mikaela.github.io/blog/_posts/2015-06-22-ipv6.md
2023-02-22 20:28:38 +02:00

198 lines
8.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: post
comments: true
title: "IPv6"
category: [english]
tags: [english, IPv6]
redirect_from:
- /ipv6/
- /IPv6/
- /english/2015/06/22/ipv6.html
---
_There appears to be a lot of confusion on IPv6 and in this post I try to
clear it a little._
I am writing this post, because [TorrentFreak wrote about buggy µTorrent and suggests disabling IPv6 because of it.](https://torrentfreak.com/popular-torrents-being-sabotaged-by-ipv6-peer-flood-150619/)
The comments of that post are also totally lost.
## IPv4
It's probably best to start with what is wrong with IPv4 and note that all
modern operating systems (including Windows Vista and newer) are designed
to work with IPv6 and disabling it may break some features.
There are no IPv4 addresses for everyone and that is why we have NATs in
routers so we only have one IPv4 address facing the internet. That isn't
enough either so ISPs started having their own NATs too known as CGN
(Carrier Grade NAT) putting _a lot_ of customers behind single IPv4
address.
This means that if someone on the same ISP abused your favourite service
X\*, all users behind that IPv4 address get banned.
<em>\*X = Wikipedia, your favourite forum or IRC network or whatever</em>.
CGN can also cause issues with online gaming (as everyone appears to be
connecting from single address and it can also increase latencies).
## IPv6
IPv6, again, is next version of the Internet Protocol and has enough
addresses for all your devices and you don't need NAT anymore so you don't
have to do port forwards (which didn't help you behind CGN anyway) anymore.
People have weird worries with it and many misunderstandings on privacy
concerns.
### EUI-64-addresses
EUI-64-addresses are based on your MAC-address and a lot of people seem to
be worried about how they can be used for spying on you as you go through
different networks (phone, laptop).
This is an unrequired concern though as IPv6 privacy extensions should
exist with all IPv6 capable systems (again including Windows which seems
to be what people worry about the most). The privacy extensions generate
a random IPv6 address which has no MAC-address and is changed over time.
Arch Linux and Ubuntu MATE (and other Linux distributions?) seem to change
it every 24 hours (controlled by `net.ipv6.conf.default.temp_prefered_lft`)
and I believe it also gets changed by reconnecting to network or rebooting
the system.
On your IPv6-enabled system you should see three addresses:
- EUI-64-address where you see your MAC-address clearly, it just exists and
isn't used in outgoing connections so no one knows it unless you decide
to tell them.
- Privacy (extensions) address which is random and used for all outgoing
connections and it changes every few hours. You might see multiple of
these as the old privacy addresses are still kept for some time, but no
outgoing connections is made with them.
- Link-local address you see even without global IPv6 connectivity as every
IPv6-supporting system generates them automatically. They start with
`fe80` and only work in your LAN. It also has your MAC-address visible.
If you are still worried about the MAC-address being visible, you can
easily confirm that no one sees it by going to
[ipv6-test.com](https://ipv6-test.com), looking at "IPv6 connectivity" and
check the test that says "SLAAC". If it says "No" your EUI-64-address
is not used, if it says "Yes" they are used and it should never say "Yes".
You will probably understand that it's not supposed to say "Yes" as getting
"Yes" in that test decreases your score.
#### Windows IPv6 address randomization
Windows which you shouldn't worry about makes you worry even less by being
annoying and randomizing all addresses (even if there is no need because
you have IPv6 privacy extensions) and this probably causes you a headache
if you are running Windows Server or dual-booting with some other OS.
When you dual-boot, you might wonder why even the EUI-64-address is
different on Windows and Linux/OS X/whatever.
This is easy to fix though, open cmd.exe or PowerShell as admin and run:
```
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
```
##### Disabling privacy extensions
**YOU DON'T WANT TO DO THIS UNLESS YOUR PC IS A SERVER AND WON'T EVER BE
MOVED ANYWHERE. BY DOING THIS THE EUI-64-ADDRESS GETS USED AND EVERYONE
DOES SEE YOUR MAC-ADDRESS.**
As I am talking so much about privacy extensions, I must probably tell
that you can disable them if you want. I have no idea if that is possible
with OS X so I don't say anything about it, I only know that it uses them
by default.
