On Thursday 09 Jun 2011 16:51:29 Paul Hartman wrote:
> On Thu, Jun 9, 2011 at 12:46 AM, Mick <michaelkintzios@×××××.com> wrote:
> >> BTW, Windows Vista and 7 generate randomized host IDs for public IPv6
> >> addresses, it's generally advised to disable that. You can do that by
> >> running this at administrator cmd prompt:
> >> netsh interface ipv6 set global randomizeidentifiers=disabled
> >
> > I was looking at the same in the Linux kernel scratching my head if I
> > should enable this or not ...
> >
> > What does it do - not sure I understand what such temporary addresses are
> > used for:
> > ============================================
> > IPv6: Privacy Extensions (RFC 3041) support
>
> > CONFIG_IPV6_PRIVACY:
> Sorry, I described the problem poorly. More specifically I should have
> said that it should be disabled because Windows does it /wrong/. :)
>
> In IPv6, link-local address is required (begins with fe80::) even when
> an internet-routable address exists. It is derived from your network
> prefix and your MAC address. Normally, the public IPv6 address also
> contains your MAC address. Every IPv6 interface is going to have at
> least 2 different addresses.
>
> Imagine a world where IPv6 is everywhere. You take your laptop home,
> to the cafe, to work, to a hotel on a business trip. Despite using
> different networks in each place, your MAC address will tie them all
> together. The governments and corporations are tracking this and now
> know even more about you. At least, that's what people worry about.
>
> In Linux, enabling the privacy extensions adds an additional,
> temporary IPv6 address to the interface, with a randomized "MAC" part,
> and it changes regularly (every hour or two? something like that). The
> link-local address still contains the MAC-based IPv6 address, and the
> standard routable IPv6 address is also available but not used by
> default for outgoing connections. So, inside your network, things are
> predictable and unchanging, which makes management of clients, routing
> of traffic, firewall rules, etc. easier to deal with. To the outside
> world, your IP address is constantly changing and can't be used to
> track you as easily as it would be if the MAC portion of the address
> were consistent.
>
> In Windows, however, when that option is enabled, they wrongly
> randomize ALL of the addresses, even the local, rather than just
> creating a temp random public address. Which means every time that
> machine reboots it's going to look like a new client on the local
> network, and any local network setup you have pertaining to a certain
> IP is going to be a pain to maintain. Depending on your usage, maybe
> that doesn't matter, but in general, on Windows machines, it's
> considered a buggy implementation and is undesired.
>
> In Linux, it should be absolutely fine to use. In your
> /etc/sysctl.conf you can add these lines to enable it on every
> interface by default, assuming you enabled it in your kernel config:
>
> net.ipv6.conf.all.use_tempaddr = 2
> net.ipv6.conf.default.use_tempaddr = 2

Excellent explanation! Thank you. :-)

Now was it that difficult to add a couple of meaningful lines in the kernel
documentation, so that anyone other than the kernel hacker who wrote that module
would learn that it's there to anonymise your IPv6 address for privacy
purposes?

I take it that loading this module would cut both ways. If I were to allow
connections to my server only for *my* IP address, then that would be quite
difficult to achieve if my IP address changed every few minutes.
--
Regards,
Mick
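The derivation Paul describes in the quoted reply (the link-local and the public SLAAC address both carrying the MAC, so that one laptop is linkable across home, cafe and hotel networks, while a temporary address drops that part) as an added Python example. This is not code from the thread or from the kernel; the MAC address, the prefixes and the "temporary" address are constructed sample values, and the interface identifier is built with the modified EUI-64 rule (insert ff:fe, flip the universal/local bit) that SLAAC uses without privacy extensions.

```python
"""Show why a MAC-derived IPv6 interface identifier is linkable across
networks, and how to check an address for an embedded MAC.

Added example; addresses and MAC below are constructed, not real hosts.
"""
import ipaddress

IID_MASK = (1 << 64) - 1


def modified_eui64(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # ff:fe is inserted between the OUI and the device part, then the
    # universal/local bit (bit 1 of the first octet) is inverted.
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    iid = bytes([iid[0] ^ 0x02]) + iid[1:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier, as SLAAC does
    when privacy extensions are off (use_tempaddr = 0)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))


def embedded_mac(addr: str):
    """If the interface identifier carries the ff:fe marker, recover the
    MAC it was built from; otherwise return None (e.g. a temporary address)."""
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def linkable(addr_a: str, addr_b: str) -> bool:
    """True when two addresses on different networks expose the same MAC,
    which is the cross-network tracking the privacy extensions prevent."""
    mac_a, mac_b = embedded_mac(addr_a), embedded_mac(addr_b)
    return mac_a is not None and mac_a == mac_b


if __name__ == "__main__":
    mac = "00:1c:42:00:aa:bb"                      # constructed sample MAC
    home = slaac_address("2001:db8:1:2::/64", mac)  # constructed home prefix
    cafe = slaac_address("2001:db8:9:9::/64", mac)  # constructed cafe prefix
    link_local = slaac_address("fe80::/64", mac)
    # Constructed stand-in for a randomized temporary address (use_tempaddr = 2).
    temp = "2001:db8:1:2:8d3a:1f0c:9b4e:27d1"
    for label, a in (("link-local", link_local), ("home", home),
                     ("cafe", cafe), ("temporary", temp)):
        print(f"{label:10} {a}  embedded MAC: {embedded_mac(str(a))}")
    print("home/cafe linkable by MAC:", linkable(str(home), str(cafe)))
    print("home/temporary linkable by MAC:", linkable(str(home), temp))
```

Running the script lists the same `21c:42ff:fe00:aabb` identifier under every prefix, which is exactly the linkage Paul describes; only the temporary address returns no MAC. On Linux, `use_tempaddr` takes 0 (no temporary addresses), 1 (create them but keep preferring the stable address) or 2 (create them and prefer them for outgoing connections), which is why the thread recommends 2; the stable, MAC-derived address remains configured alongside, so firewall rules inside the network can still key on it, while a remote allow-list keyed on the temporary address would break as Mick expects.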