IPv6 and Privacy Concerns
IPv6, with all its valuable features (a large public address space, the end of network broadcasts, the end of the NAT problems that break IPsec, SIP, and the like), brought a new concern: privacy.
Since each computer is no longer hidden behind a NATed public IP, it appears naked on the network, using its own public IP.
The IPv6 address may be automatically generated by combining the network prefix with the EUI-64 IEEE interface identifier, which is derived from the MAC address of the physical network interface. So the outside world sees exactly WHICH COMPUTER on the "no more private" network made the connection.
Moreover, because the EUI-64 identifier is built from the MAC address, which is globally unique, a mobile user can be tracked from network to network: from home to workplace, from one public Wi-Fi hotspot to the next.
To address these concerns, Microsoft implemented two mechanisms, which the public often confuses.
Temporary IPv6 Address
First, beside the regular 2001: Global Unicast Address, another one is created, labelled "Temporary IPv6 Address" in the ipconfig output. This address is random and is used for outgoing connections.
The point is to have a fixed, static IPv6 address reachable from the outside for server or personal use, while the Temporary IPv6 Address is random, ever-changing, and used for outgoing connections.
This temporary address is randomly regenerated at each reboot, each IPv6 stack off/on cycle, or whenever its configured lifetime expires.
To see the state of IPv6 Temporary Addressing: netsh int ipv6 show privacy
To toggle the state of IPv6 Temporary Addressing: netsh int ipv6 set privacy state=enabled (or state=disabled)
The two other addresses (the regular 2001: Global Unicast Address and the FE80: Link-local address) use EUI-64 generation from the MAC address: take the MAC address, slice it in the middle, insert ff:fe there, flip the 7th bit (the universal/local bit) of the first octet of the result, and add the network prefix.
Example for the MAC address 11-22-33-44-55-66:
Slice: 11-22-33 44-55-66
Insert: 11-22-33-ff-fe-44-55-66
Flip: 13-22-33-ff-fe-44-55-66
Add prefix: [ Network Prefix ]:1322:33ff:fe44:5566
You can see how easy it is to track a computer, and to recover its MAC address from its IPv6 address.
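The derivation above, and its reverse, as an added example (not code from the original article). It builds the modified EUI-64 address from a MAC and a /64 prefix, and then audits a constructed list of addresses, such as one might copy from ipconfig, to flag those whose interface identifier still embeds a MAC. The 2001:db8::/32 prefix and the address list are constructed sample values, not taken from the page.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample values: a documentation prefix and the article's example MAC.
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_MAC = "11-22-33-44-55-66"

# Constructed sample of what a host's ipconfig might list: an EUI-64 global
# address, an EUI-64 link-local address, and a randomized temporary address.
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:1322:33ff:fe44:5566",
    "fe80::1322:33ff:fe44:5566",
    "2001:db8:1:2:8d3a:61c7:9b0e:2f15",
]


def mac_to_modified_eui64(mac: str) -> bytes:
    """Turn a 48-bit MAC into the 64-bit modified EUI-64 interface identifier.

    Slice the MAC in the middle, insert ff:fe, then flip the universal/local
    bit (bit 7 of the first octet, value 0x02), exactly as the article shows.
    """
    octets = bytes.fromhex(re.sub(r"[-:.]", "", mac))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 IID, as a non-privacy SLAAC host does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC an address exposes if its IID looks EUI-64 derived, else None.

    The ff:fe marker in the middle of the IID is the tell-tale; a randomized IID
    matches it only by chance (about 1 in 65536), so treat a hit as a strong hint.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit flip
    return "-".join(f"{b:02x}" for b in mac)


def find_mac_leaks(addresses: List[str]) -> Dict[str, str]:
    """Map each EUI-64-derived address to the MAC it reveals; randomized ones are skipped."""
    return {a: m for a in addresses if (m := embedded_mac(a)) is not None}


if __name__ == "__main__":
    print("SLAAC address:", slaac_address(SAMPLE_PREFIX, SAMPLE_MAC))
    for addr, mac in find_mac_leaks(SAMPLE_ADDRESSES).items():
        print(f"{addr} exposes MAC {mac}")
```

Running the audit over the real ipconfig output of a host is a quick way to confirm that the privacy settings described below are actually in effect: with randomized identifiers enabled, neither the global nor the link-local address should come back from find_mac_leaks.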
To address this concern there is RFC 4941, which replaces the EUI-64 MAC-derived host address with a randomly derived one. RFC 4941 recommends not turning this on by default, but Microsoft does so on Windows client OSes.
To see the RFC 4941 state: netsh int ipv6 show global
and check the 'randomizeidentifiers' value.
To set the RFC 4941 state: netsh int ipv6 set global randomizeidentifiers=enabled (or disabled)
How often the randomized value changes is not clear, nor is how to trigger a new randomization.
Note that if this value does change, it may disrupt server functions and reachability from outside, forcing you to disable RFC 4941.
You can now experiment and play around with these settings.