EUI-64

The 64-bit Extended Unique Identifier (EUI-64) is a special address format that maps device hardware network addresses into IPv6 addresses. This method makes use of IPv6’s spacious 128-bit addresses to simplify the process of generating IPv6 addresses. 

EUI-64 is a very simple and practical technique that has been used for decades to get devices on the Internet without the need for manual configuration or even the use of DHCP. However, it has recently fallen out of favor, and some widely used operating systems, such as Microsoft Windows, have stopped using it by default. 

What’s the deal with EUI-64? Let’s find out.

Summary of EUI-64 key concepts

Here’s a brief summary of the most important concepts and areas of discussion in this article.

{{banner-13="/design/banners"}}

Address mapping: IPv6 address space flexibility pays off

When IPv6 was developed, the decision to expand addresses from 32 bits all the way to 128 bits was a somewhat controversial one. At the time, some people thought this was overkill because 2¹²⁸ is such an enormous number that it seemed wasteful to have to deal with such large addresses when, perhaps, 64 bits would have sufficed. However, one of the benefits of having so many bits in addresses is that it provides flexibility to allow us to make more meaningful addresses.

IPv4 addresses traditionally have no relationship to their underlying hosts. This was necessary in part because most hardware devices have longer hardware addresses than the IPv4 address space: The most common hardware addresses are IEEE 802 MAC addresses, which are 48 bits in length, while IPv4 addresses, of course, are 32 bits long.

With IPv6, we have 128 bits at our disposal; these are normally split into 64 bits to represent the network prefix (for global routing) and 64 bits for the local identifier. It is thus easy to use those 64 local bits to map the hardware address directly into an IPv6 address. This can then be combined with the 64-bit network portion of the address and used for various purposes, such as Stateless Address Auto-Configuration (SLAAC).

Understanding EUI-64

While it is possible to map many different hardware addresses to IPv6 addresses, as mentioned earlier, IEEE 802 MAC addresses are by far the most commonly used. These 48-bit addresses are used by Ethernet (IEEE 802.3), Wi-Fi (IEEE 802.11), and Bluetooth (IEEE 802.15), which are the most popular wired, wireless, and personal area networking technologies, respectively.

The 48 bits of a MAC address are split into two blocks of 24 bits each. The first (leftmost) 24 bits are a block called the Organizationally Unique Identifier (OUI), which is a fancy name for a company ID corresponding to a hardware device manufacturer. The second 24 bits (rightmost) are then used to create unique addresses for each specific device made by the manufacturer. 

Each company that creates hardware devices will normally assign them addresses that begin with its OUI and then have unique serial numbers in the lower 24 bits. This means you can tell which company made a hardware device by looking at its MAC address.

IEEE, which defines MAC addresses, also defined a larger address format called the 64-bit extended unique identifier (EUI-64). This is like the 48-bit MAC format we all know and love, but with 16 extra bits added to the device-specific part of the address. The idea here was to provide 65,536 times more device addresses for large companies that make so many devices that 24 bits wasn’t enough (the limit there is about 16 million devices).

The form of EUI-64 used in IPv6 is actually more properly called modified EUI-64. The “modification” is to change the 7^th bit from the left from 0 to 1. This modification was specified in RFC 4291, IP Version 6 Addressing Architecture, and was intended to make the administration of certain types of hardware devices and connections easier.

Note that despite the fact that IPv6 uses a “modified” EUI-64, it is rarely called that in practice; everyone just uses the term “EUI-64” by itself.

How EUI-64 address mapping works

Even though the IEEE defined extended 64-bit hardware addresses—the “unmodified” EUI-64—most devices continue to use 48-bit addresses. Accordingly, it’s necessary to define a mapping from 48-bit MAC addresses to (modified) EUI-64. Of course, as part of this, it’s necessary to determine what to do with the extra 16 bits that are in the EUI-64 address but not the 48-bit MAC address.

