24 May 2013, 10:38


IPv6 and Privacy Concerns



IPv6, with all its valuable features such as a large public address space, the end of network broadcasts, and the end of the NAT problems that break IPsec, SIP and the like, brought a new concern: privacy.


As each computer is no longer hidden behind a NATed public IP, it appears naked on the network, using its own public IP.


The IPv6 address may be automatically generated (stateless autoconfiguration, SLAAC) using the network prefix in combination with an EUI-64 interface identifier derived from the IEEE MAC address of the physical network interface. So the outside world sees exactly WHICH COMPUTER on the 'no more private' network made the connection.


Moreover, as the EUI-64 identifier is derived from the MAC address, which is globally unique, a mobile user can be tracked while going from network to network, from home to workplace, from one public Wi-Fi hotspot to the next: the prefix changes at every site, but the last 64 bits of the address stay the same.



Privacy Extensions



To address these concerns, Microsoft implemented two mechanisms, which are often confused with one another. Only the first one is the RFC 4941 privacy extension; the second is a Windows feature of its own.



Temporary IPv6 Address



First, beside the regular 2001: global unicast address, another one is created, shown as "Temporary IPv6 Address" in the ipconfig output. This is the mechanism defined by RFC 4941: its interface identifier is random, and it is used as the source address for outgoing connections.


The point is to keep a fixed, static IPv6 address reachable from the outside for server or personal use, while the temporary IPv6 address is random, ever-changing, and used for outgoing connections. Note that temporary addresses are only generated for prefixes learned through autoconfiguration; a manually configured or DHCPv6-assigned address gets no temporary companion.


This temporary address is randomly regenerated at each reboot, each IPv6 stack off/on cycle, or whenever its configured lifetime expires (RFC 4941 defaults are a preferred lifetime of one day and a valid lifetime of one week; netsh shows them as maxpreferredlifetime and maxvalidlifetime).


To see the state of IPv6 temporary addressing: netsh int ipv6 show privacy


To toggle the state of IPv6 temporary addressing: netsh int ipv6 set privacy state=enabled          ( or state=disabled )



Randomized Interface Identifiers



The two other addresses (the regular 2001: global unicast address and the FE80: link-local address) use EUI-64 generation by default. They simply take the MAC address, slice it in the middle, insert ff:fe in the middle, flip the 7th bit of the first byte (the universal/local bit, counted from the most significant bit), and prepend the network prefix.


Example for the MAC address 11-22-33-44-55-66:

Slice :                     11-22-33      44-55-66

Insert :                    11-22-33-ff-fe-44-55-66

Flip :                        13-22-33-ff-fe-44-55-66          ( 0x11 = 0001 0001 becomes 0x13 = 0001 0011 )

Add prefix :             [ Network Prefix ]:1322:33ff:fe44:5566



You can see how easy it is to track a computer, and to recover its MAC address (and, from the vendor part of the MAC, its hardware maker) straight from the address: the ff:fe in the middle of the host part gives an EUI-64 address away.
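The derivation above, its reverse, and the cross-network tracking problem described at the start of the post, as an added example in Python (not code from the original post). It goes a little beyond the text: besides building the EUI-64 address from a MAC it recognises EUI-64-derived addresses by their ff:fe marker, recovers the MAC from them, and groups addresses observed under different prefixes by their interface identifier. All MAC addresses and prefixes in it are constructed sample values under the 2001:db8::/32 documentation prefix.

```python
"""EUI-64 interface identifiers: derive them, recognise them, reverse them.

Added example for this post, not code from the original article.
All MAC addresses and prefixes below are constructed sample values
(2001:db8::/32 is the IPv6 documentation prefix).
"""
import ipaddress
import re
from typing import Dict, List, Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC.

    Same steps as the post: split the MAC in the middle, insert ff:fe,
    flip the universal/local bit of the first octet.
    """
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    # "Flip the 7th bit": counted from the most significant bit, that is
    # the 0x02 bit of the first octet, so 0x11 becomes 0x13 as in the post.
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix (/64) + EUI-64 identifier = the autoconfigured address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def interface_id(addr: str) -> bytes:
    """The low 64 bits of an IPv6 address, as 8 bytes."""
    return int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]


def looks_eui64(addr: str) -> bool:
    """EUI-64-derived identifiers carry ff:fe in their 4th and 5th octets.

    A random identifier (temporary address, or Windows randomized
    identifiers) shows that pattern only by chance, 1 in 65536.
    """
    return interface_id(addr)[3:5] == b"\xff\xfe"


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC address from an EUI-64-derived address.

    Returns None when the identifier does not look EUI-64-derived.
    """
    if not looks_eui64(addr):
        return None
    iid = interface_id(addr)
    # Undo the U/L bit flip on the first octet and drop the ff:fe filler.
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02x}" for b in octets)


def correlate_by_iid(addresses: List[str]) -> Dict[str, List[str]]:
    """Group addresses seen under different prefixes by interface identifier.

    A stable identifier shows up under every prefix the host visits, so
    one group spanning several /64s is one interface tracked across networks.
    """
    groups: Dict[str, List[str]] = {}
    for a in addresses:
        groups.setdefault(interface_id(a).hex(), []).append(a)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed observations: one laptop (MAC 11-22-33-44-55-66) seen at home,
# at work and at a cafe with EUI-64 addresses, plus one temporary (random)
# address and one unrelated EUI-64 host (MAC aa-bb-cc-dd-ee-ff).
SAMPLE_OBSERVATIONS = [
    str(slaac_address("2001:db8:aaaa:1::/64", "11-22-33-44-55-66")),  # home
    str(slaac_address("2001:db8:bbbb:2::/64", "11-22-33-44-55-66")),  # work
    str(slaac_address("2001:db8:cccc:3::/64", "11-22-33-44-55-66")),  # cafe
    "2001:db8:aaaa:1:2c7e:91a0:5b3d:8e42",   # temporary address, random IID
    "2001:db8:bbbb:2:a8bb:ccff:fedd:eeff",   # another EUI-64 host
]

if __name__ == "__main__":
    print(slaac_address("2001:db8:1:2::/64", "11-22-33-44-55-66"))
    for a in SAMPLE_OBSERVATIONS:
        mac = eui64_to_mac(a)
        print(a, "->", mac if mac else "random identifier")
    for iid, seen in correlate_by_iid(SAMPLE_OBSERVATIONS).items():
        print("identifier", iid, "seen on", len(seen), "networks:", seen)
```

The same grouping run over the addresses in a web server log or a Wi-Fi controller export shows which visitors carry an EUI-64 identifier and can therefore be followed from site to site; the temporary address in the sample joins no group, which is exactly what the privacy extension is for.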


To address this concern, Windows can replace the EUI-64 MAC-derived host part of these addresses with a randomly generated one: this is the "randomized identifiers" setting. It is a Windows-specific feature and not RFC 4941 itself; RFC 4941 defines the temporary addresses of the previous section, and recommends not enabling those by default, but Microsoft enables both temporary addresses and randomized identifiers by default on Windows client OSes.


To see the randomized identifiers state: netsh int ipv6 show global


and check the 'Randomize Identifiers' line in the output.


To set the randomized identifiers state: netsh int ipv6 set global randomizeidentifiers=enabled          ( or randomizeidentifiers=disabled )



How often the randomized value changes is not clear, nor how to force a new randomization.

Notice that if this value does change, it may disrupt server functions and reachability from the outside, thus forcing you to disable randomized identifiers on such machines (the address then falls back to the EUI-64 form). A manually configured static address is affected by neither setting, which is the usual answer for a server.




You can now experiment and play around with these settings.

Published by computer friendly, in IPv6



Computer Outlines Blog: a blog mainly focused on IPv6, Windows Server, and networking in general.