Windows 7: IPv6, Privacy Interface Identifiers

So I’ve been setting up my new laptop the last few days: doing a clean installation of Windows 7, setting up all my basic applications and settings, etc.

While doing all of this, I was reminded of something that I’ve had to previously deal with, which affects all Windows 7 computers. Some may say that it’s a good thing and others (most likely system and network administrators) might say that it’s a pain in the arse, especially when you don’t know about it.

While a rarity, my home network is IPv6 enabled through an IPv6 tunnel (provided by Hurricane Electric), not natively, because Videotron doesn’t yet officially support IPv6 on their network (although it’s available for beta testing to applicable and willing candidates, which rules me out because I get my services through a reseller). I have radvd set up on my m0n0wall gateway to advertise my allocated /64 block of addresses to the devices on my network.

Now, traditionally, network devices will discover the router advertisements and then automatically configure themselves by combining the advertised prefix with an encoded version of their own MAC address to form a self-allocated IPv6 address.

Some people have complained that the idea of encoding the device’s MAC address into the IP address, which is easily viewable to everyone else, is in itself a privacy issue because it lets other (perhaps malicious) people track you based on your device. In order to address this, an RFC was introduced which specified some basic guidelines for network stack designers to follow in order to provide users with more obfuscated addresses that should alleviate their privacy concerns.

Not many operating systems follow this by default (Linux and Mac OS X certainly don’t), but Windows 7 (and probably Vista as well) does follow this suggested standard. In Windows’ implementation, this means that your network interface receives, in addition to the proper automagically configured address with embedded MAC address and the link-local address, a so-called temporary address which combines the advertised prefix with a randomly (as far as I know) generated value to form a valid IPv6 address. This address changes from time to time, as its name would imply, based on a fixed interval.

This all seems like a good idea, and I suspect for the average user it would be. However, once you start getting into the nitty-gritty of things, that is, managing a network with multiple IPv6 devices, then you start encountering issues.

The primary issue I had was with firewall rules at my gateway. Traditionally, firewall rules are applied based on the source IP address. However, because the IPv6 address on my Windows computers would constantly change over time, this nullified the rules and meant that I would have to keep updating them with the latest IP address that Windows had assigned me. I suspect this is also one of the key complaints that people have when attempting to get Windows to work with an IPv6 network.

The second issue I had was with reverse DNS entries for my IPv6 block, which is less likely to be an issue for others. It was basically the same issue as with the firewall rules: the ever-changing address would mean that I’d have to constantly update my rDNS entries, which is impractical.

The solution to all of this is to disable this method of IPv6 auto-configuration in Windows, and luckily this is easily done with four simple commands in the Command Prompt.

Making sure to launch your Command Prompt with Administrator privileges (right-click the entry in the Start menu and select Run as Administrator…), type these four commands into the prompt:

netsh interface ipv6 set privacy state=disabled store=active

netsh interface ipv6 set privacy state=disabled store=persistent

netsh interface ipv6 set global randomizeidentifiers=disabled store=active

netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

Each command should yield an OK response. Once completed, simply restart your computer and the privacy auto-configuration will be disabled (the temporary addresses already assigned stay on the interface until the reboot). And that’s all it takes to end your network administration woes.
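The same procedure as a script, added here as an example and not part of the original post: it runs the four netsh commands from an elevated PowerShell prompt, reads the two settings back with the corresponding netsh show commands to confirm both are disabled, and lists any temporary addresses still present before the reboot. It assumes English-language netsh output (the strings “Ok.”, “enabled”/“disabled” and the “Temporary” address type) and the function name Get-NetshValue is my own.

```powershell
# Added example, not from the original post. Works with the PowerShell 2.0
# that ships with Windows 7, so no #Requires -RunAsAdministrator is used.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Start PowerShell with "Run as administrator" and try again.'
}

# The four commands from the post; each is split so netsh gets separate arguments.
$settings = @(
    'interface ipv6 set privacy state=disabled store=active',
    'interface ipv6 set privacy state=disabled store=persistent',
    'interface ipv6 set global randomizeidentifiers=disabled store=active',
    'interface ipv6 set global randomizeidentifiers=disabled store=persistent'
)
foreach ($cmd in $settings) {
    $result = (& netsh $cmd.Split(' ')) -join ' '
    if ($result -notmatch 'Ok\.') { throw "netsh $cmd did not return Ok: $result" }
}

# Read one "Label : value" line back out of a netsh 'show' listing (assumes English output).
function Get-NetshValue([string[]]$Lines, [string]$Label) {
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Label\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

# Both settings must read 'disabled'; otherwise temporary addresses will keep coming back.
$useTemp   = Get-NetshValue (netsh interface ipv6 show privacy) 'Use Temporary Addresses'
$randomize = Get-NetshValue (netsh interface ipv6 show global)  'Randomize Identifiers'
"Use Temporary Addresses : $useTemp"
"Randomize Identifiers   : $randomize"
if ($useTemp -ne 'disabled' -or $randomize -ne 'disabled') {
    throw 'Privacy extensions are still enabled; check the netsh output above.'
}

# Addresses of type "Temporary" stay on the interfaces until the reboot; list them so the
# firewall and rDNS entries can afterwards be checked against the stable (MAC-derived) address.
$temporary = netsh interface ipv6 show addresses | Where-Object { $_ -match '^\s*Temporary\s' }
if ($temporary) { 'Temporary addresses still present until reboot:'; $temporary }
else            { 'No temporary IPv6 addresses remain.' }
```

After the reboot, running only the verification part again should report no temporary addresses, leaving the MAC-derived address as the one to use in firewall rules and rDNS entries.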

(Source: blackundertone.wordpress.com)
