Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address from the MAC address. Many see this as a privacy problem. The last half of your IP address will never change, and with MAC addresses being somewhat unique, the interface ID becomes close to a unique "cookie" identifying your system. As a result, RFC 3041 introduces "privacy enhanced" addresses which will change and are created by hashing the MAC address. Of course, each operating system has its own way to enable privacy enhanced addresses.

Windows 7: You can use "netsh" to enable and configure privacy enhanced addresses. To query the status, use:

    netsh interface ipv6 show privacy

To enable it, use:

    netsh interface ipv6 set privacy state=enabled

In my testing, privacy enhanced addresses were enabled and I wasn't actually able to disable them (a possible bug?).

OS X: OS X uses the sysctl command to change various kernel parameters, including privacy enhanced addresses. By default, EUI-64 is used. To enable privacy enhanced addresses, run:

    sudo sysctl -w net.inet6.ip6.use_tempaddr=1

and cycle the interfaces:

    ifconfig en0 down; ifconfig en0 up

However, to have this setting survive a reboot, create a file called /etc/sysctl.conf and add the line:

    net.inet6.ip6.use_tempaddr=1

Linux: As root, similar to OS X, update the respective /proc entries:

    echo 1 > /proc/sys/net/ipv6/conf/all/use_tempaddr
    echo 1 > /proc/sys/net/ipv6/conf/default/use_tempaddr
    echo 1 > /proc/sys/net/ipv6/conf/eth0/use_tempaddr

Linux uses an /etc/sysctl.conf file, just like OS X, to make these changes persist across reboots.
------ |
Johannes 4479 Posts ISC Handler Jun 1st 2011 |
Jun 1st 2011 1 decade ago |
The problem with privacy IPv6 addresses of endpoints on a corporate network is, well, the "privacy".
Sometimes IT admins actually do need to track down physical computers; with privacy addresses, tracking down by IP address will be complicated, since the IP address changes all the time. At least with IPv4, DHCP servers can log which MAC address had such and such IP at such and such time. With IPv6, some new less-convenient (possibly more failure-prone) monitoring mechanism will need to be devised, to be able to track what MAC address had what privacy address at such and such time, for auditing purposes. |
Mysid 146 Posts |
Jun 1st 2011 1 decade ago |
Windows7 correct syntax
netsh interface ipv6 set privacy state=enabled |
Mysid 1 Posts |
Jun 1st 2011 1 decade ago |
Thanks for correcting the typo. I fixed it in the article above.
Regarding corporate networks: I agree. And this was one reason why at least for Vista, the "Pro" versions had EUI-64 addresses and the "Home" versions used privacy enhanced. Sadly, I can't get EUI-64 to work for Windows 7. (but still experimenting with it... so maybe later) |
Johannes 4479 Posts ISC Handler |
Jun 1st 2011 1 decade ago |
Linux looks similar, but not identical to OSX
http://ipv6int.net/systems/linux-ipv6.html#privacy |
Jasey 93 Posts |
Jun 1st 2011 1 decade ago |
Unsurprisingly, OSX instructions also work on FreeBSD.
|
Matt 7 Posts |
Jun 2nd 2011 1 decade ago |