What is EUI-64 and How is it Generated?

Introduction

EUI-64 (Extended Unique Identifier-64) is a method used to automatically generate IPv6 interface identifiers from a network device's MAC address. This technique was designed to simplify IPv6 address configuration by leveraging the unique hardware identifier already present in every network interface card. While elegant in concept, EUI-64 has become controversial due to significant privacy implications, leading to the development of alternative addressing methods.

Understanding EUI-64: Definition and Purpose

EUI-64 is a standardized method for creating 64-bit interface identifiers from 48-bit MAC addresses. In IPv6, addresses are 128 bits long, divided into two parts:

• The first 64 bits: network prefix (identifies the network)
• The last 64 bits: interface identifier (identifies the specific device)

The primary purpose of EUI-64 was to enable Stateless Address Autoconfiguration (SLAAC), allowing devices to automatically configure their own IPv6 addresses without requiring a DHCP server. By deriving the interface identifier from the MAC address, every device could generate a unique, globally routable IPv6 address with minimal configuration.

Benefits of EUI-64

The EUI-64 approach offered several advantages:

• Administrative Efficiency: Eliminates manual IPv6 address assignment
• Simplicity: Automatic address generation requires no additional infrastructure
• Uniqueness: MAC addresses are globally unique, ensuring no address conflicts
• Ease of Troubleshooting: Network administrators can identify devices by recognizing their MAC address within the IPv6 address

The Modified EUI-64 Generation Process

The actual format used in IPv6 is called Modified EUI-64, involving three specific steps to transform a 48-bit MAC address into a 64-bit interface identifier.

Step 1: Split the MAC Address

A MAC address consists of 48 bits (6 bytes), typically written in hexadecimal format separated by colons or hyphens:

Example MAC Address: FC-99-47-75-CE-E0

The MAC address is divided into two 24-bit segments:

• OUI (Organizationally Unique Identifier): First 24 bits (FC-99-47)
• Device Identifier: Last 24 bits (75-CE-E0)

Step 2: Insert FFFE in the Middle

To expand the 48-bit MAC address to 64 bits, the hexadecimal value FFFE (16 bits) is inserted between the two 24-bit segments:

Original MAC:    FC-99-47       75-CE-E0
After Insertion: FC-99-47-FF-FE-75-CE-E0

This distinctive FFFE pattern serves as a clear indicator that an IPv6 address was generated using EUI-64.

Step 3: Flip the Universal/Local (U/L) Bit

The seventh bit from the left (the U/L bit in the first byte) is inverted:

• If the bit is 0, change it to 1
• If the bit is 1, change it to 0

This bit flip changes the meaning from "locally administered" to "globally unique" (or vice versa).

For our example:

First Byte: FC (binary: 11111100)
Flip bit 7:     (binary: 11111110)
Result: FE (hexadecimal)

The final modified EUI-64 becomes: FE99:47FF:FE75:CEE0

Complete Step-by-Step Example

Let's walk through a complete example with MAC address 39-A7-94-07-CB-D0:

Detailed Calculation:

Original MAC Address:

39-A7-94-07-CB-D0

Step 1 - Split into two parts:

Left 24 bits:  39-A7-94
Right 24 bits: 07-CB-D0

Step 2 - Insert FFFE:

39-A7-94-FF-FE-07-CB-D0

Step 3 - Flip bit 7 of first byte:

First byte: 39 (hex) = 00111001 (binary)
Flip bit 7:            00111011 (binary)
Result: 3B (hex)

Final Modified EUI-64 Interface Identifier:

3BA7:94FF:FE07:CBD0

Creating the Complete IPv6 Address

If the network prefix is 2001:db8:1234:5678::/64, the complete IPv6 address becomes:

Network Prefix:    2001:0db8:1234:5678
Interface ID:      3ba7:94ff:fe07:cbd0
Complete Address:  2001:0db8:1234:5678:3ba7:94ff:fe07:cbd0

Understanding the U/L Bit Flip

The universal/local bit flip might seem counterintuitive, but it serves an important purpose:

• In MAC addresses: U/L bit = 0 means globally unique (manufacturer-assigned)
• In EUI-64: U/L bit = 1 means globally unique

The bit flip ensures that the vast majority of commercially produced network cards (which have globally unique MAC addresses with U/L=0) will result in EUI-64 addresses with U/L=1, properly indicating their global uniqueness.

Privacy Concerns and Implications

While technically elegant, EUI-64 introduces severe privacy vulnerabilities that have led to its decline in popularity.

The Tracking Problem

Because MAC addresses are permanent hardware identifiers, EUI-64-generated IPv6 addresses remain constant regardless of which network the device connects to. This creates a persistent fingerprint that enables:

• Device Tracking: Monitor a device's movement across networks (home, work, coffee shops, airports)
• Behavior Correlation: Link activities across different networks to a single device
• Identity Disclosure: Potentially connect an IPv6 address to a specific individual
• Manufacturer Identification: The OUI portion reveals the network card manufacturer

Real-World Privacy Scenario

Consider a laptop using EUI-64:

At Home:     2001:db8:aaaa:1111:3ba7:94ff:fe07:cbd0
At Work:     2607:f8b0:bbbb:2222:3ba7:94ff:fe07:cbd0
At Café:     2001:470:cccc:3333:3ba7:94ff:fe07:cbd0

Despite changing networks (different prefixes), the interface identifier 3ba7:94ff:fe07:cbd0 remains identical, allowing third parties to track the device's location and activities across all three networks.

