mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-11-17 09:29:25 +01:00
215 lines
9.1 KiB
Markdown
215 lines
9.1 KiB
Markdown
---
|
||
layout: post
|
||
comments: true
|
||
title: "IPv6"
|
||
category: [english]
|
||
tags: [english, IPv6]
|
||
redirect_from:
|
||
- /ipv6/
|
||
- /IPv6/
|
||
- /english/2015/06/22/ipv6.html
|
||
lang: en
|
||
robots: noai
|
||
---
|
||
|
||
_There appears to be a lot of confusion on IPv6 and in this post I try to clear
|
||
it a little._
|
||
|
||
I am writing this post, because
|
||
[TorrentFreak wrote about buggy µTorrent and suggests disabling IPv6 because of it.](https://torrentfreak.com/popular-torrents-being-sabotaged-by-ipv6-peer-flood-150619/)
|
||
The comments of that post are also totally lost.
|
||
|
||
<!-- editorconfig-checker-disable -->
|
||
<!-- prettier-ignore-start -->
|
||
|
||
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
|
||
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
|
||
<em lang="fi">Automaattinen sisällysluettelo</em> / <em lang="en">Automatically generated Table of Contents</em>
|
||
|
||
- [IPv4](#ipv4)
|
||
- [IPv6](#ipv6)
|
||
- [EUI-64-addresses](#eui-64-addresses)
|
||
- [Windows IPv6 address randomization](#windows-ipv6-address-randomization)
|
||
- [Disabling privacy extensions](#disabling-privacy-extensions)
|
||
- [Getting IPv6](#getting-ipv6)
|
||
- [Further reading](#further-reading)
|
||
|
||
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
|
||
|
||
<!-- prettier-ignore-end -->
|
||
<!-- editorconfig-checker-enable -->
|
||
|
||
## IPv4
|
||
|
||
It's probably best to start with what is wrong with IPv4 and note that all
|
||
modern operating systems (including Windows Vista and newer) are designed to
|
||
work with IPv6 and disabling it may break some features.
|
||
|
||
There are no IPv4 addresses for everyone and that is why we have NATs in routers
|
||
so we only have one IPv4 address facing the internet. That isn't enough either
|
||
so ISPs started having their own NATs too known as CGN (Carrier Grade NAT)
|
||
putting _a lot_ of customers behind single IPv4 address.
|
||
|
||
This means that if someone on the same ISP abused your favourite service X\*,
|
||
all users behind that IPv4 address get banned.
|
||
|
||
<em>\*X = Wikipedia, your favourite forum or IRC network or whatever</em>.
|
||
|
||
CGN can also cause issues with online gaming (as everyone appears to be
|
||
connecting from single address and it can also increase latencies).
|
||
|
||
## IPv6
|
||
|
||
IPv6, again, is next version of the Internet Protocol and has enough addresses
|
||
for all your devices and you don't need NAT anymore so you don't have to do port
|
||
forwards (which didn't help you behind CGN anyway) anymore.
|
||
|
||
People have weird worries with it and many misunderstandings on privacy
|
||
concerns.
|
||
|
||
### EUI-64-addresses
|
||
|
||
EUI-64-addresses are based on your MAC-address and a lot of people seem to be
|
||
worried about how they can be used for spying on you as you go through different
|
||
networks (phone, laptop).
|
||
|
||
This is an unrequired concern though as IPv6 privacy extensions should exist
|
||
with all IPv6 capable systems (again including Windows which seems to be what
|
||
people worry about the most). The privacy extensions generate a random IPv6
|
||
address which has no MAC-address and is changed over time.
|
||
|
||
Arch Linux and Ubuntu MATE (and other Linux distributions?) seem to change it
|
||
every 24 hours (controlled by `net.ipv6.conf.default.temp_prefered_lft`) and I
|
||
believe it also gets changed by reconnecting to network or rebooting the system.
|
||
|
||
On your IPv6-enabled system you should see three addresses:
|
||
|
||
- EUI-64-address where you see your MAC-address clearly, it just exists and
|
||
isn't used in outgoing connections so no one knows it unless you decide to
|
||
tell them.
|
||
- Privacy (extensions) address which is random and used for all outgoing
|
||
connections and it changes every few hours. You might see multiple of these as
|
||
the old privacy addresses are still kept for some time, but no outgoing
|
||
connections is made with them.
|
||
- Link-local address you see even without global IPv6 connectivity as every
|
||
IPv6-supporting system generates them automatically. They start with `fe80`
|
||
and only work in your LAN. It also has your MAC-address visible.
|
||
|
||
If you are still worried about the MAC-address being visible, you can easily
|
||
confirm that no one sees it by going to [ipv6-test.com](https://ipv6-test.com),
|
||
looking at "IPv6 connectivity" and check the test that says "SLAAC". If it says
|
||
"No" your EUI-64-address is not used, if it says "Yes" they are used and it
|
||
should never say "Yes". You will probably understand that it's not supposed to
|
||
say "Yes" as getting "Yes" in that test decreases your score.
|
||
|
||
#### Windows IPv6 address randomization
|
||
|
||
Windows which you shouldn't worry about makes you worry even less by being
|
||
annoying and randomizing all addresses (even if there is no need because you
|
||
have IPv6 privacy extensions) and this probably causes you a headache if you are
|
||
running Windows Server or dual-booting with some other OS.
