8.4 KiB
There appears to be a lot of confusion on IPv6 and in this post I try to clear it a little.
I am writing this post, because TorrentFreak wrote about buggy µTorrent and suggests disabling IPv6 because of it. The comments of that post are also totally lost.
IPv4
It’s probably best to start with what is wrong with IPv4 and note that all modern operating systems (including Windows Vista and newer) are designed to work with IPv6 and disabling it may break some features.
There are no IPv4 addresses for everyone and that is why we have NATs in routers so we only have one IPv4 address facing the internet. That isn’t enough either so ISPs started having their own NATs too known as CGN (Carrier Grade NAT) putting a lot of customers behind single IPv4 address.
This means that if someone on the same ISP abused your favourite service X*, all users behind that IPv4 address get banned.
*X = Wikipedia, your favourite forum or IRC network or whatever.
CGN can also cause issues with online gaming (as everyone appears to be connecting from single address and it can also increase latencies).
IPv6
IPv6, again, is next version of the Internet Protocol and has enough addresses for all your devices and you don’t need NAT anymore so you don’t have to do port forwards (which didn’t help you behind CGN anyway) anymore.
People have weird worries with it and many misunderstandings on privacy concerns.
EUI-64-addresses
EUI-64-addresses are based on your MAC-address and a lot of people seem to be worried about how they can be used for spying on you as you go through different networks (phone, laptop).
This is an unrequired concern though as IPv6 privacy extensions should exist with all IPv6 capable systems (again including Windows which seems to be what people worry about the most). The privacy extensions generate a random IPv6 address which has no MAC-address and is changed over time.
Arch Linux and Ubuntu MATE (and other Linux distributions?) seem to
change it every 24 hours (controlled by
net.ipv6.conf.default.temp_prefered_lft) and I believe it
also gets changed by reconnecting to network or rebooting the
system.
On your IPv6-enabled system you should see three addresses:
- EUI-64-address where you see your MAC-address clearly, it just exists and isn’t used in outgoing connections so no one knows it unless you decide to tell them.
- Privacy (extensions) address which is random and used for all outgoing connections and it changes every few hours. You might see multiple of these as the old privacy addresses are still kept for some time, but no outgoing connections is made with them.
- Link-local address you see even without global IPv6 connectivity as
every IPv6-supporting system generates them automatically. They start
with
fe80and only work in your LAN. It also has your MAC-address visible.
If you are still worried about the MAC-address being visible, you can easily confirm that no one sees it by going to ipv6-test.com, looking at “IPv6 connectivity” and check the test that says “SLAAC”. If it says “No” your EUI-64-address is not used, if it says “Yes” they are used and it should never say “Yes”. You will probably understand that it’s not supposed to say “Yes” as getting “Yes” in that test decreases your score.
Windows IPv6 address randomization
Windows which you shouldn’t worry about makes you worry even less by being annoying and randomizing all addresses (even if there is no need because you have IPv6 privacy extensions) and this probably causes you a headache if you are running Windows Server or dual-booting with some other OS.
When you dual-boot, you might wonder why even the EUI-64-address is different on Windows and Linux/OS X/whatever.
This is easy to fix though, open cmd.exe or PowerShell as admin and run:
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistentDisabling privacy extensions
YOU DON’T WANT TO DO THIS UNLESS YOUR PC IS A SERVER AND WON’T EVER BE MOVED ANYWHERE. BY DOING THIS THE EUI-64-ADDRESS GETS USED AND EVERYONE DOES SEE YOUR MAC-ADDRESS.
As I am talking so much about privacy extensions, I must probably tell that you can disable them if you want. I have no idea if that is possible with OS X so I don’t say anything about it, I only know that it uses them by default.
Windows: start by disabling the randomization and then
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistentLinux: check NetworkManager connection editor (or config files of
whatever you use) or use the kernel option directly in
/etc/sysctl.conf or preferably
/etc/sysctl.d/<whatever>.conf:
net.ipv6.conf.default.use_tempaddr=0.
The numbers you can use here are:
- 0 — IPv6 Privacy Extensions are disabled.
- 1 — IPv6 Privacy Extensions are enabled, but EUI-64-address is preferred.
- 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually the default and what you should use.
Getting IPv6
For native connectivity I only know about Finland (links in the list in Finnish)…
- IPv6 in Finnish consumer
connections
- At the time of writing Elisa and DNA which are two of three biggest carriers (Sonera is missing) have IPv6 in all mobile connections, DNA has IPv6 also in broadband connections and Elisa is working on it and Sonera has 6rd.
- Elisa’s page on enabling IPv6
- DNA’s page on IPv6
- Sonera’s page on IPv6 that is worse than earlier ones
…but I can suggest searching the web for yourISP IPv6
and contacting their customer support asking when they are going to
enable IPv6.
For tunneling there are multiple services for tunneling and the best
are SixXS and Tunnelbroker, but I am going to
talk more about Teredo which the protocol of last resort for accessing
IPv6 sites and Windows comeswith it by default. The easiest way to
enable it is probably saving the following as something.reg
and running it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"AddrConfigControl"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition]
"Teredo_DefaultQualified"="Enabled"
"Teredo_State"="Enterprise Client"
"Teredo_ServerName"="teredo.trex.fi"Short explanation:
- Enable looking up IPv6 records even with Teredo
- Enable Teredo…
- …even if we are in domain
- use teredo.trex.fi as Teredo server, you might want to use some server that is closer to you.
Linux: install package miredo and edit the server in
/etc/miredo.conf if needed.
And then check ipv6-test.com and it should detect your Teredo connectivity. Some browsers don’t even attempt to use it, at least I think Google Chrome did so.
Further reading
- Wikipedia’s page on IPv6
- Wikipedia’s page on Teredo
- Microsoft
Technet: A 5 Second Boot Optimization If You’ve Disabled IPv6 on Windows
Client and Server by setting DisabledComponents to 0xFFFFFFFF
- TL;DR: depending on how you disabled IPv6 your boot might be 5 seconds less and Microsoft discourages disabling it and they don’t test working without IPv6. Disabling IPv6 breaks e.g. HomeGroup.
Special thanks to people of #IPv6 for checking that I don’t write total nonsense here and all the fixes made and also @e-ali for checking for spelling mistakes.