mikaela.github.io/blog/_posts/2015-06-22-ipv6.md

215 lines
9.1 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: post
comments: true
title: "IPv6"
category: [english]
tags: [english, IPv6]
redirect_from:
- /ipv6/
- /IPv6/
- /english/2015/06/22/ipv6.html
lang: en
robots: noai
---
_There appears to be a lot of confusion on IPv6 and in this post I try to clear
it a little._
I am writing this post, because
[TorrentFreak wrote about buggy µTorrent and suggests disabling IPv6 because of it.](https://torrentfreak.com/popular-torrents-being-sabotaged-by-ipv6-peer-flood-150619/)
The comments of that post are also totally lost.
<!-- editorconfig-checker-disable -->
<!-- prettier-ignore-start -->
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
<em lang="fi">Automaattinen sisällysluettelo</em> / <em lang="en">Automatically generated Table of Contents</em>
- [IPv4](#ipv4)
- [IPv6](#ipv6)
- [EUI-64-addresses](#eui-64-addresses)
- [Windows IPv6 address randomization](#windows-ipv6-address-randomization)
- [Disabling privacy extensions](#disabling-privacy-extensions)
- [Getting IPv6](#getting-ipv6)
- [Further reading](#further-reading)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
<!-- prettier-ignore-end -->
<!-- editorconfig-checker-enable -->
## IPv4
It's probably best to start with what is wrong with IPv4 and note that all
modern operating systems (including Windows Vista and newer) are designed to
work with IPv6 and disabling it may break some features.
There are no IPv4 addresses for everyone and that is why we have NATs in routers
so we only have one IPv4 address facing the internet. That isn't enough either
so ISPs started having their own NATs too known as CGN (Carrier Grade NAT)
putting _a lot_ of customers behind single IPv4 address.
This means that if someone on the same ISP abused your favourite service X\*,
all users behind that IPv4 address get banned.
<em>\*X = Wikipedia, your favourite forum or IRC network or whatever</em>.
CGN can also cause issues with online gaming (as everyone appears to be
connecting from single address and it can also increase latencies).
## IPv6
IPv6, again, is next version of the Internet Protocol and has enough addresses
for all your devices and you don't need NAT anymore so you don't have to do port
forwards (which didn't help you behind CGN anyway) anymore.
People have weird worries with it and many misunderstandings on privacy
concerns.
### EUI-64-addresses
EUI-64-addresses are based on your MAC-address and a lot of people seem to be
worried about how they can be used for spying on you as you go through different
networks (phone, laptop).
This is an unrequired concern though as IPv6 privacy extensions should exist
with all IPv6 capable systems (again including Windows which seems to be what
people worry about the most). The privacy extensions generate a random IPv6
address which has no MAC-address and is changed over time.
Arch Linux and Ubuntu MATE (and other Linux distributions?) seem to change it
every 24 hours (controlled by `net.ipv6.conf.default.temp_prefered_lft`) and I
believe it also gets changed by reconnecting to network or rebooting the system.
On your IPv6-enabled system you should see three addresses:
- EUI-64-address where you see your MAC-address clearly, it just exists and
isn't used in outgoing connections so no one knows it unless you decide to
tell them.
- Privacy (extensions) address which is random and used for all outgoing
connections and it changes every few hours. You might see multiple of these as
the old privacy addresses are still kept for some time, but no outgoing
connections is made with them.
- Link-local address you see even without global IPv6 connectivity as every
IPv6-supporting system generates them automatically. They start with `fe80`
and only work in your LAN. It also has your MAC-address visible.
If you are still worried about the MAC-address being visible, you can easily
confirm that no one sees it by going to [ipv6-test.com](https://ipv6-test.com),
looking at "IPv6 connectivity" and check the test that says "SLAAC". If it says
"No" your EUI-64-address is not used, if it says "Yes" they are used and it
should never say "Yes". You will probably understand that it's not supposed to
say "Yes" as getting "Yes" in that test decreases your score.
#### Windows IPv6 address randomization
Windows which you shouldn't worry about makes you worry even less by being
annoying and randomizing all addresses (even if there is no need because you
have IPv6 privacy extensions) and this probably causes you a headache if you are
running Windows Server or dual-booting with some other OS.