|
||
|
||
When you dual-boot, you might wonder why even the EUI-64-address is different on
|
||
Windows and Linux/OS X/whatever.
|
||
|
||
This is easy to fix though, open cmd.exe or PowerShell as admin and run:
|
||
|
||
```
|
||
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
|
||
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
|
||
```
|
||
|
||
##### Disabling privacy extensions
|
||
|
||
**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS A SERVER AND WON'T EVER BE MOVED
|
||
ANYWHERE. BY DOING THIS THE EUI-64-ADDRESS GETS USED AND EVERYONE DOES SEE YOUR
|
||
MAC-ADDRESS.**
|
||
|
||
As I am talking so much about privacy extensions, I must probably tell that you
|
||
can disable them if you want. I have no idea if that is possible with OS X so I
|
||
don't say anything about it, I only know that it uses them by default.
|
||
|
||
Windows: start by disabling the randomization and then
|
||
|
||
```
|
||
netsh interface ipv6 set privacy state=disabled store=active
|
||
netsh interface ipv6 set privacy state=disabled store=persistent
|
||
```
|
||
|
||
Linux: check NetworkManager connection editor (or config files of whatever you
|
||
use) or use the kernel option directly in `/etc/sysctl.conf` or preferably
|
||
`/etc/sysctl.d/<whatever>.conf`: `net.ipv6.conf.default.use_tempaddr=0`.
|
||
|
||
The numbers you can use here are:
|
||
|
||
- 0 — IPv6 Privacy Extensions are disabled.
|
||
- 1 — IPv6 Privacy Extensions are enabled, but **EUI-64-address is preferred.**
|
||
- 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually the
|
||
default and what you should use.
|
||
|
||
### Getting IPv6
|
||
|
||
For native connectivity I only know about Finland (links in the list in
|
||
Finnish)…
|
||
|
||
- [IPv6 in Finnish consumer connections](https://ape3000.com/ipv6/)
|
||
- At the time of writing Elisa and DNA which are two of three biggest carriers
|
||
(Sonera is missing) have IPv6 in all mobile connections, DNA has IPv6 also
|
||
in broadband connections and Elisa is working on it and Sonera has 6rd.
|
||
- [Elisa's page on enabling IPv6](https://asiakastuki.elisa.fi/ohje/541)
|
||
- [DNA's page on IPv6](https://www.dna.fi/ipv6)
|
||
- [DNA's instructions for enabling IPv6 on different devices](https://www.dna.fi/ipv6-laitteet)
|
||
- [Sonera's page on IPv6 that is worse than earlier ones](https://www.sonera.fi/etsi+apua+ja+tukea/ohjeet/Soneran-palvelut-IPv6-valmiita?id=c4779f91-dd1c-4e43-b026-b2e6338d0db1)
|
||
|
||
…but I can suggest searching the web for `yourISP IPv6` and contacting their
|
||
customer support asking when they are going to enable IPv6.
|
||
|
||
For tunneling there are multiple services for tunneling and the best are [SixXS]
|
||
and [Tunnelbroker], but I am going to talk more about Teredo which the protocol
|
||
of last resort for accessing IPv6 sites and Windows comeswith it by default. The
|
||
easiest way to enable it is probably saving the following as `something.reg` and
|
||
running it:
|
||
|
||
[sixxs]: https://www.sixxs.net/
|
||
[tunnelbroker]: https://tunnelbroker.net/
|
||
|
||
```
|
||
Windows Registry Editor Version 5.00
|
||
|
||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
|
||
"AddrConfigControl"=dword:00000000
|
||
|
||
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition]
|
||
"Teredo_DefaultQualified"="Enabled"
|
||
"Teredo_State"="Enterprise Client"
|
||
"Teredo_ServerName"="teredo.trex.fi"
|
||
```
|
||
|
||
Short explanation:
|
||
|
||
- Enable looking up IPv6 records even with Teredo
|
||
- Enable Teredo…
|
||
- …even if we are in domain
|
||
- use teredo.trex.fi as Teredo server, you might want to use some server that is
|
||
[closer to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers).
|
||
|
||
Linux: install package `miredo` and edit the server in `/etc/miredo.conf` if
|
||
needed.
|
||
|
||
And then check [ipv6-test.com](https://ipv6-test.com) and it should detect your
|
||
Teredo connectivity. Some browsers don't even attempt to use it, at least I
|
||
think Google Chrome did so.
|
||
|
||
## Further reading
|
||
|
||
- [Wikipedia's page on IPv6](https://en.wikipedia.org/wiki/IPv6)
|
||
- [Wikipedia's page on Teredo](https://en.wikipedia.org/wiki/Teredo_tunneling)
|
||
- [Microsoft Technet: A 5 Second Boot Optimization If You’ve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFFFFFFFF](https://blogs.technet.com/b/askpfeplat/archive/2014/09/15/a-5-second-boot-optimization-if-you-ve-disabled-ipv6-on-windows-client-and-server-by-setting-disabledcomponents-to-0xffffffff.aspx)
|
||
- TL;DR: depending on how you disabled IPv6 your boot might be 5 seconds less
|
||
and Microsoft discourages disabling it and they don't test working without
|
||
IPv6. Disabling IPv6 breaks e.g. HomeGroup.
|
||
|
||
_Special thanks to people of `ircs://irc.libera.chat:6697/#IPv6` for checking
|
||
that I don't write total nonsense here and all the fixes made and also @e-ali
|
||
for checking for spelling mistakes._
|