP files
During the test, we captured various PCAP files that can be downloaded and used for your analysis. We have also analysed the PCAP files, see the following section and the publications below.
- POLČÁK Libor, HOLKOVIČ Martin and MATOUŠEK Petr. A New Approach for Detection of Host Identity in IPv6 Networks. In: Proceedings of the 4th International Conference on Data Communication Networking, 10th International Conference on e-Business and 4th International Conference on Optical Communication Systems. Reykjavík: SciTePress – Science and Technology Publications, 2013, pp. 57-63. ISBN 978-989-8565-72-3.
- POLČÁK Libor, HOLKOVIČ Martin and MATOUŠEK Petr. Host Identity Detection in IPv6 Networks. In: E-Business and Telecommunications. Berlin: Springer Verlag, 2014, pp. 74-89. ISBN 978-3-662-44787-1. ISSN 1865-0929. (This is an extended version of the previous paper.)
- POLČÁK, Libor. Lawful Interception: Identity Detection. Brno, 2017. PhD. Thesis. Brno University of Technology, Faculty of Information Technology. 2017-10-13. Supervisor Švéda Miroslav.
Test results
The test results are presented in the following table.
Name | Version | Kernel | Uses PE addresses by default | Does the tested computer reply to DAD-NS (static address)? | The tested computer does not use duplicate static address | EUI-64: replies to DAD / does not use duplicate address | Does not use duplicate EUI-64 global address when PE are turned on | Random addresses: replies to DAD / does not use duplicate address | Privacy extension addresses: replies to DAD / does not use duplicate address / number of attempts |
---|---|---|---|---|---|---|---|---|---|
CentOS | 6.2 | 2.6.32 | No | Yes | Yes | Yes / Yes | Yes | - [1] | Yes / Yes / 5 |
Debian | 3.1 | 2.4.27 | No | Yes | was not tested | Yes / Yes | - [2] | - | - [2] |
Debian | 6.0.4 | 2.6.32 | No | Yes | Yes | Yes / Yes | Yes | - [1] | Yes / Yes / 5 |
Fedora | 16 | 3.1.0 | No | Yes | Yes | Yes / Yes | Yes | - [1] | Yes / Yes / 5 |
FreeBSD | 9.0 | - | No | Yes | Yes, tested on 9.1 | Yes [5] / Yes | Yes [3] | - [1] | Yes / Yes / 1 [4] |
Linux Mint | 12 | 3.0.0 | No | Yes | Yes | Yes / Yes | Yes | - [1] | Yes / Yes / 5 |
Mac OS X | 10.6.2 | 10.2 | No | Yes | - | Yes / Yes | Yes [3] | - [1] | Yes / Yes / 1 [4] |
Mandriva | One 2011 | 2.6.38 | No | Yes | was not tested | Yes / Yes | Yes | - [1] | Yes / Yes / 5 |
OpenBSD | 5.0 | - | No | Yes | Yes | Yes / Yes | Yes [3] | - [1] | Yes / Yes / 1 [4] |
Red Hat | 5 | 2.6.18 | No | Yes | was not tested | Yes / Yes | Yes | - [1] | Yes / Yes / 5 |
Solaris | 5.11 | - | No | [6] | Yes | Yes / Yes | Yes [3] | - [1] | Yes / Yes / 5 |
Ubuntu | 10.04 LTS | 2.6.32 | No | Yes | was not tested | Yes / Yes | Yes | - [1] | Yes / Yes / 5 |
Ubuntu | 11.10 | 3.0.0 | No | Yes | was not tested | Yes / Yes | Yes | - [1] | Yes / Yes / 5 |
Windows 7 | - | 6.1 | Yes | Yes | Yes | Yes [5] / Yes | Yes | Yes / Yes | Yes / Yes / 7 |
Windows 7 | SP1 | 6.1 | Yes | Yes | was not tested | Yes [5] / Yes | Yes | Yes / Yes | Yes / Yes / 7 |
Windows 8 | consumer preview | 6.2 | Yes | Yes | Yes | Yes [5] / Yes | Yes | Yes / Yes | Yes / Yes / 7 |
Windows Server 2008 R2 | SP1 | 6.1 | No | Yes | was not tested | Yes [5] / Yes | Yes | Yes / Yes | Yes / Yes / 7 |
Windows Vista | - | 6.0 | Yes | Yes | was not tested | Yes [5] / Yes | Yes | Yes / Yes | Yes / Yes / 7 |
Windows Vista | SP2 | 6.0 | Yes | Yes | was not tested | Yes [5] / Yes | Yes | Yes / Yes | Yes / Yes / 7 |
Windows XP | SP3 | 5.1 | No | Yes | Yes | Yes / Yes | Yes | - [1] | Yes / Yes / 7 |
Notes to the tests
- 1. Random addresses:
  - They are only supported on Windows Vista and newer.
- 2. Privacy extension addresses:
  - PE was not configured.
- 3. EUI-64 global addresses – reaction to duplicate address:
  - Tested OS keeps the address but it is marked as duplicate and it is not used by the OS (e.g. DAD, ping).
- 4. Privacy extension addresses – reaction to duplicate address:
  - Only one PE is tried, it is kept after DAD but it is marked as duplicate and it is not used by the OS (e.g. DAD, ping).
- 5. EUI-64 – reaction to DAD:
  - Marked systems ignore DAD from the same MAC address as is used by the system.
- 6. Solaris – static address:
  - Static address was not tested because it was not used by the system.