This mapping is done by following a simple three-step process:

1. Split the 48-bit MAC address: Put the 24-bit OUI (the left half of the MAC address) into the leftmost 24 bits of the EUI-64 address and the 24-bit local identifier (the right half of the MAC address) into the rightmost 24 bits of the EUI-64 address.
2. Fill the middle 16 bits: Insert the value “11111111 11111110” (“FFFE” in hexadecimal) into the middle 16 bits of the EUI-64 address that weren’t filled in using bits from the MAC address.
3. Modify the EUI-64 address: Change bit 7 from the left from 0 to 1 to give the modified EUI-64 address.

This is easier to see with an example, so let’s convert the IEEE 802 MAC address 39-A7-94-07-CB-D0, as illustrated in the figure below (example and figure from The TCP/IP Guide and used with permission). Here are the three steps:

1. Split the 48-bit MAC address: We take the first 24 bits of the identifier (“39-A7-94”) and put it into the first (leftmost) 24 bits of the address. The local portion of “07-CB-D0” becomes the last 24 bits of the identifier.
2. Fill the middle 16 bits: We insert “11111111 11111110” (“FFFE” in hex) into the 16 bits between the two 24-bit values we just filled in.
3. Modify the EUI-64 address: We change bit 7 from 0 to 1. This changes the first octet of the address from 00111001 (39 in hex) to 00111011 (3B in hex).

The (modified) EUI-64 identifier thus becomes 3B-A7-94-FF-FE-07-CB-D0, or 3BA7:94FF:FE07:CBD0 in IPv6 colon hexadecimal notation. This becomes the rightmost 64 bits of the device’s IPv6 address, with the leftmost 64 bits the network identifier.

{{banner-9="/design/banners"}}

How EUI-64 Is Used in IPv6

Now that we have seen how EUI-64 mapping works, let’s pause for a bit of a recap and see how the various pieces fit together in IPv6:

• The leftmost 64 bits of the address come from the network prefix, which defines the network portion of the address.
• The MAC address comes from the hardware device.
• EUI-64 is used to map the MAC address into a 64-bit EUI-64 interface identifier.
• The network prefix and interface identifier are concatenated to make the final (global unicast) IPv6 address.
• This address can then be used by a device to access both local networks and the global Internet.

The interface identifier created via the EUI-64 process serves as the device-unique portion of the address. It is used to differentiate individual devices or interfaces within the same network or subnet.

Real-world example of EUI-64 configuration

Let’s take a look at how EUI-64 actually operates on a real device.  We’ll examine two particular cases that we often see on Cisco IOS devices.  

Generating a link-local IPv6 address

The first scenario involves generating a link-local IPv6 address on the interface of a Cisco router. Remember that the link-local IPv6 address is an IPv6 address that is automatically generated and assigned to an active IPv6 interface. Link-local addresses, as the name suggests, have only local significance, so they are never routed. Link-local addresses are of the form FE80::/10.

On a Cisco IOS device, as soon as you enable the IPv6 capability on an interface, the device will automatically generate a link-local address using the EUI-64 process by default. Take a look at this series of commands and their results.

R1#show ipv6 interface  brief
GigabitEthernet0/0     [administratively down/down]
    unassigned
GigabitEthernet0/1     [administratively down/down]
    unassigned
R1#

Initially, you can see that all IPv6 capabilities and both router interfaces are disabled.  Let’s take a look at the MAC address of GigabitEthernet0/0:

R1#show interfaces gigabitEthernet 0/1
GigabitEthernet0/1 is administratively down, line protocol is down 
Hardware is iGbE, address is 5254.001c.e726 (bia 5254.001c.e726)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
!<-- output omitted -->

The MAC address is 52:54:00:1C:E7:26. Now, let’s enable IPv6 on the GigabitEthernet0/0 interface and bring up the interface without assigning any IPv6 address:

