mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-11-22 12:09:28 +01:00
_posts/IPv6: many fixes
parent
084269dcde
commit
d2a10634d6
@ -37,22 +37,23 @@ connecting from single address and it can also increase latencies).
|
||||
|
||||
## IPv6
|
||||
|
||||
IPv6 again is next version of the Internet Protocol and has enough
|
||||
IPv6, again, is next version of the Internet Protocol and has enough
|
||||
addresses for all your devices and you don't need NAT anymore so you don't
|
||||
have to do port forwards (which didn't help you behind CGN anyway) anymore.
|
||||
|
||||
People have weird worries with it and many misunderstandings on privacy
|
||||
concerns.
|
||||
|
||||
### SLAAC-addresses
|
||||
### EUI-64-addresses
|
||||
|
||||
SLAAC-addresses are based on your MAC-address and a lot of people seem to
|
||||
be worried about how they can be used for spying you across the network.
|
||||
EUI-64-addresses are based on your MAC-address and a lot of people seem to
|
||||
be worried about how they can be used for spying you as you go through
|
||||
different networks (phone, laptop).
|
||||
|
||||
This is unrequired concern though as IPv6 privacy extensions should exist
|
||||
with all IPv6 capable systems (again including Windows which seems to be
|
||||
what people worry about the most). The privacy extensions generate random
|
||||
IPv6 address which has no MAC-address and is changed over time.
|
||||
This is an unrequired concern though as IPv6 privacy extensions should
|
||||
exist with all IPv6 capable systems (again including Windows which seems
|
||||
to be what people worry about the most). The privacy extensions generate
|
||||
a random IPv6 address which has no MAC-address and is changed over time.
|
||||
|
||||
Antergos and Ubuntu MATE (and other Linux distributions?) seem to change
|
||||
it every 24 hours (controlled by `net.ipv6.conf.default.temp_prefered_lft`)
|
||||
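Review bot: The reworded intro and EUI-64 paragraphs still carry grammar slips that this "many fixes" pass could catch. "IPv6, again, is next version" is missing "the". "spying you as you go through different networks" should be "spying on you". "an unrequired concern" reads better as "an unnecessary concern". The paragraph also says privacy extensions "should exist" on all IPv6-capable systems, which is not the same as being enabled. Since the file later lists the `use_tempaddr` values 0, 1 and 2, a short pointer to that list would tell readers how to check.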
@ -61,7 +62,7 @@ the system.
|
||||
|
||||
On your IPv6-enabled system you should see three addresses:
|
||||
|
||||
* SLAAC-address where you see your MAC-address clearly, it just exists and
|
||||
* EUI-64-address where you see your MAC-address clearly, it just exists and
|
||||
isn't used in outgoing connections so no one knows it unless you decide
|
||||
to tell them.
|
||||
* Privacy (extensions) address which is random and used for all outgoing
|
||||
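Review bot: The renamed first bullet states that the EUI-64-address "just exists and isn't used in outgoing connections", which only holds when the temporary address is preferred. The `use_tempaddr` list further down this same file says that with value 1 the EUI-64-address is preferred. Qualify the bullet, for example "isn't used in outgoing connections while privacy extensions are preferred", so the two passages do not contradict each other.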
@ -75,19 +76,19 @@ On your IPv6-enabled system you should see three addresses:
|
||||
If you are still worried about the MAC-address being visible, you can
|
||||
easily confirm that no one sees it by going to
|
||||
[ipv6-test.com](http://ipv6-test.com), looking at "IPv6 connectivity" and
|
||||
check the teset that says "SLAAC". If it says "No" your SLAAC-address
|
||||
check the test that says "SLAAC". If it says "No" your EUI-64-address
|
||||
is not used, if it says "Yes" they are used and it should never say "Yes".
|
||||
It probably tells you something that the test decreases points of your
|
||||
IPv6 connectivity if you do use SLAAC address.
|
||||
You will probably understand that it's not supposed to say "Yes" as getting
|
||||
"Yes" in that test decreases your score.
|
||||
|
||||
#### Windows IPv6 address randomization
|
||||
|
||||
Windows which you shouldn't worry about makes you worry even less by being
|
||||
annoying and randomizing all addresses (even if there is no need because
|
||||
you have IPv6 privacy extensions) and this probably causes you headache
|
||||
you have IPv6 privacy extensions) and this probably causes you a headache
|
||||
if you are running Windows Server or dual-booting with some other OS.
|
||||
|
||||
When you dual-boot, you might wonder why even the SLAAC-address is
|
||||
When you dual-boot, you might wonder why even the EUI-64-address is
|
||||
different on Windows and Linux/OS X/whatever.
|
||||
|
||||
This is easy to fix though, open cmd.exe or PowerShell as admin and run:
|
||||
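Review bot: The replacement sentence for the ipv6-test.com check now mixes terms and number. The test label is still "SLAAC" while the text says "your EUI-64-address is not used", followed by "if it says "Yes" they are used". State once that the site's "SLAAC" row refers to the MAC-derived (EUI-64) address, and keep the singular throughout: "If it says "No", your EUI-64-address is not used; if it says "Yes", it is used". In the Windows paragraph, "Windows which you shouldn't worry about makes you worry even less" is hard to parse and would benefit from being split into two sentences.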
@ -99,8 +100,8 @@ netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
|
||||
|
||||
##### Disabling privacy extensions
|
||||
|
||||
**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS SERVER AND SHOULDN'T EVER
|
||||
MOVE ANYWHERE. BY DOING THIS THE SLAAC-ADDRESS GETS USED AND EVERYONE DOES
|
||||
**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS A SERVER AND WON'T EVER BE
|
||||
MOVE ANYWHERE. BY DOING THIS THE EUI-64-ADDRESS GETS USED AND EVERYONE DOES
|
||||
SEE YOUR MAC-ADDRESS.**
|
||||
|
||||
As I am talking so much about privacy extensions, I must probably tell
|
||||
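Review bot: The rewritten warning introduces a new grammar error: "WON'T EVER BE MOVE ANYWHERE" should be "WON'T EVER BE MOVED ANYWHERE" (or keep the verb active, "WON'T EVER MOVE ANYWHERE"). "EVERYONE DOES SEE YOUR MAC-ADDRESS" would also read more naturally as "EVERYONE SEES YOUR MAC-ADDRESS". Because this is the one warning in the section that readers must not misread, it is worth getting exactly right.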
@ -115,15 +116,15 @@ netsh interface ipv6 set privacy state=disabled store=active
|
||||
netsh interface ipv6 set privacy state=disabled store=persistent
|
||||
```
|
||||
|
||||
Linux: check NetworkManager or whatever you use config files
|
||||
(or connection editor) or use the
|
||||
kernel option directly in `/etc/sysctl.conf` or preferably
|
||||
`/etc/sysctl.d/<whatever>.conf`: `net.ipv6.conf.default.use_tempaddr=0`.
|
||||
Linux: check NetworkManager connection editor (or config files of whatever
|
||||
you use) or use the kernel option directly in `/etc/sysctl.conf` or
|
||||
preferably `/etc/sysctl.d/<whatever>.conf`:
|
||||
`net.ipv6.conf.default.use_tempaddr=0`.
|
||||
|
||||
The numbers you can use here are:
|
||||
|
||||
* 0 — IPv6 Privacy Extensions are disabled.
|
||||
* 1 — IPv6 Privacy Extensions are enabled, but **SLAAC-address is
|
||||
* 1 — IPv6 Privacy Extensions are enabled, but **EUI-64-address is
|
||||
preferred.**
|
||||
* 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually
|
||||
the default and what you should use.
|
||||
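Review bot: The reflowed Linux paragraph now puts `net.ipv6.conf.default.use_tempaddr=0` on its own line without saying there that 0 is the disabling value, while the list just below recommends 2. A reader who copies the highlighted line gets privacy extensions turned off. Either label it in place ("to disable: ...") or show the recommended `=2` form alongside it. "config files of whatever you use" is also vague; "the configuration files of your network manager" says the same thing more clearly.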
@ -145,10 +146,13 @@ Finnish)…
|
||||
…but I can suggest searching the web for `yourISP IPv6` and contacting
|
||||
their customer support asking when they are going to enable IPv6.
|
||||
|
||||
For tunneling there are multiple services, but I am only going to mention
|
||||
Teredo shortly, it's the protocol of last resolt for accessing IPv6 sites
|
||||
and Windows comes with it by default. The easiest way to enable it is
|
||||
probably saving the following as `something.reg` and running it:
|
||||
For tunneling there are multiple services for tunneling and the best are
|
||||
[SixXS] and [Tunnelbroker], but I am going to talk more about Teredo which
|
||||
the protocol of last resort for accessing IPv6 sites and Windows comeswith it by default. The easiest way to enable it is probably saving the
|
||||
following as `something.reg` and running it:
|
||||
|
||||
[SixXS]:https://www.sixxs.net/
|
||||
[Tunnelbroker]:https://tunnelbroker.net/
|
||||
|
||||
```
|
||||
Windows Registry Editor Version 5.00
|
||||
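Review bot: The new tunneling paragraph has three defects in its added lines. "For tunneling there are multiple services for tunneling" repeats itself. "Teredo which the protocol of last resort" is missing "is". "Windows comeswith it by default" has lost a space, and that line was not re-wrapped like the rest of the paragraph. Suggested wording: "There are multiple tunneling services, the best being [SixXS] and [Tunnelbroker], but I am going to talk more about Teredo, which is the protocol of last resort". Since the paragraph tells readers to save and run a `.reg` file, it would also help to say before the block that the keys are explained right after it.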
@ -167,7 +171,7 @@ Short explanation:
|
||||
* Enable Teredo…
|
||||
* …even if we are in domain
|
||||
* use teredo.trex.fi as Teredo server, you might want to use some server
|
||||
that is more [near to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers).
|
||||
that is [closer to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers).
|
||||
|
||||
Linux: install package `miredo` and edit the server in `/etc/miredo.conf`
|
||||
if needed.
|
||||
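Review bot: The "closer to you" fix is fine, but the bullet it sits in still starts with lowercase "use" while its siblings start with a capital ("Enable Teredo…"), and it joins two sentences with a comma. Consider "Use teredo.trex.fi as the Teredo server. You might want to pick a server that is closer to you." The preceding bullet "…even if we are in domain" is missing an article ("in a domain"), which could be fixed in the same pass.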
@ -182,5 +186,5 @@ least I think Google Chrome did so.
|
||||
* [Wikipedia's page on Teredo](https://en.wikipedia.org/wiki/Teredo_tunneling)
|
||||
* [Microsoft Technet: A 5 Second Boot Optimization If You’ve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFFFFFFFF](http://blogs.technet.com/b/askpfeplat/archive/2014/09/15/a-5-second-boot-optimization-if-you-ve-disabled-ipv6-on-windows-client-and-server-by-setting-disabledcomponents-to-0xffffffff.aspx)
|
||||
* TL;DR: depending on how you disabled IPv6 your boot might be 5
|
||||
seconds lower and Microsoft discourages disabling it and they don't
|
||||
seconds less and Microsoft discourages disabling it and they don't
|
||||
test working without IPv6. Disabling IPv6 breaks e.g. HomeGroup.
|
||||
|
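Review bot: In the TL;DR bullet, changing "5 seconds lower" to "5 seconds less" still leaves it unclear whether boot gets faster or slower, and for which way of disabling IPv6. The linked title names the case explicitly (IPv6 disabled by setting DisabledComponents to 0xFFFFFFFF), so the summary should state the direction of the change and mention that value rather than "depending on how you disabled IPv6". The sentence also runs three claims together with "and"; splitting it after the boot-time claim would make the Microsoft recommendation stand out.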