[184119] in North American Network Operators' Group
Re: Question re session hijacking in dual stack environments w/MacOS
daemon@ATHENA.MIT.EDU (Ca By)
Sat Sep 26 10:47:05 2015
In-Reply-To: <FCD26398C5EDE746BFC47F43EA52A17305EF20@dino.ad.hostasaurus.com>
Date: Sat, 26 Sep 2015 07:47:02 -0700
From: Ca By <cb.list6@gmail.com>
To: David Hubbard <dhubbard@dino.hostasaurus.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
On Saturday, September 26, 2015, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
> Hey all, as we've slowly deployed IPv6 to our end users, it has begun to
> cause some issues for those on Macs specifically.  Apple apparently has
> an algorithm at some point in the network stack to decide whether IPv4
> or IPv6 is, perhaps, 'better' or 'faster' at any given point in time
> during an ongoing session.  This allows a computer talking to a dual
> stack remote website to flip-flop between v4 and v6 as activity is
> conducted.
>
> Websites that require some type of authentication that is handled via
> session cookies have been booting our users out randomly with "your ip
> address has changed" type message.  This occurs when their Mac decides
> to switch between protocols because the site views it as a session
> hijacking attempt when Joe User with session ID xyz switches from
> 192.0.2.10 to 2001:db8::1:1:a or vice versa.
>
> Has anyone run into this?  Our users on other platforms don't seem to
> have this issue; Linux and MS desktops seem to just use v6 if it's
> available and v4 if not.
>
> Thanks,
>
> David
>
Info about Apple and their unique IPv6 selection process
 https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html
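
The failure described in the quoted message, as an added example that is not part of either post: a strict per-session IP comparison next to one possible family-aware policy, run over the two addresses from the thread. The `FamilyAwareSession` class, the prefix widths and the `reauth` outcome are assumptions made for illustration, not something either poster or any named site uses.

```python
import ipaddress

# Assumed comparison widths; tune to how the access network assigns addresses.
PREFIX = {4: 24, 6: 64}

def normalize(ip):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr

def strict_check(bound_ip, current_ip):
    """Behaviour described in the thread: any address change ends the session."""
    return normalize(bound_ip) == normalize(current_ip)

class FamilyAwareSession:
    """Hypothetical policy: the session keeps one bound network per address family."""

    def __init__(self, first_ip):
        self.bound = {}
        self.bind(first_ip)

    def bind(self, ip):
        """Record the client's network for its family (call only after authentication)."""
        addr = normalize(ip)
        self.bound[addr.version] = ipaddress.ip_network(
            f"{addr}/{PREFIX[addr.version]}", strict=False)

    def check(self, ip):
        """Return 'allow', 'reauth' (family not seen yet) or 'reject'."""
        addr = normalize(ip)
        net = self.bound.get(addr.version)
        if net is None:
            # A first-seen family is not trusted on the cookie alone:
            # silently allowing it would remove the binding entirely.
            return "reauth"
        return "allow" if addr in net else "reject"

# The two addresses from the thread.
V4, V6 = "192.0.2.10", "2001:db8::1:1:a"

if __name__ == "__main__":
    print("strict:", strict_check(V4, V6))       # the false positive
    s = FamilyAwareSession(V4)
    print("first v6 request:", s.check(V6))
    s.bind(V6)                                   # after the user re-authenticates
    print("later v6 request:", s.check(V6), "| back to v4:", s.check(V4))
```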