| 1 |
On Thursday 09 Jun 2011 16:51:29 Paul Hartman wrote: |
| 2 |
> On Thu, Jun 9, 2011 at 12:46 AM, Mick <michaelkintzios@×××××.com> wrote: |
| 3 |
> >> BTW, Windows Vista and 7 generate randomized host IDs for public IPv6 |
| 4 |
> >> addresses, it's generally advised to disable that. You can do that by |
| 5 |
> >> running this at administrator cmd prompt: |
| 6 |
> >> netsh interface ipv6 set global randomizeidentifiers=disabled |
| 7 |
> > |
| 8 |
> > I was looking at the same in the Linux kernel scratching my head if I |
| 9 |
> > should enable this or not ... |
| 10 |
> > |
| 11 |
> > What does it do - not sure I understand what such temporary addresses are |
| 12 |
> > used for: |
| 13 |
> > ============================================ |
| 14 |
> > IPv6: Privacy Extensions (RFC 3041) support |
| 15 |
> |
| 16 |
> > CONFIG_IPV6_PRIVACY: |
| 17 |
> Sorry, I described the problem poorly. More specifically I should have |
| 18 |
> said that it should be disabled because Windows does it /wrong/. :) |
| 19 |
> |
| 20 |
> In IPv6, link-local address is required (begins with fe80::) even when |
| 21 |
> an internet-routable address exists. It is derived from your network |
| 22 |
> prefix and your MAC address. Normally, the public IPv6 address also |
| 23 |
> contains your MAC address. Every IPv6 interface is going to have at |
| 24 |
> least 2 different addresses. |
| 25 |
> |
| 26 |
> Imagine a world where IPv6 is everywhere. You take your laptop home, |
| 27 |
> to the cafe, to work, to a hotel on a business trip. Despite using |
| 28 |
> different networks in each place, your MAC address will tie them all |
| 29 |
> together. The governments and corporations are tracking this and now |
| 30 |
> know even more about you. At least, that's what people worry about. |
| 31 |
> |
| 32 |
> In Linux, enabling the privacy extensions adds an additional, |
| 33 |
> temporary IPv6 address to the interface, with a randomized "MAC" part, |
| 34 |
> and it changes regularly (every hour or two? something like that). The |
| 35 |
> link-local address still contains the MAC-based IPv6 address, and the |
| 36 |
> standard routable IPv6 address is also available but not used by |
| 37 |
> default for outgoing connections. So, inside your network, things are |
| 38 |
> predictable and unchanging, which makes management of clients, routing |
| 39 |
> of traffic, firewall rules, etc. easier to deal with. To the outside |
| 40 |
> world, your IP address is constantly changing and can't be used to |
| 41 |
> track you as easily as it would be if the MAC portion of the address |
| 42 |
> were consistent. |
| 43 |
> |
| 44 |
> In Windows, however, when that option is enabled, they wrongly |
| 45 |
> randomize ALL of the addresses, even the local, rather than just |
| 46 |
> creating a temp random public address. Which means every time that |
| 47 |
> machine reboots it's going to look like a new client on the local |
| 48 |
> network, and any local network setup you have pertaining to a certain |
| 49 |
> IP are going to be a pain to maintain. Depending on your usage, maybe |
| 50 |
> that doesn't matter, but in general, on Windows machines, it's |
| 51 |
> considered a buggy implementation and is undesired. |
| 52 |
> |
| 53 |
> In Linux, it should be absolutely fine to use. In your |
| 54 |
> /etc/sysctl.conf you can add these lines to enable it on every |
| 55 |
> interface by default, assuming you enabled in your kernel config: |
| 56 |
> |
| 57 |
> net.ipv6.conf.all.use_tempaddr = 2 |
| 58 |
> net.ipv6.conf.default.use_tempaddr = 2 |
| 59 |
|
| 60 |
Excellent explanation! Thank you. :-) |
| 61 |
|
| 62 |
Now was it that difficult to add a couple of meaningful lines in the kernel |
| 63 |
documentation, so that any other than the kernel hacker who wrote that module |
| 64 |
would learn that its there to anonymise your ipv6 address for privacy |
| 65 |
purposes? |
| 66 |
|
| 67 |
I take it that loading this module would cut both ways. If I were to allow |
| 68 |
connections to my server only for *my* IP address, then that would be quite |
| 69 |
difficult to achieve if my IP address changed every few minutes. |
| 70 |
-- |
| 71 |
Regards, |
| 72 |
Mick |
Archives