mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-11-26 22:39:25 +01:00
196 lines
8.3 KiB
Markdown
196 lines
8.3 KiB
Markdown
---
|
||
layout: post
|
||
comments: true
|
||
title: "IPv6"
|
||
category: [english]
|
||
tags: [english, IPv6]
|
||
redirect_from:
|
||
- /ipv6/
|
||
- /IPv6/
|
||
---
|
||
|
||
*There appears to be a lot of confusion on IPv6 and in this post I try to
|
||
clear it a little.*
|
||
|
||
I am writing this post, because [TorrentFreak wrote about buggy µTorrent and suggests disabling IPv6 because of it.](https://torrentfreak.com/popular-torrents-being-sabotaged-by-ipv6-peer-flood-150619/)
|
||
The comments of that post are also totally lost.
|
||
|
||
## IPv4
|
||
|
||
It's probably best to start with what is wrong with IPv4 and note that all
|
||
modern operating systems (including Windows Vista and newer) are designed
|
||
to work with IPv6 and disabling it may break some features.
|
||
|
||
There are no IPv4 addresses for everyone and that is why we have NATs in
|
||
routers so we only have one IPv4 address facing the internet. That isn't
|
||
enough either so ISPs started having their own NATs too known as CGN
|
||
(Carrier Grade NAT) putting *a lot* of customers behind single IPv4
|
||
address.
|
||
|
||
This means that if someone on the same ISP abused your favourite service
|
||
X\*, all users behind that IPv4 address get banned.
|
||
|
||
<em>\*X = Wikipedia, your favourite forum or IRC network or whatever</em>.
|
||
|
||
CGN can also cause issues with online gaming (as everyone appears to be
|
||
connecting from single address and it can also increase latencies).
|
||
|
||
## IPv6
|
||
|
||
IPv6, again, is next version of the Internet Protocol and has enough
|
||
addresses for all your devices and you don't need NAT anymore so you don't
|
||
have to do port forwards (which didn't help you behind CGN anyway) anymore.
|
||
|
||
People have weird worries with it and many misunderstandings on privacy
|
||
concerns.
|
||
|
||
### EUI-64-addresses
|
||
|
||
EUI-64-addresses are based on your MAC-address and a lot of people seem to
|
||
be worried about how they can be used for spying on you as you go through
|
||
different networks (phone, laptop).
|
||
|
||
This is an unrequired concern though as IPv6 privacy extensions should
|
||
exist with all IPv6 capable systems (again including Windows which seems
|
||
to be what people worry about the most). The privacy extensions generate
|
||
a random IPv6 address which has no MAC-address and is changed over time.
|
||
|
||
Antergos and Ubuntu MATE (and other Linux distributions?) seem to change
|
||
it every 24 hours (controlled by `net.ipv6.conf.default.temp_prefered_lft`)
|
||
and I believe it also gets changed by reconnecting to network or rebooting
|
||
the system.
|
||
|
||
On your IPv6-enabled system you should see three addresses:
|
||
|
||
* EUI-64-address where you see your MAC-address clearly, it just exists and
|
||
isn't used in outgoing connections so no one knows it unless you decide
|
||
to tell them.
|
||
* Privacy (extensions) address which is random and used for all outgoing
|
||
connections and it changes every few hours. You might see multiple of
|
||
these as the old privacy addresses are still kept for some time, but no
|
||
outgoing connections is made with them.
|
||
* Link-local address you see even without global IPv6 connectivity as every
|
||
IPv6-supporting system generates them automatically. They start with
|
||
`fe80` and only work in your LAN. It also has your MAC-address visible.
|
||
|
||
If you are still worried about the MAC-address being visible, you can
|
||
easily confirm that no one sees it by going to
|
||
[ipv6-test.com](http://ipv6-test.com), looking at "IPv6 connectivity" and
|
||
check the test that says "SLAAC". If it says "No" your EUI-64-address
|
||
is not used, if it says "Yes" they are used and it should never say "Yes".
|
||
You will probably understand that it's not supposed to say "Yes" as getting
|
||
"Yes" in that test decreases your score.
|
||
|
||
#### Windows IPv6 address randomization
|
||
|
||
Windows which you shouldn't worry about makes you worry even less by being
|
||
annoying and randomizing all addresses (even if there is no need because
|
||
you have IPv6 privacy extensions) and this probably causes you a headache
|
||
if you are running Windows Server or dual-booting with some other OS.
|
||
|
||
When you dual-boot, you might wonder why even the EUI-64-address is
|
||
different on Windows and Linux/OS X/whatever.
|
||
|
||
This is easy to fix though, open cmd.exe or PowerShell as admin and run:
|
||
|
||
```
|
||
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
|
||
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
|
||
```
|
||
|
||
##### Disabling privacy extensions
|
||
|
||
**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS A SERVER AND WON'T EVER BE
|
||
MOVED ANYWHERE. BY DOING THIS THE EUI-64-ADDRESS GETS USED AND EVERYONE
|
||
DOES SEE YOUR MAC-ADDRESS.**
|
||
|
||
As I am talking so much about privacy extensions, I must probably tell
|
||
that you can disable them if you want. I have no idea if that is possible
|
||
with OS X so I don't say anything about it, I only know that it uses them
|
||
by default.
