From: Paul Hartman <paul.hartman+gentoo@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPv6 not ready here; Hmmm
Date: Thu, 9 Jun 2011 10:51:29 -0500 [thread overview]
Message-ID: <BANLkTimhGsLyiMDh+0oqAJPdyMA3o5Qf6g@mail.gmail.com> (raw)
In-Reply-To: <201106090646.54905.michaelkintzios@gmail.com>
On Thu, Jun 9, 2011 at 12:46 AM, Mick <michaelkintzios@gmail.com> wrote:
>> BTW, Windows Vista and 7 generate randomized host IDs for public IPv6
>> addresses, it's generally advised to disable that. You can do that by
>> running this at administrator cmd prompt:
>> netsh interface ipv6 set global randomizeidentifiers=disabled
>
> I was looking at the same in the Linux kernel scratching my head if I should
> enable this or not ...
>
> What does it do - not sure I understand what such temporary addresses are used
> for:
> ============================================
> IPv6: Privacy Extensions (RFC 3041) support
>
> CONFIG_IPV6_PRIVACY:
Sorry, I described the problem poorly. More specifically I should have
said that it should be disabled because Windows does it /wrong/. :)
In IPv6, link-local address is required (begins with fe80::) even when
an internet-routable address exists. It is derived from your network
prefix and your MAC address. Normally, the public IPv6 address also
contains your MAC address. Every IPv6 interface is going to have at
least 2 different addresses.
Imagine a world where IPv6 is everywhere. You take your laptop home,
to the cafe, to work, to a hotel on a business trip. Despite using
different networks in each place, your MAC address will tie them all
together. The governments and corporations are tracking this and now
know even more about you. At least, that's what people worry about.
In Linux, enabling the privacy extensions adds an additional,
temporary IPv6 address to the interface, with a randomized "MAC" part,
and it changes regularly (every hour or two? something like that). The
link-local address still contains the MAC-based IPv6 address, and the
standard routable IPv6 address is also available but not used by
default for outgoing connections. So, inside your network, things are
predictable and unchanging, which makes management of clients, routing
of traffic, firewall rules, etc. easier to deal with. To the outside
world, your IP address is constantly changing and can't be used to
track you as easily as it would be if the MAC portion of the address
were consistent.
In Windows, however, when that option is enabled, they wrongly
randomize ALL of the addresses, even the local, rather than just
creating a temp random public address. Which means every time that
machine reboots it's going to look like a new client on the local
network, and any local network setup you have pertaining to a certain
IP is going to be a pain to maintain. Depending on your usage, maybe
that doesn't matter, but in general, on Windows machines, it's
considered a buggy implementation and is undesired.
In Linux, it should be absolutely fine to use. In your
/etc/sysctl.conf you can add these lines to enable it on every
interface by default, assuming you enabled it in your kernel config:
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
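An added worked example, not part of the message above or of anything Paul posted: it shows the address derivation the reply describes, so you can see exactly which part of a SLAAC address carries the MAC and how to tell a MAC-derived address from a temporary one. The MAC, the 2001:db8:1::/64 prefix and the three "observed" addresses are constructed test data, and all function names are this example's own. The EUI-64 rule (insert ff:fe, flip the universal/local bit) is the one from RFC 4291 appendix A, which is what Linux uses when use_tempaddr is 0 and for the link-local address in every mode.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier.

    RFC 4291 appendix A: split the MAC in half, insert ff:fe in the
    middle, and flip the universal/local bit (bit 1 of the first octet).
    """
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the MAC-derived identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The mandatory fe80::/64 address: same MAC-derived identifier."""
    return slaac_address("fe80::/64", mac)


def mac_from_address(addr: str):
    """Recover the MAC if the interface identifier has the EUI-64 shape.

    Returns None when the identifier does not look MAC-derived, which is
    what a temporary (privacy-extension) address looks like. Heuristic
    caveat: a random identifier matches ff:fe in the middle with
    probability 1/65536, so treat a hit as strong evidence, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit_addresses(addresses):
    """Map each address to the MAC it exposes, or None if it exposes none."""
    return {a: mac_from_address(a) for a in addresses}


# Constructed data: what `ip -6 addr` might show on a host with
# use_tempaddr=2. The link-local and the stable global address both
# embed the MAC; the temporary address does not.
EXAMPLE_MAC = "00:1a:2b:3c:4d:5e"
EXAMPLE_ADDRESSES = [
    "fe80::21a:2bff:fe3c:4d5e",
    "2001:db8:1:0:21a:2bff:fe3c:4d5e",
    "2001:db8:1:0:8d1e:4f3a:9c2b:7e61",
]

if __name__ == "__main__":
    print("link-local :", link_local_address(EXAMPLE_MAC))
    print("stable glob:", slaac_address("2001:db8:1::/64", EXAMPLE_MAC))
    for addr, mac in audit_addresses(EXAMPLE_ADDRESSES).items():
        print(f"{addr:40} -> {mac or 'no MAC exposed (temporary?)'}")
```

Run against real output of `ip -6 addr show`, the audit tells you whether the address your outgoing connections actually use (the one with the `temporary` flag when use_tempaddr is 2) still carries the hardware address; on the Linux behaviour described above only the link-local and the stable global address should.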