When you dual-boot, you might wonder why even the EUI-64-address is different on
Windows and Linux/OS X/whatever.
This is easy to fix though, open cmd.exe or PowerShell as admin and run:
```
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
```
##### Disabling privacy extensions
**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS A SERVER AND WON'T EVER BE MOVED
ANYWHERE. BY DOING THIS THE EUI-64-ADDRESS GETS USED AND EVERYONE DOES SEE YOUR
MAC-ADDRESS.**
As I am talking so much about privacy extensions, I must probably tell that you
can disable them if you want. I have no idea if that is possible with OS X so I
don't say anything about it, I only know that it uses them by default.
Windows: start by disabling the randomization and then
```
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
```
Linux: check NetworkManager connection editor (or config files of whatever you
use) or use the kernel option directly in `/etc/sysctl.conf` or preferably
`/etc/sysctl.d/<whatever>.conf`: `net.ipv6.conf.default.use_tempaddr=0`.
The numbers you can use here are:
- 0 — IPv6 Privacy Extensions are disabled.
- 1 — IPv6 Privacy Extensions are enabled, but **EUI-64-address is preferred.**
- 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually the
default and what you should use.
### Getting IPv6
For native connectivity I only know about Finland (links in the list in
Finnish)…
- [IPv6 in Finnish consumer connections](https://ape3000.com/ipv6/)
- At the time of writing Elisa and DNA which are two of three biggest carriers
(Sonera is missing) have IPv6 in all mobile connections, DNA has IPv6 also
in broadband connections and Elisa is working on it and Sonera has 6rd.
- [Elisa's page on enabling IPv6](https://asiakastuki.elisa.fi/ohje/541)
- [DNA's page on IPv6](https://www.dna.fi/ipv6)
- [DNA's instructions for enabling IPv6 on different devices](https://www.dna.fi/ipv6-laitteet)
- [Sonera's page on IPv6 that is worse than earlier ones](https://www.sonera.fi/etsi+apua+ja+tukea/ohjeet/Soneran-palvelut-IPv6-valmiita?id=c4779f91-dd1c-4e43-b026-b2e6338d0db1)
…but I can suggest searching the web for `yourISP IPv6` and contacting their
customer support asking when they are going to enable IPv6.
For tunneling there are multiple services for tunneling and the best are [SixXS]
and [Tunnelbroker], but I am going to talk more about Teredo which the protocol
of last resort for accessing IPv6 sites and Windows comeswith it by default. The
easiest way to enable it is probably saving the following as `something.reg` and
running it:
[sixxs]: https://www.sixxs.net/
[tunnelbroker]: https://tunnelbroker.net/
```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"AddrConfigControl"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition]
"Teredo_DefaultQualified"="Enabled"
"Teredo_State"="Enterprise Client"
"Teredo_ServerName"="teredo.trex.fi"
```
Short explanation:
- Enable looking up IPv6 records even with Teredo
- Enable Teredo…
- …even if we are in domain
- use teredo.trex.fi as Teredo server, you might want to use some server that is
[closer to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers).
Linux: install package `miredo` and edit the server in `/etc/miredo.conf` if
needed.
And then check [ipv6-test.com](https://ipv6-test.com) and it should detect your
Teredo connectivity. Some browsers don't even attempt to use it, at least I
think Google Chrome did so.
## Further reading
- [Wikipedia's page on IPv6](https://en.wikipedia.org/wiki/IPv6)
- [Wikipedia's page on Teredo](https://en.wikipedia.org/wiki/Teredo_tunneling)
- [Microsoft Technet: A 5 Second Boot Optimization If Youve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFFFFFFFF](https://blogs.technet.com/b/askpfeplat/archive/2014/09/15/a-5-second-boot-optimization-if-you-ve-disabled-ipv6-on-windows-client-and-server-by-setting-disabledcomponents-to-0xffffffff.aspx)
- TL;DR: depending on how you disabled IPv6 your boot might be 5 seconds less
and Microsoft discourages disabling it and they don't test working without
IPv6. Disabling IPv6 breaks e.g. HomeGroup.
_Special thanks to people of `ircs://irc.libera.chat:6697/#IPv6` for checking
that I don't write total nonsense here and all the fixes made and also @e-ali
for checking for spelling mistakes._