|
||
|
||
Windows: start by disabling the randomization and then
|
||
|
||
```
|
||
netsh interface ipv6 set privacy state=disabled store=active
|
||
netsh interface ipv6 set privacy state=disabled store=persistent
|
||
```
|
||
|
||
Linux: check NetworkManager connection editor (or config files of whatever
|
||
you use) or use the kernel option directly in `/etc/sysctl.conf` or
|
||
preferably `/etc/sysctl.d/<whatever>.conf`:
|
||
`net.ipv6.conf.default.use_tempaddr=0`.
|
||
|
||
The numbers you can use here are:
|
||
|
||
* 0 — IPv6 Privacy Extensions are disabled.
|
||
* 1 — IPv6 Privacy Extensions are enabled, but **EUI-64-address is
|
||
preferred.**
|
||
* 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually
|
||
the default and what you should use.
|
||
|
||
### Getting IPv6
|
||
|
||
For native connectivity I only know about Finland (links in the list in
|
||
Finnish)…
|
||
|
||
* [IPv6 in Finnish consumer connections](http://ape3000.com/ipv6/)
|
||
* At the time of writing Elisa and DNA which are two of three biggest
|
||
carriers (Sonera is missing) have IPv6 in all mobile connections, DNA
|
||
has IPv6 also in broadband connections and Elisa is working on it
|
||
and Sonera has 6rd.
|
||
* [Elisa's page on enabling IPv6](http://asiakastuki.elisa.fi/ohje/541)
|
||
* [DNA's page on IPv6](https://www.dna.fi/ipv6)
|
||
* [DNA's instructions for enabling IPv6 on different devices](https://www.dna.fi/ipv6-laitteet)
|
||
* [Sonera's page on IPv6 that is worse than earlier ones](http://www.sonera.fi/etsi+apua+ja+tukea/ohjeet/Soneran-palvelut-IPv6-valmiita?id=c4779f91-dd1c-4e43-b026-b2e6338d0db1)
|
||
|
||
…but I can suggest searching the web for `yourISP IPv6` and contacting
|
||
their customer support asking when they are going to enable IPv6.
|
||
|
||
For tunneling there are multiple services for tunneling and the best are
|
||
[SixXS] and [Tunnelbroker], but I am going to talk more about Teredo which
|
||
the protocol of last resort for accessing IPv6 sites and Windows comeswith it by default. The easiest way to enable it is probably saving the
|
||
following as `something.reg` and running it:
|
||
|
||
[SixXS]:https://www.sixxs.net/
|
||
[Tunnelbroker]:https://tunnelbroker.net/
|
||
|
||
```
|
||
Windows Registry Editor Version 5.00
|
||
|
||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
|
||
"AddrConfigControl"=dword:00000000
|
||
|
||
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition]
|
||
"Teredo_DefaultQualified"="Enabled"
|
||
"Teredo_State"="Enterprise Client"
|
||
"Teredo_ServerName"="teredo.trex.fi"
|
||
```
|
||
|
||
Short explanation:
|
||
* Enable looking up IPv6 records even with Teredo
|
||
* Enable Teredo…
|
||
* …even if we are in domain
|
||
* use teredo.trex.fi as Teredo server, you might want to use some server
|
||
that is [closer to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers).
|
||
|
||
Linux: install package `miredo` and edit the server in `/etc/miredo.conf`
|
||
if needed.
|
||
|
||
And then check [ipv6-test.com](http://ipv6-test.com) and it should detect
|
||
your Teredo connectivity. Some browsers don't even attempt to use it, at
|
||
least I think Google Chrome did so.
|
||
|
||
## Further reading
|
||
|
||
* [Wikipedia's page on IPv6](https://en.wikipedia.org/wiki/IPv6)
|
||
* [Wikipedia's page on Teredo](https://en.wikipedia.org/wiki/Teredo_tunneling)
|
||
* [Microsoft Technet: A 5 Second Boot Optimization If You’ve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFFFFFFFF](http://blogs.technet.com/b/askpfeplat/archive/2014/09/15/a-5-second-boot-optimization-if-you-ve-disabled-ipv6-on-windows-client-and-server-by-setting-disabledcomponents-to-0xffffffff.aspx)
|
||
* TL;DR: depending on how you disabled IPv6 your boot might be 5
|
||
seconds less and Microsoft discourages disabling it and they don't
|
||
test working without IPv6. Disabling IPv6 breaks e.g. HomeGroup.
|
||
|
||
*Special thanks to people of [#IPv6](ircs://irc.freenode.net:6697/#ipv6)
|
||
for checking that I don't write total nonsense here and all the fixes made
|
||
and also @e-ali for checking for spelling mistakes.*
|