Proposed for discussion:
We need to start thinking about IPv6 and blocking. Also, IPv6 and IP users in general, but specifically blocking.
We will probably want to be able to extend block syntax to be able to block any combination of Routing Goop (top 64), RG + subnet (64 + 16), or MAC address (lower 48).
Being able to block on IPv6 MAC address allows us to conveniently block a persistent vandal's specific computer, even if they move it or change ISPs. Unless they're bright enough to mangle the MAC address...
On 7/17/07, George Herbert george.herbert@gmail.com wrote:
> Being able to block on IPv6 MAC address allows us to conveniently block a persistent vandal's specific computer, even if they move it or change ISPs. Unless they're bright enough to mangle the MAC address...
You can be sure that ISPs like AOL aren't suddenly going to change their mind about this whole privacy business and start exposing to the public Internet IP addresses that can be pinned down to a single customer.
On 7/17/07, Simetrical Simetrical+wikilist@gmail.com wrote:
> On 7/17/07, George Herbert george.herbert@gmail.com wrote:
> > Being able to block on IPv6 MAC address allows us to conveniently block a persistent vandal's specific computer, even if they move it or change ISPs. Unless they're bright enough to mangle the MAC address...
> You can be sure that ISPs like AOL aren't suddenly going to change their mind about this whole privacy business and start exposing to the public Internet IP addresses that can be pinned down to a single customer.
AOL is pretty much the tiny minority there; most ISPs baldly present the outside world either a DHCPed or static IP for the customer.
IPv6 will likely be similar; anyone not doing NAT or proxies right now probably won't start doing it later. And, unlike IPv4, the IPv6 addresses (if not NATed) will show us the MAC on the system involved...
This doesn't help ID the person (MAC tells you manufacturer, and sometimes model, but that's all). But it does help for blocking...
We'll have to maintain our existing mechanisms for AOL and other special cases, and anyone still using IPv4.
But it would behoove us to look to the future a bit and plan for taking advantage of it, if possible 8-)
> This doesn't help ID the person (MAC tells you manufacturer, and sometimes model, but that's all). But it does help for blocking...
It helps to confirm that two people are the same. While a checkuser that shows that two accounts are being used by people with the same ISP would at best be a "likely", a checkuser that shows two accounts are being accessed via the same network card would be a definite match (assuming the rest of the address rules out a public computer).
Thomas Dalton wrote:
> > This doesn't help ID the person (MAC tells you manufacturer, and sometimes model, but that's all). But it does help for blocking...
> It helps to confirm that two people are the same. While a checkuser that shows that two accounts are being used by people with the same ISP would at best be a "likely", a checkuser that shows two accounts are being accessed via the same network card would be a definite match (assuming the rest of the address rules out a public computer).
However, see RFC 3041, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6". If this is widely adopted, it will render MAC address blocking pointless.
-- Neil
Thomas Dalton wrote:
> > This doesn't help ID the person (MAC tells you manufacturer, and sometimes model, but that's all). But it does help for blocking...
> It helps to confirm that two people are the same. While a checkuser that shows that two accounts are being used by people with the same ISP would at best be a "likely", a checkuser that shows two accounts are being accessed via the same network card would be a definite match (assuming the rest of the address rules out a public computer).
On today's OS it's easy to change the PC's MAC. No doubt vandals will learn it fast. Even worse, if we treat as one-MAC one-user, and block by it, a vandal can vandalise with the MAC of a legitimate user (one unlogged edit is enough to disclose it), who will find themselves blocked and appear as if they were the vandal.
Platonides wrote:
> Thomas Dalton wrote:
> > > This doesn't help ID the person (MAC tells you manufacturer, and sometimes model, but that's all). But it does help for blocking...
> > It helps to confirm that two people are the same. While a checkuser that shows that two accounts are being used by people with the same ISP would at best be a "likely", a checkuser that shows two accounts are being accessed via the same network card would be a definite match (assuming the rest of the address rules out a public computer).
> On today's OS it's easy to change the PC's MAC. No doubt vandals will learn it fast. Even worse, if we treat as one-MAC one-user, and block by it, a vandal can vandalise with the MAC of a legitimate user (one unlogged edit is enough to disclose it), who will find themselves blocked and appear as if they were the vandal.
I'm not sure there's anything in the IPv6 specs to mandate the use of MAC addresses for assigning host parts: it's just one easy way to do it in a stateless way, but since it would expose the make and exact serial number of your network adapter (which is most likely built into your motherboard, these days), it's also a giant privacy hole.
I think ISPs are much more likely to allocate the host part of IPv6 addresses either dynamically (and to keep logs), or to allocate a single static IPv6 address per account.
Presumably, for a customer who wants to expose multiple IPv6 addresses, they would do something like allocate a /64 to each user, and let them pick their own host parts, perhaps using DHCPv6, which would then not necessarily have anything to do with the actual MAC address of the hosts' own network adapters.
-- Neil
wikitech-l@lists.wikimedia.org
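
An added example, not part of the original thread or of any project's code: it splits an IPv6 address into the /64 routing prefix and the interface identifier discussed above, and recovers a MAC only when the identifier is in modified EUI-64 form (RFC 4291). The function names and the `block_key` policy are hypothetical, and the sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

def split_ipv6(addr):
    """Return (routing /64 prefix, 64-bit interface identifier as int)."""
    value = int(ipaddress.IPv6Address(addr))
    prefix = ipaddress.IPv6Network(((value >> 64) << 64, 64))
    return prefix, value & ((1 << 64) - 1)

def embedded_mac(addr):
    """Return the MAC if the interface ID looks like modified EUI-64, else None.

    Modified EUI-64 inserts ff:fe between the two halves of the 48-bit MAC
    and flips the universal/local bit (0x02) of the first octet.
    """
    _, iid = split_ipv6(addr)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None  # random, DHCPv6-assigned or manually chosen host part
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)

def block_key(addr):
    """Hypothetical block-list key: MAC when recoverable, otherwise the /64."""
    prefix, _ = split_ipv6(addr)
    mac = embedded_mac(addr)
    return ("mac", mac) if mac else ("prefix", str(prefix))

# Constructed sample addresses.
SAME_HOST_ISP_A = "2001:db8:1:2:211:22ff:fe33:4455"        # EUI-64 host part
SAME_HOST_ISP_B = "2001:db8:aaaa:bbbb:211:22ff:fe33:4455"  # same card, new prefix
RANDOM_HOST_PART = "2001:db8:1:2:5c7a:91e3:4bd:f210"       # no ff:fe marker

if __name__ == "__main__":
    for a in (SAME_HOST_ISP_A, SAME_HOST_ISP_B, RANDOM_HOST_PART):
        print(a, "->", block_key(a))
```

The embedded MAC is whatever the client configured, so a match shows the same identifier was presented, not the same hardware; a randomly generated host part can also contain `ff:fe` by chance.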