Household Privacy Vulnerability

A critical flaw: a single device using EUI-64 can compromise the privacy of an entire household. Even if all other devices use privacy extensions, network observers can correlate traffic from one EUI-64 device to identify when other "anonymous" devices belong to the same household.

Privacy Extensions: The RFC 4941 Solution

To address these privacy concerns, RFC 4941 (later updated by RFC 8981) introduced IPv6 Privacy Extensions.

How Privacy Extensions Work

Instead of deriving the interface identifier from the MAC address, privacy extensions:

1. Generate Random Interface IDs: Create cryptographically random 64-bit identifiers
2. Rotate Regularly: Change addresses periodically (typically every few hours to days)
3. Use Multiple Addresses: Devices maintain both stable and temporary addresses simultaneously
4. Prefer Temporary for Outbound: Use temporary addresses for outgoing connections

Example of Privacy Extension Addresses

A device using privacy extensions might have:

Stable address:    2001:db8:1234:5678:a5b3:22c1:d8e9:4f12 (for incoming connections)
Temporary address: 2001:db8:1234:5678:e8d1:9a72:3bc4:5e6f (for outbound, changes hourly)

Operating System Adoption

Most modern operating systems now prefer privacy extensions:

• Windows: Enabled by default since Windows 7
• Linux: Most distributions enable privacy extensions by default
• Android: Uses privacy extensions
• iOS/macOS: Uses privacy extensions and additional randomization

When is EUI-64 Still Used?

Despite privacy concerns, EUI-64 remains in use for specific scenarios:

1. Link-Local Addresses

Link-local addresses (fe80::/10) frequently use EUI-64 because:

• They are not routable beyond the local network segment
• Privacy concerns are minimal for non-routable addresses
• Automatic generation simplifies network operations

Example link-local address:

fe80::3ba7:94ff:fe07:cbd0

2. Cisco Network Equipment

Cisco routers and switches use EUI-64 by default for:

• Link-local addresses
• Manual interface configuration when using the eui-64 keyword
• Legacy configurations

3. MacOS Devices

Apple macOS continues to generate EUI-64-based addresses for certain interfaces, though it also uses privacy extensions for outgoing connections.

4. IoT and Embedded Devices

Many Internet of Things (IoT) devices and embedded systems use EUI-64 because:

• Simpler implementation (no need for random number generation)
• Lower computational overhead
• Devices often remain stationary and privacy is less critical

5. Manual Configuration on Routers

Network administrators may explicitly configure EUI-64 on router interfaces for consistency and easier troubleshooting.

Modern Alternatives to EUI-64

RFC 7217: Stable Privacy Addresses

RFC 7217 provides a middle ground between EUI-64 and random privacy extensions:

• Generates stable addresses using a cryptographic hash
• Includes network prefix, interface identifier, and a secret key
• Remains constant within a network but changes between networks
• Prevents tracking while maintaining address stability

DHCPv6

Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides centralized address assignment:

• Administrator controls address assignment
• Easier to manage in enterprise environments
• Can implement privacy policies centrally

Random Static Addresses

Some systems generate truly random interface identifiers during installation that remain static throughout the device's lifetime, providing uniqueness without exposing hardware addresses.

Verifying Your IPv6 Address Type

To check whether your device is using EUI-64 or privacy extensions, visit test-ipv6.run and examine your detected IPv6 address.

How to Identify EUI-64 Addresses

Look for the telltale FFFE pattern in the middle of the interface identifier (the last 64 bits):

2001:0db8:1234:5678:3ba7:94ff:fe07:cbd0
                    └───────┬──────────┘
                      Contains FFFE = EUI-64

How to Check on Your Computer

Linux/macOS:

ifconfig | grep inet6
ip addr show | grep inet6

Windows:

ipconfig
netsh interface ipv6 show addresses

Look at your global IPv6 addresses:

• If they contain ff:fe in the interface ID → likely EUI-64
• If they appear random and change periodically → privacy extensions
• If they're stable but don't match your MAC → RFC 7217 or DHCPv6

Conclusion

EUI-64 represents an elegant solution to IPv6 address autoconfiguration that, unfortunately, conflicts with modern privacy expectations. While it successfully achieves automatic address generation and global uniqueness, the persistent exposure of hardware identifiers creates unacceptable tracking risks for end users.

The networking industry has largely moved away from EUI-64 for general-purpose devices, embracing privacy extensions and stable privacy addresses instead. However, EUI-64 remains relevant for infrastructure devices, link-local addresses, and legacy systems where privacy is less critical or the benefits of simplicity outweigh privacy concerns.

Understanding EUI-64 remains important for network administrators and security professionals, as it's still encountered in:

• Troubleshooting network connectivity issues
• Analyzing network traffic
• Configuring enterprise network equipment
• Understanding legacy IPv6 implementations

For personal devices, users should ensure their operating systems use privacy extensions by default. You can verify your current IPv6 configuration and test your connectivity at test-ipv6.run, which provides comprehensive IPv6 connectivity testing and helps identify potential privacy issues in your network configuration.

Further Reading

• RFC 4291: IPv6 Addressing Architecture
• RFC 4862: IPv6 Stateless Address Autoconfiguration (SLAAC)
• RFC 4941: Privacy Extensions for Stateless Address Autoconfiguration (obsoleted)
• RFC 8981: Temporary Address Extensions for Stateless Address Autoconfiguration (current)
• RFC 7217: A Method for Generating Semantically Opaque Interface Identifiers with IPv6 SLAAC