IPv6’s Unintended Fingerprints: Extracting Insights from EUI-64

The default method of Stateless Address Autoconfiguration (SLAAC) in IPv6 is EUI-64, which generates the Interface Identifier (the last 64 bits of an address) using a device’s MAC address. This approach results in a consistent Interface Identifier across different networks, allowing devices,and by extension their users, to be tracked.

To mitigate this privacy risk, Privacy Extensions have been introduced to randomize the Interface Identifier. However, like many technologies on the internet, adoption is inconsistent, and many devices continue to use EUI-64, either exclusively or alongside Privacy Extensions.

While earlier research has highlighted the privacy and security issues of EUI-64, little work has been done to understand the scale of its continued use or to explore the potential value of the exposed MAC addresses. This study investigates what types of devices still use EUI-64-derived addresses and what information can be extracted from them.

We examine EUI-64 usage across three environments: the local IoT Lab, our university network, and the national research and education network (NREN) SURF. In the IoT Lab, we actively scanned for IPv6-capable devices using addresses we generated from their MACs. At the university, we analysed historical snapshots of router NDP tables. From SURF, we obtained EUI-64 suffixes from flow-level data.

After extracting MAC addresses from the EUI-64 IPv6 addresses, we identified the associated manufacturers and examined how MAC addresses are structured. Using clustering algorithms like DBSCAN and statistical measures such as entropy, we discovered that some vendors, such as TP-Link, appear to generate MAC addresses in predictable sequences, suggesting sequential assignment practices.

Our findings demonstrate that it is possible to detect patterns in MAC addresses by analysing EUI-64 IPv6 addresses. These patterns can potentially be used to accelerate the discovery of similar devices on the IPv6 side of the Internet, offering new opportunities for measurement and classification but also underscoring the importance of privacy-preserving address configuration.