[184338] in North American Network Operators' Group
Re: Question re session hijacking in dual stack environments w/MacOS
daemon@ATHENA.MIT.EDU (Mark Andrews)
Fri Oct 2 04:17:03 2015
X-Original-To: nanog@nanog.org
To: Valdis.Kletnieks@vt.edu
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Fri, 02 Oct 2015 03:46:40 -0400."
<132752.1443772000@turing-police.cc.vt.edu>
Date: Fri, 02 Oct 2015 18:16:54 +1000
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
In message <132752.1443772000@turing-police.cc.vt.edu>, Valdis.Kletnieks@vt.edu
writes:
> On Fri, 02 Oct 2015 00:46:47 -0500, Doug McIntyre said:
>
> > I suspect this is OSX implementing IPv6 Privacy Extensions. Where OSX
> > generates a new random IPv6 address, applies it to the interface, and then
> > drops the old IPv6 addresses as they stale out. Sessions in use or not.
>
> Isn't the OS supposed to wait for the last user of the old address to close
> their socket before dropping it?
Browser talks to server with temp address 1. Sockets close. New
temp address generated. User clicks submit. New temp address used.
It is stupid web site design to assume that addresses will be stable
even within a session.
> > sudo sysctl -w net.inet6.ip6.use_tempaddr=0
> >
> > sudo sh -c 'echo net.inet6.ip6.use_tempaddr=0 >> /etc/sysctl.conf'
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
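The failure mode discussed in this thread, shown as an added example that is not part of the original messages or of any ISC or Apple code: a session store that pins a login to the exact client address breaks as soon as the client rotates to a new RFC 4941 temporary address, while one that compares only the /64 prefix survives the rotation (temporary addresses keep the prefix and change only the interface identifier). The addresses are constructed from the 2001:db8::/32 documentation prefix and 192.0.2.0/24; the class, function and policy names are hypothetical and chosen for illustration only.

```python
import ipaddress
import secrets

# Constructed sample client addresses (documentation ranges, not real hosts).
TEMP_ADDR_1 = "2001:db8:1:2:5d7a:9c1e:2b44:f0e1"   # first temporary address
TEMP_ADDR_2 = "2001:db8:1:2:a9f0:11c2:77d3:0b6e"   # rotated address, same /64
OTHER_PREFIX = "2001:db8:9:9:a9f0:11c2:77d3:0b6e"  # a different network
V4_ADDR = "192.0.2.10"                             # dual-stack fallback to IPv4


def address_key(addr_text):
    """Return the part of a client address that stays stable while RFC 4941
    temporary addresses rotate: the /64 prefix for IPv6, the full address for
    IPv4 (IPv4 clients do not rotate addresses in this way)."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6:
        return str(ipaddress.ip_network((addr, 64), strict=False))
    return str(addr)


class SessionStore:
    """Hypothetical session store with three address-binding policies:
       'exact'  - session valid only from the address seen at login
       'prefix' - session valid from any address in the login /64 (IPv6)
       'none'   - session bound to the token only, never to the address"""

    def __init__(self, policy="none"):
        if policy not in ("exact", "prefix", "none"):
            raise ValueError("unknown policy: %r" % policy)
        self.policy = policy
        self.sessions = {}

    def create(self, user, client_addr):
        # An unguessable token is what actually identifies the session.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user": user,
            "addr": client_addr,
            "key": address_key(client_addr),
        }
        return token

    def validate(self, token, client_addr):
        """Return the user name for a live session, or None if the request
        must be rejected under the store's address policy."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.policy == "exact" and sess["addr"] != client_addr:
            return None
        if self.policy == "prefix" and sess["key"] != address_key(client_addr):
            return None
        return sess["user"]


def demo(user="alice"):
    """Log in from TEMP_ADDR_1 under each policy, then replay the token from
    the three follow-up addresses. Returns {policy: (rotated, other_prefix,
    ipv4)} where each entry is the user name if accepted or None if rejected."""
    results = {}
    for policy in ("exact", "prefix", "none"):
        store = SessionStore(policy)
        token = store.create(user, TEMP_ADDR_1)
        results[policy] = (
            store.validate(token, TEMP_ADDR_2),    # same /64, new temp address
            store.validate(token, OTHER_PREFIX),   # moved to another network
            store.validate(token, V4_ADDR),        # fell back to IPv4
        )
    return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

Under the `exact` policy the user is logged out by nothing more than the OS rotating its temporary address mid-session, which is the behaviour the original poster observed. The `prefix` policy tolerates that rotation but still rejects a dual-stack client that drops from IPv6 to IPv4 between requests, so it only narrows the problem. Binding the session to the token alone, as the reply above argues, is the only policy that does not depend on address stability; if address changes matter for risk scoring, log them rather than terminating the session.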