On Thursday 09 Jun 2011 16:51:29 Paul Hartman wrote:
> On Thu, Jun 9, 2011 at 12:46 AM, Mick <michaelkintz...@gmail.com> wrote:
> >> BTW, Windows Vista and 7 generate randomized host IDs for public IPv6
> >> addresses, it's generally advised to disable that. You can do that by
> >> running this at administrator cmd prompt:
> >> netsh interface ipv6 set global randomizeidentifiers=disabled
> > 
> > I was looking at the same in the Linux kernel scratching my head if I
> > should enable this or not ...
> > 
> > What does it do - not sure I understand what such temporary addresses are
> > used for:
> > ============================================
> >  IPv6: Privacy Extensions (RFC 3041) support
> 
> > CONFIG_IPV6_PRIVACY:
> Sorry, I described the problem poorly. More specifically I should have
> said that it should be disabled because Windows does it /wrong/. :)
> 
> In IPv6, link-local address is required (begins with fe80::) even when
> an internet-routable address exists. It is derived from your network
> prefix and your MAC address. Normally, the public IPv6 address also
> contains your MAC address. Every IPv6 interface is going to have at
> least 2 different addresses.
> 
> Imagine a world where IPv6 is everywhere. You take your laptop home,
> to the cafe, to work, to a hotel on a business trip. Despite using
> different networks in each place, your MAC address will tie them all
> together. The governments and corporations are tracking this and now
> know even more about you. At least, that's what people worry about.
> 
> In Linux, enabling the privacy extensions adds an additional,
> temporary IPv6 address to the interface, with a randomized "MAC" part,
> and it changes regularly (every hour or two? something like that). The
> link-local address still contains the MAC-based IPv6 address, and the
> standard routable IPv6 address is also available but not used by
> default for outgoing connections. So, inside your network, things are
> predictable and unchanging, which makes management of clients, routing
> of traffic, firewall rules, etc. easier to deal with. To the outside
> world, your IP address is constantly changing and can't be used to
> track you as easily as it would be if the MAC portion of the address
> were consistent.
> 
> In Windows, however, when that option is enabled, they wrongly
> randomize ALL of the addresses, even the local, rather than just
> creating a temp random public address. Which means every time that
> machine reboots it's going to look like a new client on the local
> network, and any local network setup you have pertaining to a certain
> IP are going to be a pain to maintain. Depending on your usage, maybe
> that doesn't matter, but in general, on Windows machines, it's
> considered a buggy implementation and is undesired.
> 
> In Linux, it should be absolutely fine to use. In your
> /etc/sysctl.conf you can add these lines to enable it on every
> interface by default, assuming you enabled in your kernel config:
> 
> net.ipv6.conf.all.use_tempaddr = 2
> net.ipv6.conf.default.use_tempaddr = 2

Excellent explanation!  Thank you.  :-)

Now was it that difficult to add a couple of meaningful lines in the kernel
documentation, so that anyone other than the kernel hacker who wrote that module
would learn that it's there to anonymise your IPv6 address for privacy
purposes?

I take it that loading this module would cut both ways.  If I were to allow 
connections to my server only for *my* IP address, then that would be quite 
difficult to achieve if my IP address changed every few minutes.
-- 
Regards,
Mick
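
Added illustration (not part of the thread, and not code from either poster): Paul's explanation above says the link-local and standard routable addresses embed the MAC in their low 64 bits, while the temporary address uses a random identifier. The script below shows how that modified EUI-64 identifier is built from a MAC, and then audits a listing in the format of `ip -6 addr show` to tell temporary addresses from MAC-derived ones, so you can check that a box with `use_tempaddr = 2` (enable temporary addresses and prefer them for outgoing connections; `1` enables them without preferring them) really has one. The MAC, prefix, and listing are constructed for the example; the function names are my own.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: what `ip -6 addr show dev eth0` prints on a host with
# privacy extensions enabled. The MAC and the 2001:db8:: prefix are made up.
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"
SAMPLE_IP_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:1234/64 scope global temporary dynamic
       valid_lft 86305sec preferred_lft 14305sec
    inet6 2001:db8:1:2:21a:2bff:fe3c:4d5e/64 scope global dynamic mngtmpaddr
       valid_lft 86305sec preferred_lft 86305sec
    inet6 fe80::21a:2bff:fe3c:4d5e/64 scope link
       valid_lft forever preferred_lft forever
"""


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) for a 48-bit MAC (RFC 4291)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in half, insert ff:fe in the middle, and flip the
    # universal/local bit (0x02 of the first octet).
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix + EUI-64: the address SLAAC forms when privacy extensions are off."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embeds_mac(addr: str, mac: str) -> bool:
    """True when the low 64 bits of addr are exactly the EUI-64 of mac."""
    low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return low64 == int.from_bytes(eui64_iid(mac), "big")


# Matches the "inet6 <addr>/<len> scope <scope> <flags...>" lines of ip(8) output.
_INET6 = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\w+)(.*)$")


def classify_addresses(ip_output: str, mac: str) -> List[Tuple[str, str, str]]:
    """Return (address, scope, kind) per inet6 line, where kind is 'temporary'
    (privacy-extension address), 'eui64' (embeds the MAC) or 'other'."""
    result = []
    for line in ip_output.splitlines():
        m = _INET6.match(line)
        if not m:
            continue
        addr, scope, flags = m.groups()
        if "temporary" in flags.split():
            kind = "temporary"
        elif embeds_mac(addr, mac):
            kind = "eui64"
        else:
            kind = "other"
        result.append((addr, scope, kind))
    return result


def leaks_mac_globally(ip_output: str, mac: str) -> bool:
    """Audit check: a MAC-derived address has global scope and there is no
    temporary address on the interface to be used instead of it."""
    entries = classify_addresses(ip_output, mac)
    has_temp = any(kind == "temporary" for _, _, kind in entries)
    has_global_eui64 = any(scope == "global" and kind == "eui64" for _, scope, kind in entries)
    return has_global_eui64 and not has_temp


if __name__ == "__main__":
    for addr, scope, kind in classify_addresses(SAMPLE_IP_OUTPUT, SAMPLE_MAC):
        print(f"{addr:40} {scope:7} {kind}")
    print("MAC exposed to remote peers:", leaks_mac_globally(SAMPLE_IP_OUTPUT, SAMPLE_MAC))
```

Run it against real output by piping `ip -6 addr show dev eth0` into `classify_addresses` with the interface's own MAC; the link-local address will always come back as `eui64`, which is expected and harmless on the LAN, while a global-scope `eui64` address with no `temporary` sibling is the condition the thread's advice is meant to avoid.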
