On Thu, Jun 9, 2011 at 12:46 AM, Mick <michaelkintz...@gmail.com> wrote:
>> BTW, Windows Vista and 7 generate randomized host IDs for public IPv6
>> addresses, it's generally advised to disable that. You can do that by
>> running this at administrator cmd prompt:
>> netsh interface ipv6 set global randomizeidentifiers=disabled
>
> I was looking at the same in the Linux kernel, scratching my head over whether I
> should enable this or not ...
>
> What does it do - not sure I understand what such temporary addresses are used
> for:
> ============================================
>  IPv6: Privacy Extensions (RFC 3041) support
>
> CONFIG_IPV6_PRIVACY:

Sorry, I described the problem poorly. More specifically I should have
said that it should be disabled because Windows does it /wrong/. :)

In IPv6, a link-local address is required (begins with fe80::) even when
an internet-routable address exists. It is derived from your network
prefix and your MAC address. Normally, the public IPv6 address also
contains your MAC address. Every IPv6 interface is going to have at
least 2 different addresses.

Imagine a world where IPv6 is everywhere. You take your laptop home,
to the cafe, to work, to a hotel on a business trip. Despite using
different networks in each place, your MAC address will tie them all
together. The governments and corporations are tracking this and now
know even more about you. At least, that's what people worry about.

In Linux, enabling the privacy extensions adds an additional,
temporary IPv6 address to the interface, with a randomized "MAC" part,
and it changes regularly (every hour or two? something like that). The
link-local address still contains the MAC-based IPv6 address, and the
standard routable IPv6 address is also available but not used by
default for outgoing connections. So, inside your network, things are
predictable and unchanging, which makes management of clients, routing
of traffic, firewall rules, etc. easier to deal with. To the outside
world, your IP address is constantly changing and can't be used to
track you as easily as it would be if the MAC portion of the address
were consistent.

In Windows, however, when that option is enabled, they wrongly
randomize ALL of the addresses, even the local, rather than just
creating a temp random public address. Which means every time that
machine reboots it's going to look like a new client on the local
network, and any local network setup you have pertaining to a certain
IP is going to be a pain to maintain. Depending on your usage, maybe
that doesn't matter, but in general, on Windows machines, it's
considered a buggy implementation and is undesired.

In Linux, it should be absolutely fine to use. In your
/etc/sysctl.conf you can add these lines to enable it on every
interface by default, assuming you enabled it in your kernel config:

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
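The addressing the post describes, worked through in code. This is an added example, not code from the thread: it derives the EUI-64 interface identifier from a MAC the way SLAAC does, recovers the MAC from an address that carries one (the cross-network correlation the privacy extensions are meant to defeat), and reads a constructed sample of `ip -6 addr` output to report whether a temporary address exists, whether the link-local address is still MAC-derived, and, given the `use_tempaddr` value, whether the temporary address is the preferred source. The sample output, the MAC 00:16:3e:12:34:56 and the prefix 2001:db8:1:2::/64 are assumed for illustration; the `use_tempaddr` meanings (0 off, 1 on but public address preferred, 2 on and temporary address preferred) follow the kernel's ip-sysctl documentation.

```python
"""Added example (not from the original thread): how a MAC ends up inside an
IPv6 address, and how to tell from `ip -6 addr` output whether RFC 3041
privacy extensions (sysctl use_tempaddr) are in effect.
The sample `ip -6 addr` output and the MAC/prefix below are constructed."""
import ipaddress
import os
import re


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC:
    split the MAC in half, insert ff:fe, flip the universal/local bit."""
    octets = bytes.fromhex(re.sub(r"[:-]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """The 'public' address SLAAC forms from a /64 prefix and a MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 shaped interface identifier, else None.
    A temporary (randomised) identifier has no ff:fe marker and yields None."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


# Constructed `ip -6 addr` output: one temporary global, one EUI-64 global,
# one EUI-64 link-local address, as Linux produces with use_tempaddr=2.
SAMPLE_IP_ADDR = """\
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1c3f:7a2b:9d4e:5f60/64 scope global temporary dynamic
       valid_lft 86381sec preferred_lft 14381sec
    inet6 2001:db8:1:2:216:3eff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86381sec preferred_lft 86381sec
    inet6 fe80::216:3eff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\w+)(.*)$")


def parse_ip_addr(text):
    """Turn the inet6 lines of `ip -6 addr` into dicts (address, scope, flags, mac)."""
    entries = []
    for line in text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr, plen, scope, rest = m.groups()
        entries.append({
            "address": addr,
            "prefixlen": int(plen),
            "scope": scope,
            "temporary": "temporary" in rest.split(),
            "mac": mac_from_address(addr),
        })
    return entries


def read_use_tempaddr(iface):
    """Current use_tempaddr for an interface, or None when not on a Linux host."""
    path = f"/proc/sys/net/ipv6/conf/{iface}/use_tempaddr"
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return int(fh.read().strip())


def privacy_status(entries, use_tempaddr):
    """What the post describes: link-local stays MAC-derived, a temporary global
    address exists, and with use_tempaddr=2 it is preferred for outgoing traffic."""
    link_local = [e["mac"] for e in entries if e["scope"] == "link" and e["mac"]]
    temp_global = [e["address"] for e in entries if e["scope"] == "global" and e["temporary"]]
    eui64_global = [e["address"] for e in entries if e["scope"] == "global" and e["mac"]]
    preferred = use_tempaddr >= 2 and bool(temp_global)
    return {
        "link_local_mac": link_local[0] if link_local else None,
        "temporary_addresses": temp_global,
        "eui64_global_addresses": eui64_global,
        "temporary_preferred": preferred,
        # MAC leaves the site in outgoing connections unless a temporary address is preferred
        "mac_exposed_offsite": bool(eui64_global) and not preferred,
    }


if __name__ == "__main__":
    print(slaac_address("2001:db8:1:2::/64", "00:16:3e:12:34:56"))
    mode = read_use_tempaddr("wlan0")
    print(privacy_status(parse_ip_addr(SAMPLE_IP_ADDR), 2 if mode is None else mode))
```

On a live host, replace `SAMPLE_IP_ADDR` with the output of `ip -6 addr show dev wlan0` and let `read_use_tempaddr` supply the real sysctl value; the report shows the same split the post relies on, a stable MAC-derived link-local address for the LAN and a rotating temporary address for everything else.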
