_posts/IPv6: many fixes

Aminda Suomalainen 2015-06-22 21:52:27 +03:00
parent 084269dcde
commit d2a10634d6
1 changed files with 31 additions and 27 deletions

@ -37,22 +37,23 @@ connecting from single address and it can also increase latencies).
## IPv6 ## IPv6
IPv6 again is next version of the Internet Protocol and has enough IPv6, again, is next version of the Internet Protocol and has enough
addresses for all your devices and you don't need NAT anymore so you don't addresses for all your devices and you don't need NAT anymore so you don't
have to do port forwards (which didn't help you behind CGN anyway) anymore. have to do port forwards (which didn't help you behind CGN anyway) anymore.
People have weird worries with it and many misunderstandings on privacy People have weird worries with it and many misunderstandings on privacy
concerns. concerns.
### SLAAC-addresses ### EUI-64-addresses
SLAAC-addresses are based on your MAC-address and a lot of people seem to EUI-64-addresses are based on your MAC-address and a lot of people seem to
be worried about how they can be used for spying you across the network. be worried about how they can be used for spying you as you go through
different networks (phone, laptop).
This is unrequired concern though as IPv6 privacy extensions should exist This is an unrequired concern though as IPv6 privacy extensions should
with all IPv6 capable systems (again including Windows which seems to be exist with all IPv6 capable systems (again including Windows which seems
what people worry about the most). The privacy extensions generate random to be what people worry about the most). The privacy extensions generate
IPv6 address which has no MAC-address and is changed over time. a random IPv6 address which has no MAC-address and is changed over time.
Antergos and Ubuntu MATE (and other Linux distributions?) seem to change Antergos and Ubuntu MATE (and other Linux distributions?) seem to change
it every 24 hours (controlled by `net.ipv6.conf.default.temp_prefered_lft`) it every 24 hours (controlled by `net.ipv6.conf.default.temp_prefered_lft`)
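Review bot: the rewritten opening line "IPv6, again, is next version of the Internet Protocol" still lacks an article; suggest "is the next version". In the same hunk, "spying you as you go through different networks" reads better as "spying on you", and "an unrequired concern" as "an unnecessary concern".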
@ -61,7 +62,7 @@ the system.
On your IPv6-enabled system you should see three addresses: On your IPv6-enabled system you should see three addresses:
* SLAAC-address where you see your MAC-address clearly, it just exists and * EUI-64-address where you see your MAC-address clearly, it just exists and
isn't used in outgoing connections so no one knows it unless you decide isn't used in outgoing connections so no one knows it unless you decide
to tell them. to tell them.
* Privacy (extensions) address which is random and used for all outgoing * Privacy (extensions) address which is random and used for all outgoing
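Review bot: the EUI-64 bullet says the address "isn't used in outgoing connections so no one knows it" without any condition, but the post's own list of `use_tempaddr` values includes setting 1, where the EUI-64-address is preferred. Suggest qualifying the bullet, for example "isn't used in outgoing connections while privacy extensions are enabled and preferred", so the two passages agree.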
@ -75,19 +76,19 @@ On your IPv6-enabled system you should see three addresses:
If you are still worried about the MAC-address being visible, you can If you are still worried about the MAC-address being visible, you can
easily confirm that no one sees it by going to easily confirm that no one sees it by going to
[ipv6-test.com](http://ipv6-test.com), looking at "IPv6 connectivity" and [ipv6-test.com](http://ipv6-test.com), looking at "IPv6 connectivity" and
check the teset that says "SLAAC". If it says "No" your SLAAC-address check the test that says "SLAAC". If it says "No" your EUI-64-address
is not used, if it says "Yes" they are used and it should never say "Yes". is not used, if it says "Yes" they are used and it should never say "Yes".
It probably tells you something that the test decreases points of your You will probably understand that it's not supposed to say "Yes" as getting
IPv6 connectivity if you do use SLAAC address. "Yes" in that test decreases your score.
#### Windows IPv6 address randomization #### Windows IPv6 address randomization
Windows which you shouldn't worry about makes you worry even less by being Windows which you shouldn't worry about makes you worry even less by being
annoying and randomizing all addresses (even if there is no need because annoying and randomizing all addresses (even if there is no need because
you have IPv6 privacy extensions) and this probably causes you headache you have IPv6 privacy extensions) and this probably causes you a headache
if you are running Windows Server or dual-booting with some other OS. if you are running Windows Server or dual-booting with some other OS.
When you dual-boot, you might wonder why even the SLAAC-address is When you dual-boot, you might wonder why even the EUI-64-address is
different on Windows and Linux/OS X/whatever. different on Windows and Linux/OS X/whatever.
This is easy to fix though, open cmd.exe or PowerShell as admin and run: This is easy to fix though, open cmd.exe or PowerShell as admin and run:
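Review bot: on the line 'check the test that says "SLAAC"' the subject is now the singular "EUI-64-address", but the unchanged next line still says "they are used"; suggest "it is used" and splitting the comma-joined sentence in two. The post now says EUI-64 everywhere except for the test label "SLAAC", so a short parenthetical tying that label to the MAC-derived address would keep the terminology change from confusing the reader here.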
@ -99,8 +100,8 @@ netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
##### Disabling privacy extensions ##### Disabling privacy extensions
**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS SERVER AND SHOULDN'T EVER **YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS A SERVER AND WON'T EVER BE
MOVE ANYWHERE. BY DOING THIS THE SLAAC-ADDRESS GETS USED AND EVERYONE DOES MOVE ANYWHERE. BY DOING THIS THE EUI-64-ADDRESS GETS USED AND EVERYONE DOES
SEE YOUR MAC-ADDRESS.** SEE YOUR MAC-ADDRESS.**
As I am talking so much about privacy extensions, I must probably tell As I am talking so much about privacy extensions, I must probably tell
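Review bot: the new warning ends one line with "WON'T EVER BE" and starts the next with "MOVE ANYWHERE", which joins into "WON'T EVER BE MOVE ANYWHERE"; suggest "WON'T EVER BE MOVED ANYWHERE" or "WON'T EVER MOVE ANYWHERE". "EVERYONE DOES SEE" on the following line could also be simply "EVERYONE SEES".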
@ -115,15 +116,15 @@ netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent netsh interface ipv6 set privacy state=disabled store=persistent
``` ```
Linux: check NetworkManager or whatever you use config files Linux: check NetworkManager connection editor (or config files of whatever
(or connection editor) or use the you use) or use the kernel option directly in `/etc/sysctl.conf` or
kernel option directly in `/etc/sysctl.conf` or preferably preferably `/etc/sysctl.d/<whatever>.conf`:
`/etc/sysctl.d/<whatever>.conf`: `net.ipv6.conf.default.use_tempaddr=0`. `net.ipv6.conf.default.use_tempaddr=0`.
The numbers you can use here are: The numbers you can use here are:
* 0 — IPv6 Privacy Extensions are disabled. * 0 — IPv6 Privacy Extensions are disabled.
* 1 — IPv6 Privacy Extensions are enabled, but **SLAAC-address is * 1 — IPv6 Privacy Extensions are enabled, but **EUI-64-address is
preferred.** preferred.**
* 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually * 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually
the default and what you should use. the default and what you should use.
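Review bot: the reflowed Linux paragraph names the file and the key `net.ipv6.conf.default.use_tempaddr=0` but not how the setting is applied or checked afterwards, and it does not say whether interfaces that are already up pick up a change made under `default`. Since this example sits under the "Disabling privacy extensions" heading while the list right after it says 2 is what you should use, it would also help to state next to the key that `=0` is the disabling value and that the reader normally wants to leave it at 2. "check NetworkManager connection editor" needs an article ("the NetworkManager connection editor").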
@ -145,10 +146,13 @@ Finnish)…
…but I can suggest searching the web for `yourISP IPv6` and contacting …but I can suggest searching the web for `yourISP IPv6` and contacting
their customer support asking when they are going to enable IPv6. their customer support asking when they are going to enable IPv6.
For tunneling there are multiple services, but I am only going to mention For tunneling there are multiple services for tunneling and the best are
Teredo shortly, it's the protocol of last resolt for accessing IPv6 sites [SixXS] and [Tunnelbroker], but I am going to talk more about Teredo which
and Windows comes with it by default. The easiest way to enable it is the protocol of last resort for accessing IPv6 sites and Windows comeswith it by default. The easiest way to enable it is probably saving the
probably saving the following as `something.reg` and running it: following as `something.reg` and running it:
[SixXS]:https://www.sixxs.net/
[Tunnelbroker]:https://tunnelbroker.net/
``` ```
Windows Registry Editor Version 5.00 Windows Registry Editor Version 5.00
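Review bot: the rewritten tunneling sentence has three slips: "For tunneling there are multiple services for tunneling" repeats itself, "Teredo which the protocol of last resort" has lost its "is", and "comeswith" is missing a space. Suggest "There are multiple tunneling services and the best are [SixXS] and [Tunnelbroker], but I am going to talk more about Teredo, which is the protocol of last resort for accessing IPv6 sites, and Windows comes with it by default." The same line is also no longer wrapped like the rest of the paragraph.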
@ -167,7 +171,7 @@ Short explanation:
* Enable Teredo… * Enable Teredo…
* …even if we are in domain * …even if we are in domain
* use teredo.trex.fi as Teredo server, you might want to use some server * use teredo.trex.fi as Teredo server, you might want to use some server
that is more [near to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers). that is [closer to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers).
Linux: install package `miredo` and edit the server in `/etc/miredo.conf` Linux: install package `miredo` and edit the server in `/etc/miredo.conf`
if needed. if needed.
@ -182,5 +186,5 @@ least I think Google Chrome did so.
* [Wikipedia's page on Teredo](https://en.wikipedia.org/wiki/Teredo_tunneling) * [Wikipedia's page on Teredo](https://en.wikipedia.org/wiki/Teredo_tunneling)
* [Microsoft Technet: A 5 Second Boot Optimization If Youve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFFFFFFFF](http://blogs.technet.com/b/askpfeplat/archive/2014/09/15/a-5-second-boot-optimization-if-you-ve-disabled-ipv6-on-windows-client-and-server-by-setting-disabledcomponents-to-0xffffffff.aspx) * [Microsoft Technet: A 5 Second Boot Optimization If Youve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFFFFFFFF](http://blogs.technet.com/b/askpfeplat/archive/2014/09/15/a-5-second-boot-optimization-if-you-ve-disabled-ipv6-on-windows-client-and-server-by-setting-disabledcomponents-to-0xffffffff.aspx)
* TL;DR: depending on how you disabled IPv6 your boot might be 5 * TL;DR: depending on how you disabled IPv6 your boot might be 5
seconds lower and Microsoft discourages disabling it and they don't seconds less and Microsoft discourages disabling it and they don't
test working without IPv6. Disabling IPv6 breaks e.g. HomeGroup. test working without IPv6. Disabling IPv6 breaks e.g. HomeGroup.
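Review bot: in the TL;DR, "your boot might be 5 seconds less" still does not say which way of disabling IPv6 gives the shorter boot, so the reader cannot tell whether the linked `DisabledComponents` value of 0xFFFFFFFF is the one to use or the one to avoid. Suggest naming the setting and the direction explicitly, e.g. "depending on how you disabled IPv6 your boot might take 5 seconds longer". The link title in the unchanged line above also reads "Youve" where the URL has "you-ve".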