Windows: start by disabling the randomization and then
```
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
```
Linux: check NetworkManager connection editor (or config files of whatever
you use) or use the kernel option directly in `/etc/sysctl.conf` or
preferably `/etc/sysctl.d/<whatever>.conf`:
`net.ipv6.conf.default.use_tempaddr=0`.
The numbers you can use here are:
- 0 — IPv6 Privacy Extensions are disabled.
- 1 — IPv6 Privacy Extensions are enabled, but **EUI-64-address is
preferred.**
- 2 — IPv6 Privacy Extensions are enabled and preferred. This is usually
the default and what you should use.
### Getting IPv6
For native connectivity I only know about Finland (links in the list in
Finnish)…
- [IPv6 in Finnish consumer connections](https://ape3000.com/ipv6/)
- At the time of writing Elisa and DNA which are two of three biggest
carriers (Sonera is missing) have IPv6 in all mobile connections, DNA
has IPv6 also in broadband connections and Elisa is working on it
and Sonera has 6rd.
- [Elisa's page on enabling IPv6](https://asiakastuki.elisa.fi/ohje/541)
- [DNA's page on IPv6](https://www.dna.fi/ipv6)
- [DNA's instructions for enabling IPv6 on different devices](https://www.dna.fi/ipv6-laitteet)
- [Sonera's page on IPv6 that is worse than earlier ones](https://www.sonera.fi/etsi+apua+ja+tukea/ohjeet/Soneran-palvelut-IPv6-valmiita?id=c4779f91-dd1c-4e43-b026-b2e6338d0db1)
…but I can suggest searching the web for `yourISP IPv6` and contacting
their customer support asking when they are going to enable IPv6.
For tunneling there are multiple services for tunneling and the best are
[SixXS] and [Tunnelbroker], but I am going to talk more about Teredo which
the protocol of last resort for accessing IPv6 sites and Windows comeswith it by default. The easiest way to enable it is probably saving the
following as `something.reg` and running it:
[sixxs]: https://www.sixxs.net/
[tunnelbroker]: https://tunnelbroker.net/
```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"AddrConfigControl"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition]
"Teredo_DefaultQualified"="Enabled"
"Teredo_State"="Enterprise Client"
"Teredo_ServerName"="teredo.trex.fi"
```
Short explanation:
- Enable looking up IPv6 records even with Teredo
- Enable Teredo…
- …even if we are in domain
- use teredo.trex.fi as Teredo server, you might want to use some server
that is [closer to you](https://en.wikipedia.org/wiki/Teredo_tunneling#Servers).
Linux: install package `miredo` and edit the server in `/etc/miredo.conf`
if needed.
And then check [ipv6-test.com](https://ipv6-test.com) and it should detect
your Teredo connectivity. Some browsers don't even attempt to use it, at
least I think Google Chrome did so.
## Further reading
- [Wikipedia's page on IPv6](https://en.wikipedia.org/wiki/IPv6)
- [Wikipedia's page on Teredo](https://en.wikipedia.org/wiki/Teredo_tunneling)
- [Microsoft Technet: A 5 Second Boot Optimization If Youve Disabled IPv6 on Windows Client and Server by setting DisabledComponents to 0xFFFFFFFF](https://blogs.technet.com/b/askpfeplat/archive/2014/09/15/a-5-second-boot-optimization-if-you-ve-disabled-ipv6-on-windows-client-and-server-by-setting-disabledcomponents-to-0xffffffff.aspx)
- TL;DR: depending on how you disabled IPv6 your boot might be 5
seconds less and Microsoft discourages disabling it and they don't
test working without IPv6. Disabling IPv6 breaks e.g. HomeGroup.
_Special thanks to people of [#IPv6](/r/irc-ipv6.html) for checking that I
don't write total nonsense here and all the fixes made and also @e-ali for
checking for spelling mistakes._