diff --git a/_posts/2015-06-22-ipv6.md b/_posts/2015-06-22-ipv6.md index 013c2af..ba9f007 100644 --- a/_posts/2015-06-22-ipv6.md +++ b/_posts/2015-06-22-ipv6.md @@ -37,22 +37,23 @@ connecting from single address and it can also increase latencies). ## IPv6 -IPv6 again is next version of the Internet Protocol and has enough +IPv6, again, is next version of the Internet Protocol and has enough addresses for all your devices and you don't need NAT anymore so you don't have to do port forwards (which didn't help you behind CGN anyway) anymore. People have weird worries with it and many misunderstandings on privacy concerns. -### SLAAC-addresses +### EUI-64-addresses -SLAAC-addresses are based on your MAC-address and a lot of people seem to -be worried about how they can be used for spying you across the network. +EUI-64-addresses are based on your MAC-address and a lot of people seem to +be worried about how they can be used for spying you as you go through +different networks (phone, laptop). -This is unrequired concern though as IPv6 privacy extensions should exist -with all IPv6 capable systems (again including Windows which seems to be -what people worry about the most). The privacy extensions generate random -IPv6 address which has no MAC-address and is changed over time. +This is an unrequired concern though as IPv6 privacy extensions should +exist with all IPv6 capable systems (again including Windows which seems +to be what people worry about the most). The privacy extensions generate +a random IPv6 address which has no MAC-address and is changed over time. Antergos and Ubuntu MATE (and other Linux distributions?) seem to change it every 24 hours (controlled by `net.ipv6.conf.default.temp_prefered_lft`) @@ -61,7 +62,7 @@ the system. On your IPv6-enabled system you should see three addresses: -* SLAAC-address where you see your MAC-address clearly, it just exists and +* EUI-64-address where you see your MAC-address clearly, it just exists and isn't used in outgoing connections so no one knows it unless you decide to tell them. * Privacy (extensions) address which is random and used for all outgoing @@ -75,19 +76,19 @@ On your IPv6-enabled system you should see three addresses: If you are still worried about the MAC-address being visible, you can easily confirm that no one sees it by going to [ipv6-test.com](http://ipv6-test.com), looking at "IPv6 connectivity" and -check the teset that says "SLAAC". If it says "No" your SLAAC-address +check the test that says "SLAAC". If it says "No" your EUI-64-address is not used, if it says "Yes" they are used and it should never say "Yes". -It probably tells you something that the test decreases points of your -IPv6 connectivity if you do use SLAAC address. +You will probably understand that it's not supposed to say "Yes" as getting +"Yes" in that test decreases your score. #### Windows IPv6 address randomization Windows which you shouldn't worry about makes you worry even less by being annoying and randomizing all addresses (even if there is no need because -you have IPv6 privacy extensions) and this probably causes you headache +you have IPv6 privacy extensions) and this probably causes you a headache if you are running Windows Server or dual-booting with some other OS. -When you dual-boot, you might wonder why even the SLAAC-address is +When you dual-boot, you might wonder why even the EUI-64-address is different on Windows and Linux/OS X/whatever. This is easy to fix though, open cmd.exe or PowerShell as admin and run: @@ -99,8 +100,8 @@ netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent ##### Disabling privacy extensions -**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS SERVER AND SHOULDN'T EVER -MOVE ANYWHERE. BY DOING THIS THE SLAAC-ADDRESS GETS USED AND EVERYONE DOES +**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS A SERVER AND WON'T EVER BE +MOVE ANYWHERE. BY DOING THIS THE EUI-64-ADDRESS GETS USED AND EVERYONE DOES SEE YOUR MAC-ADDRESS.** As I am talking so much about privacy extensions, I must probably tell @@ -115,15 +116,15 @@ netsh interface ipv6 set privacy state=disabled store=active netsh interface ipv6 set privacy state=disabled store=persistent ``` -Linux: check NetworkManager or whatever you use config files -(or connection editor) or use the -kernel option directly in `/etc/sysctl.conf` or preferably -`/etc/sysctl.d/.conf`: `net.ipv6.conf.default.use_tempaddr=0`. +Linux: check NetworkManager connection editor (or config files of whatever +you use) or use the kernel option directly in `/etc/sysctl.conf` or +preferably `/etc/sysctl.d/.conf`: +`net.ipv6.conf.default.use_tempaddr=0`. The numbers you can use here are: * 0 — IPv6 Privacy Extensions are disabled. -* 1 — IPv6 Privacy Extensions are enabled, but **SLAAC-address is +* 1 — IPv6 Privacy Extensions are enabled, but **EUI-64-address is preferred.** * 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually the default and what you should use. @@ -145,10 +146,13 @@ Finnish)… …but I can suggest searching the web for `yourISP IPv6` and contacting their customer support asking when they are going to enable IPv6. -For tunneling there are multiple services, but I am only going to mention -Teredo shortly, it's the protocol of last resolt for accessing IPv6 sites -and Windows comes with it by default. The easiest way to enable it is -probably saving the following as `something.reg` and running it: +For tunneling there are multiple services for tunneling and the best are +[SixXS] and [Tunnelbroker], but I am going to talk more about Teredo which +the protocol of last resort for accessing IPv6 sites and Windows comeswith it by default. The easiest way to enable it is probably saving the +following as `something.reg` and running it: + +[SixXS]:https://www.sixxs.net/ +[Tunnelbroker]:https://tunnelbroker.net/ ``` Windows Registry Editor Version 5.00 @@ -167,7 +171,7 @@ Short explanation: * Enable Teredo… * …even if we are in domain * use teredo.trex.fi as Teredo server, you might want to use some server - that is more [near to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers). + that is [closer to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers). Linux: install package `miredo` and edit the server in `/etc/miredo.conf` if needed. @@ -182,5 +186,5 @@ least I think Google Chrome did so. * [Wikipedia's page on Teredo](https://en.wikipedia.org/wiki/Teredo_tunneling) * [Microsoft Technet: A 5 Second Boot Optimization If You’ve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFFFFFFFF](http://blogs.technet.com/b/askpfeplat/archive/2014/09/15/a-5-second-boot-optimization-if-you-ve-disabled-ipv6-on-windows-client-and-server-by-setting-disabledcomponents-to-0xffffffff.aspx) * TL;DR: depending on how you disabled IPv6 your boot might be 5 - seconds lower and Microsoft discourages disabling it and they don't + seconds less and Microsoft discourages disabling it and they don't test working without IPv6. Disabling IPv6 breaks e.g. HomeGroup.