_posts/IPv6: many fixes

This commit is contained in:
Aminda Suomalainen 2015-06-22 21:52:27 +03:00
parent 084269dcde
commit d2a10634d6

View File

@ -37,22 +37,23 @@ connecting from single address and it can also increase latencies).
## IPv6
IPv6 again is next version of the Internet Protocol and has enough
IPv6, again, is next version of the Internet Protocol and has enough
addresses for all your devices and you don't need NAT anymore so you don't
have to do port forwards (which didn't help you behind CGN anyway) anymore.
People have weird worries with it and many misunderstandings on privacy
concerns.
### SLAAC-addresses
### EUI-64-addresses
SLAAC-addresses are based on your MAC-address and a lot of people seem to
be worried about how they can be used for spying you across the network.
EUI-64-addresses are based on your MAC-address and a lot of people seem to
be worried about how they can be used for spying you as you go through
different networks (phone, laptop).
This is unrequired concern though as IPv6 privacy extensions should exist
with all IPv6 capable systems (again including Windows which seems to be
what people worry about the most). The privacy extensions generate random
IPv6 address which has no MAC-address and is changed over time.
This is an unrequired concern though as IPv6 privacy extensions should
exist with all IPv6 capable systems (again including Windows which seems
to be what people worry about the most). The privacy extensions generate
a random IPv6 address which has no MAC-address and is changed over time.
Antergos and Ubuntu MATE (and other Linux distributions?) seem to change
it every 24 hours (controlled by `net.ipv6.conf.default.temp_prefered_lft`)
@ -61,7 +62,7 @@ the system.
On your IPv6-enabled system you should see three addresses:
* SLAAC-address where you see your MAC-address clearly, it just exists and
* EUI-64-address where you see your MAC-address clearly, it just exists and
isn't used in outgoing connections so no one knows it unless you decide
to tell them.
* Privacy (extensions) address which is random and used for all outgoing
@ -75,19 +76,19 @@ On your IPv6-enabled system you should see three addresses:
If you are still worried about the MAC-address being visible, you can
easily confirm that no one sees it by going to
[ipv6-test.com](http://ipv6-test.com), looking at "IPv6 connectivity" and
check the teset that says "SLAAC". If it says "No" your SLAAC-address
check the test that says "SLAAC". If it says "No" your EUI-64-address
is not used, if it says "Yes" they are used and it should never say "Yes".
It probably tells you something that the test decreases points of your
IPv6 connectivity if you do use SLAAC address.
You will probably understand that it's not supposed to say "Yes" as getting
"Yes" in that test decreases your score.
#### Windows IPv6 address randomization
Windows which you shouldn't worry about makes you worry even less by being
annoying and randomizing all addresses (even if there is no need because
you have IPv6 privacy extensions) and this probably causes you headache
you have IPv6 privacy extensions) and this probably causes you a headache
if you are running Windows Server or dual-booting with some other OS.
When you dual-boot, you might wonder why even the SLAAC-address is
When you dual-boot, you might wonder why even the EUI-64-address is
different on Windows and Linux/OS X/whatever.
This is easy to fix though, open cmd.exe or PowerShell as admin and run:
@ -99,8 +100,8 @@ netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
##### Disabling privacy extensions
**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS SERVER AND SHOULDN'T EVER
MOVE ANYWHERE. BY DOING THIS THE SLAAC-ADDRESS GETS USED AND EVERYONE DOES
**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS A SERVER AND WON'T EVER BE
MOVE ANYWHERE. BY DOING THIS THE EUI-64-ADDRESS GETS USED AND EVERYONE DOES
SEE YOUR MAC-ADDRESS.**
As I am talking so much about privacy extensions, I must probably tell
@ -115,15 +116,15 @@ netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
```
Linux: check NetworkManager or whatever you use config files
(or connection editor) or use the
kernel option directly in `/etc/sysctl.conf` or preferably
`/etc/sysctl.d/<whatever>.conf`: `net.ipv6.conf.default.use_tempaddr=0`.
Linux: check NetworkManager connection editor (or config files of whatever
you use) or use the kernel option directly in `/etc/sysctl.conf` or
preferably `/etc/sysctl.d/<whatever>.conf`:
`net.ipv6.conf.default.use_tempaddr=0`.
The numbers you can use here are:
* 0 — IPv6 Privacy Extensions are disabled.
* 1 — IPv6 Privacy Extensions are enabled, but **SLAAC-address is
* 1 — IPv6 Privacy Extensions are enabled, but **EUI-64-address is
preferred.**
* 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually
the default and what you should use.
@ -145,10 +146,13 @@ Finnish)…
…but I can suggest searching the web for `yourISP IPv6` and contacting
their customer support asking when they are going to enable IPv6.
For tunneling there are multiple services, but I am only going to mention
Teredo shortly, it's the protocol of last resolt for accessing IPv6 sites
and Windows comes with it by default. The easiest way to enable it is
probably saving the following as `something.reg` and running it:
For tunneling there are multiple services for tunneling and the best are
[SixXS] and [Tunnelbroker], but I am going to talk more about Teredo which
the protocol of last resort for accessing IPv6 sites and Windows comeswith it by default. The easiest way to enable it is probably saving the
following as `something.reg` and running it:
[SixXS]:https://www.sixxs.net/
[Tunnelbroker]:https://tunnelbroker.net/
```
Windows Registry Editor Version 5.00
@ -167,7 +171,7 @@ Short explanation:
* Enable Teredo…
* …even if we are in domain
* use teredo.trex.fi as Teredo server, you might want to use some server
that is more [near to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers).
that is [closer to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers).
Linux: install package `miredo` and edit the server in `/etc/miredo.conf`
if needed.
@ -182,5 +186,5 @@ least I think Google Chrome did so.
* [Wikipedia's page on Teredo](https://en.wikipedia.org/wiki/Teredo_tunneling)
* [Microsoft Technet: A 5 Second Boot Optimization If Youve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFFFFFFFF](http://blogs.technet.com/b/askpfeplat/archive/2014/09/15/a-5-second-boot-optimization-if-you-ve-disabled-ipv6-on-windows-client-and-server-by-setting-disabledcomponents-to-0xffffffff.aspx)
* TL;DR: depending on how you disabled IPv6 your boot might be 5
seconds lower and Microsoft discourages disabling it and they don't
seconds less and Microsoft discourages disabling it and they don't
test working without IPv6. Disabling IPv6 breaks e.g. HomeGroup.