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface gigabitEthernet 0/0
R1(config-if)#ipv6 enable 
R1(config-if)#no shutdown
R1(config-if)#
*Mar 21 11:00:41.592: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Mar 21 11:00:42.592: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#exit
R1#

The interface is now IPv6 enabled and active. Let’s see what link-local address has been assigned:

R1#show ipv6 interface gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::5054:FF:FE1C:E726 
  No Virtual link-local address(es):
  !<-- output omitted -->
R1#

The link-local address is FE80::5054:FF:FE1C:E726. If you do the math, you’ll see that this is the result of applying EUI-64 to a link-local prefix of FE80::/10 with the MAC address of the GigabitEthernet0/0 interface.

If you don’t want to use the EUI-64 method, you can always statically assign a link-local IPv6 address using the following syntax:

R1#configure terminal
R1(config)#inter gig 0/0
R1(config-if)#ipv6 address FE80::1 link-local 
R1(config-if)#exit
R1(config)#exit
R1#

{{banner-10="/design/banners"}}

Generating a Global Unicast IPv6 address

Now let’s create a global unicast IPv6 address on this interface using the EUI-64 process. Unlike the link-local IPv6 address, the global unicast address is a routable address and is assigned based on the defined IPv6 prefix for that particular interface.

For our configuration, we’ll be assigning the prefix 2001:ABCD:1234:5678::/64 to the interface, and we'll be instructing it to use the EUI-64 method to assign the specific IPv6 address for that interface.  This is achieved using the following commands:

R1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface gigabitEthernet 0/0
R1(config-if)#ipv6 address 2001:ABCD:1234:5678::/64 eui-64 
R1(config-if)#exit
R1(config)#exit

The eui-64 keyword tells the device to use this method to determine the IPv6 address. Let’s see what the resulting IPv6 global unicast address has become:

R1#show ipv6 interface brief gigabitEthernet 0/0
GigabitEthernet0/0     [up/up]
    FE80::1
    2001:ABCD:1234:5678:5054:FF:FE1C:E726
R1#

Note that the link-local address that we previously manually assigned appears in the output of the IPv6 information of this interface.

The resulting IPv6 global unicast address has become:

2001:ABCD:1234:5678:5054:FF:FE1C:E726

Once again, if you do the math, you can see that if you apply the EUI-64 process to the 2001:ABCD:1234:5678::/64 prefix along with the MAC address of the particular interface, the result is the IPv6 address shown above.

Advantages and disadvantages of EUI-64

The benefits of EUI-64 generally relate to practical considerations: simplicity and administrative efficiency. More specifically, having device hardware addresses and IPv6 addresses directly linked provides value in the following areas:

• Support for autoconfiguration: It is easy to generate an appropriate globally routable local address from any hardware device using its hardware address and a process such as SLAAC.
• Address harmonization: Administrators no longer must keep track of two separate, unrelated addresses for each device.
• Troubleshooting: When troubleshooting devices, administrators must often switch back and forth between working with IP addresses and hardware addresses. Using EUI-64 makes this simpler because seeing the IP address of a device indicates immediately what the MAC address is and vice versa.

One disadvantage of EUI-64 is that tying the hardware address to the IP address means that if the hardware address changes, the IP address needs to change as well. In practice, this is a relatively minor consideration most of the time because hardware doesn’t change that often—this is something that typically occurs in the scope of years, not hours or days.

The bigger concerns with EUI-64 are those old bugbears that administrators know too well: privacy and security. 

EUI-64 privacy and security issues

To understand the issue here, it’s necessary to first have a small digression into network design philosophy. One of the fundamentals of network design is the use of layers, which allow different technologies to interoperate while hiding unnecessary details that would cause complications in the implementation of each technology. One important facet of this is that “detail hiding” using layers also enhances security and privacy.

Linking hardware device addresses to IP addresses offers practical benefits, as explained above. However, it violates one of the tenets of layer design, which is that an address in one layer (the hardware address) should not be tied to the addresses at another (the IP address). This represents a form of information sharing that can be problematic in our modern world of hackers and trackers.

