On Thu, Jun 9, 2011 at 12:46 AM, Mick <michaelkintzios@×××××.com> wrote:
>> BTW, Windows Vista and 7 generate randomized host IDs for public IPv6
>> addresses, it's generally advised to disable that. You can do that by
>> running this at administrator cmd prompt:
>> netsh interface ipv6 set global randomizeidentifiers=disabled
>
> I was looking at the same in the Linux kernel scratching my head if I should
> enable this or not ...
>
> What does it do - not sure I understand what such temporary addresses are used
> for:
> ============================================
> IPv6: Privacy Extensions (RFC 3041) support
>
> CONFIG_IPV6_PRIVACY:

Sorry, I described the problem poorly. More specifically I should have
said that it should be disabled because Windows does it /wrong/. :)

In IPv6, a link-local address is required (begins with fe80::) even when
an internet-routable address exists. It is derived from your network
prefix and your MAC address. Normally, the public IPv6 address also
contains your MAC address. Every IPv6 interface is going to have at
least 2 different addresses.

Imagine a world where IPv6 is everywhere. You take your laptop home,
to the cafe, to work, to a hotel on a business trip. Despite using
different networks in each place, your MAC address will tie them all
together. The governments and corporations are tracking this and now
know even more about you. At least, that's what people worry about.

In Linux, enabling the privacy extensions adds an additional,
temporary IPv6 address to the interface, with a randomized "MAC" part,
and it changes regularly (every hour or two? something like that). The
link-local address still contains the MAC-based IPv6 address, and the
standard routable IPv6 address is also available but not used by
default for outgoing connections. So, inside your network, things are
predictable and unchanging, which makes management of clients, routing
of traffic, firewall rules, etc. easier to deal with. To the outside
world, your IP address is constantly changing and can't be used to
track you as easily as it would be if the MAC portion of the address
were consistent.

In Windows, however, when that option is enabled, they wrongly
randomize ALL of the addresses, even the local, rather than just
creating a temp random public address. Which means every time that
machine reboots it's going to look like a new client on the local
network, and any local network setup you have pertaining to a certain
IP is going to be a pain to maintain. Depending on your usage, maybe
that doesn't matter, but in general, on Windows machines, it's
considered a buggy implementation and is undesired.

In Linux, it should be absolutely fine to use. In your
/etc/sysctl.conf you can add these lines to enable it on every
interface by default, assuming you enabled it in your kernel config:

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
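The reply above says the stable addresses "contain your MAC address" while the temporary one carries a randomized identifier. The following Python illustration (added here; it is not code from the email or from the kernel) shows the modified EUI-64 construction that embeds a MAC in the low 64 bits, the RFC 3041-style random identifier that replaces it in a temporary address, and a check a defender can run over an address inventory to find hosts whose addresses still expose a hardware address. The MAC 00:11:22:33:44:55 and the prefix 2001:db8:1::/64 are constructed sample values.

```python
"""Added illustration: MAC-embedding (EUI-64) IPv6 addresses versus RFC 3041
temporary addresses. All sample MACs and prefixes are constructed values."""
import ipaddress
import secrets
from typing import Optional

U_L_BIT = 0x02  # universal/local bit in the first interface-identifier byte


def eui64_interface_id(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier (RFC 4291, Appendix A)
    from a 48-bit MAC: insert ff:fe in the middle and flip the u/l bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ U_L_BIT]) + raw[1:3] + b"\xff\xfe" + raw[3:6]


def mac_based_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (fe80::/64 for link-local, or a routed prefix)
    with the EUI-64 identifier; this is how the stable addresses the email
    describes are formed."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers fill the low 64 bits; need a /64")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """RFC 3041-style temporary address: a random 64-bit identifier with the
    u/l bit cleared (locally administered, not derived from a global MAC).
    Regenerated if it happens to look like an EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= ~U_L_BIT & 0xFF
        if iid[3:5] != b"\xff\xfe":
            break
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC encoded in an EUI-64-style address, or None when the
    interface identifier does not follow that layout. Running this over an
    address inventory shows which hosts still expose a hardware address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ U_L_BIT]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                           # constructed sample MAC
    link_local = mac_based_address("fe80::/64", mac)    # stays MAC-based
    public = mac_based_address("2001:db8:1::/64", mac)  # stable routable address
    temp = temporary_address("2001:db8:1::/64")         # what use_tempaddr adds
    for a in (link_local, public, temp):
        print(f"{str(a):40} embedded MAC: {embedded_mac(str(a))}")
```

Running it prints the same MAC recovered from both the link-local and the stable public address, and `None` for the temporary one, which is the tracking property the reply is describing. The sysctl value 2 in the reply's configuration both enables temporary addresses and makes the kernel prefer them as the source for outgoing connections, matching the statement that the standard routable address is "not used by default for outgoing connections".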