mikaela.github.io/_posts/2015-06-22-ipv6.md

8.2 KiB
Raw Blame History

There appears to be a lot of confusion on IPv6 and in this post I try to clear it a little.

I am writing this post, because TorrentFreak wrote about buggy µTorrent and suggests disabling IPv6 because of it. The comments of that post are also totally lost.

IPv4

Its probably best to start with what is wrong with IPv4 and note that all modern operating systems (including Windows Vista and newer) are designed to work with IPv6 and disabling it may break some features.

There are no IPv4 addresses for everyone and that is why we have NATs in routers so we only have one IPv4 address facing the internet. That isnt enough either so ISPs started having their own NATs too known as CGN (Carrier Grade NAT) putting a lot of customers behind single IPv4 address.

This means that if someone on the same ISP abused your favourite service X*, all users behind that IPv4 address get banned.

*X = Wikipedia, your favourite forum or IRC network or whatever.

CGN can also cause issues with online gaming (as everyone appears to be connecting from single address and it can also increase latencies).

IPv6

IPv6, again, is next version of the Internet Protocol and has enough addresses for all your devices and you dont need NAT anymore so you dont have to do port forwards (which didnt help you behind CGN anyway) anymore.

People have weird worries with it and many misunderstandings on privacy concerns.

EUI-64-addresses

EUI-64-addresses are based on your MAC-address and a lot of people seem to be worried about how they can be used for spying on you as you go through different networks (phone, laptop).

This is an unrequired concern though as IPv6 privacy extensions should exist with all IPv6 capable systems (again including Windows which seems to be what people worry about the most). The privacy extensions generate a random IPv6 address which has no MAC-address and is changed over time.

Antergos and Ubuntu MATE (and other Linux distributions?) seem to change it every 24 hours (controlled by net.ipv6.conf.default.temp_prefered_lft) and I believe it also gets changed by reconnecting to network or rebooting the system.

On your IPv6-enabled system you should see three addresses:

  • EUI-64-address where you see your MAC-address clearly, it just exists and isnt used in outgoing connections so no one knows it unless you decide to tell them.
  • Privacy (extensions) address which is random and used for all outgoing connections and it changes every few hours. You might see multiple of these as the old privacy addresses are still kept for some time, but no outgoing connections is made with them.
  • Link-local address you see even without global IPv6 connectivity as every IPv6-supporting system generates them automatically. They start with fe80 and only work in your LAN. It also has your MAC-address visible.

If you are still worried about the MAC-address being visible, you can easily confirm that no one sees it by going to ipv6-test.com, looking at “IPv6 connectivity” and check the test that says “SLAAC”. If it says “No” your EUI-64-address is not used, if it says “Yes” they are used and it should never say “Yes”. You will probably understand that its not supposed to say “Yes” as getting “Yes” in that test decreases your score.

Windows IPv6 address randomization

Windows which you shouldnt worry about makes you worry even less by being annoying and randomizing all addresses (even if there is no need because you have IPv6 privacy extensions) and this probably causes you a headache if you are running Windows Server or dual-booting with some other OS.

When you dual-boot, you might wonder why even the EUI-64-address is different on Windows and Linux/OS X/whatever.

This is easy to fix though, open cmd.exe or PowerShell as admin and run:

netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
Disabling privacy extensions

YOU DONT WANT TO DO THIS UNLESS YOUR PC IS A SERVER AND WONT EVER BE MOVED ANYWHERE. BY DOING THIS THE EUI-64-ADDRESS GETS USED AND EVERYONE DOES SEE YOUR MAC-ADDRESS.

As I am talking so much about privacy extensions, I must probably tell that you can disable them if you want. I have no idea if that is possible with OS X so I dont say anything about it, I only know that it uses them by default.

Windows: start by disabling the randomization and then

netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent

Linux: check NetworkManager connection editor (or config files of whatever you use) or use the kernel option directly in /etc/sysctl.conf or preferably /etc/sysctl.d/<whatever>.conf: net.ipv6.conf.default.use_tempaddr=0.

The numbers you can use here are:

  • 0 — IPv6 Privacy Extensions are disabled.
  • 1 — IPv6 Privacy Extensions are enabled, but EUI-64-address is preferred.
  • 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually the default and what you should use.

Getting IPv6

For native connectivity I only know about Finland (links in the list in Finnish)…

…but I can suggest searching the web for yourISP IPv6 and contacting their customer support asking when they are going to enable IPv6.

For tunneling there are multiple services for tunneling and the best are SixXS and Tunnelbroker, but I am going to talk more about Teredo which the protocol of last resort for accessing IPv6 sites and Windows comeswith it by default. The easiest way to enable it is probably saving the following as something.reg and running it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"AddrConfigControl"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition]
"Teredo_DefaultQualified"="Enabled"
"Teredo_State"="Enterprise Client"
"Teredo_ServerName"="teredo.trex.fi"

Short explanation: * Enable looking up IPv6 records even with Teredo * Enable Teredo… * …even if we are in domain * use teredo.trex.fi as Teredo server, you might want to use some server that is closer to you.

Linux: install package miredo and edit the server in /etc/miredo.conf if needed.

And then check ipv6-test.com and it should detect your Teredo connectivity. Some browsers dont even attempt to use it, at least I think Google Chrome did so.

Further reading

Special thanks to people of #IPv6 for checking that I dont write total nonsense here and all the fixes made and also @e-ali for checking for spelling mistakes.