More specifically, being able to tell the hardware address of a device from its IP address is a convenience for administrators, but this same information is available to everyone else as well. IP addresses are used on the global Internet, which means that if you are using EUI-64, every request to every online resource or service is telling that resource or service what your hardware device address is. 

Now consider how many of the devices we use these days are mobile. If the IP address is always generated based on the hardware device, and the hardware device address doesn’t change, it becomes possible to keep track of the device as it moves from one network to another, representing a clear privacy concern. Specific scenarios have been identified by security analysts that would allow a mobile device to be tied back to a home network and tracked as it moves around.

In addition to this issue, there’s further information revealed by the hardware address that gets put out over the Internet when EUI-64 is used. As discussed earlier, the first 24 bits of the hardware address are the organizationally unique identifier, or OUI. The OUIs of all device manufacturers are recorded in a public database, which means that using EUI-64 tells everyone on the Internet which company’s hardware you are using. While this may not be an issue most of the time, there are situations where it could be very problematic to advertise what hardware you are using. For example, if there’s a known exploit for a particular hardware manufacturer or model, this could make you a target for attacks.

Current status of EUI-64

Unfortunately, EUI-64 is another technology that falls into the ever-expanding category of “good ideas ruined by bad actors.” It has a number of benefits that we explained above, but as originally defined, it introduces risks and concerns significant enough to outweigh the benefits in many cases.

The security risks that EUI-64 introduces stem from the fact that the unique MAC address of a device can be easily derived from the IPv6 address assigned to it.  Malicious users can use this fact to perform many of the following attacks:

• Device tracking: Because the MAC address is unique to each device, incorporating it into the IPv6 address makes it easier to track specific devices as they move between networks, especially mobile devices such as laptops, smartphones or tablets.
• Privacy leakage: The use of a consistent, unique identifier in the IPv6 address can reveal information about a user's device, such as make, model, and even approximate date of manufacture, which can potentially expose the user to targeted attacks.
• Predictable addresses: Because EUI-64 generated addresses are predictable, the use of this technique can simplify the scanning and targeting of specific devices on a network by an attacker.

Because of these potential security risks, the use of EUI-64 has become less popular in recent years in favor of different approaches and alternate methods. Leading hardware manufacturer Cisco still uses it by default for link-local addresses, as does MacOS. However, many other hardware and software companies have changed tactics to one or more of the approaches outlined below.

One alternative approach is simply to stop using EUI-64 and just use a random number for the 64-bit device-specific portion of the IPv6 address. This sort of “brute-force” solution solves the privacy/security issues with EUI-64, but, of course, comes at the cost of no longer having any of its advantages. This is the method that Microsoft Windows uses; due to the prevalence of that operating system family, this means that a large percentage of devices online no longer use EUI-64.

The Internet Engineering Task Force (IETF), which defines the “RFC” standards that govern the Internet Protocol and other Internet technologies, actually recognized the potential concerns with EUI-64 many years ago. RFC 4941, Privacy Extensions for Stateless Address Autoconfiguration in IPv6, is a standard defining a method for avoiding the privacy concerns when using SLAAC in IPv6. In simple terms, it also uses random identifiers that change periodically to avoid the potential concerns of having a static IPv6 address tied to a specific hardware device.

Conclusion

In this article, we looked at the 64-bit Extended Unique Identifier (EUI-64), a special format that converts common device hardware addresses—such as those used in Ethernet and Wi-Fi—into IPv6 addresses. This simple method has been used for years to make IP address generation simple and enhance the maintainability of networks. We looked at how EUI-64 mapping works, both in theory and using a real-world example.

Unfortunately, bad actors have found ways to create privacy and security problems when hardware and IPv6 addresses are closely matched. As a result, many systems have moved away from using EUI-64 over the last few years, though it can still be useful in some implementations and is still important for any network administrator to understand.