IPv6 privacy extensions
As I have mentioned in recent posts, I am pretty new to having an IPv6 address so I am only now learning about some of its features and problems. What I describe here is probably familiar to those who are already IPv6 connected.
One of those features — some people consider it a misfeature — is the privacy extensions.
After receiving IPv6 support from my ISP, and after restarting the network so as to access this support, I used the linux command:
# ifconfig -a
to list my IP addresses. And that command showed that I had two IPv6 addresses. One of those began with “fe80:” and was listed as “Scope:Link”. It is intended for communication on the LAN. I actually had that IPv6 address long before my ISP made IPv6 available. Communication on the LAN does not depend on the ISP.
Now that I have IPv6, that “fe80:” address is still there. But I could see that there was another address, which began with “2602:” and was listed as “Scope:Global”. That was the address to be used for communication outside the LAN.
Booting one of my computers to Windows, I used the command
to see the IPv6 (and IPv4) addresses. I could see that there were three IPv6 addresses.
One of those addresses began with “fe80:” and was labeled as “Link-local”. That’s the address intended for use only on the LAN. The other two addresses began with “2602:” (as assigned by the ISP), and are intended for communication beyond the LAN. One of those was labeled “IPv6 Address”, and the other was labeled “Temporary IPv6 Address”. It is the temporary address that comes from the privacy extensions. I’ll refer to the other as the permanent IPv6 address.
I’ll note here that the permanent IPv6 address assigned by Windows was different from that assigned by linux. I discussed that, and how to make them the same, in my previous post.
The privacy issues
With the way that automatic IPv6 address assignment works, the last 64 bits of your permanent IPv6 address is permanent. If you have a mobile device, and travel with it, the IPv6 address will change as that depends on the ISP. But the last part (roughly the last 64 bits) will stay the same.
The privacy concern is that you could be tracked by using these last 64 bits. They are, in effect, a digital signature for your computer. The suggested solution is the use of a temporary IPv6 address with a randomized last 64 bits that changes from time to time (typically once per day). If you are running a server, then somebody connecting from outside would use your permanent IPv6 address, since they would not know the temporary address. But all outbound connections would be made using the temporary IPv6 address. That way, those who would track you won’t be able to use those last 64 bits of the IPv6 address for long term tracking, because that changes.
The critics of this scheme argue that you will be tracked anyway, using other methods such as browser cookies. I am inclined to think that they are correct about that. So I don’t expect my privacy to be affected very much by using a temporary IPv6 address.
There is, however, a second issue. With IPv4, many of us have our computers behind a home router that does NAT address mapping. And, as a side effect of how NAT works, that gives us some firewall protection. An external hacker won’t be able to connect to my computer, unless I have setup port-forwarding for the the particular port used.
There are no plans for widespread use of NAT with IPv6, so we lose that protection. However, we still have some protection (apart from our software firewall). The 128 bit address space for IPv6 addresses is so large, that hackers trying to attack random addresses won’t find much. But that has it weaknesses. Whenever we make a connection, there is likely to be a log of our IPv6 address on the site to which we connected. And that log information sometimes leaks or is stolen by hackers. That would give the hackers a pool of known IPv6 addresses to attack. And that’s where the temporary IPv6 address comes in handy. By the time the hacker gets to see that temporary address, it is probably no longer in use. So you are still protected by the 128 bit address space.
It is because of this latter issue, that I am inclined to favor the use of temporary IPv6 addresses.
There are also reasons to not use a temporary IPv6 address.
A server will be using the permanent IPv6 address for incoming connections. Typically, that permanent IP address will be known outside the LAN. Most of the benefit of a temporary address is lost, if there is also a publically known permanent address that can be used to access your site. If you are running a serious server, you are probably better off not using a temporary IPv6 address.
Reverse DNS (mapping an IP address back to a hostname) seems hopeless for temporary IPv6 addresses. You would need a new rDNS entry every 24 hours. If what you do requires rDNS, you might be wiser to not use a temporary IPv6 address.
Long running connections
Some people maintain long running connections, such as an ssh connection to a remote server. It is possible that the connection might be broken when the temporary IPv6 address is changed. I’m not sure if this is a serious risk. I notice that my ethernet connection currently lists all of the temporary IPv6 addresses since the last boot. So it is possible that a long running connection might not be affected. It may be mostly a matter of whether the local router can still associate that stale temporary IPv6 address with my computer. I’m not currently using long running connections, so I have not tested what happens here.
How to setup
On Windows, the use of a temporary IPv6 address is standard, though it can be disabled. On linux, it depends. On my system with opensuse 13.1, I only saw the permanent IPv6 address. I was able to get a temporary address by switching to the use of NetworkManager. In the NetworkManager settings, I could edit the connection settings. Under the “IPv6 Address” tab, there was a setting for privacy extensions. I switched that from “disabled” to “enabled (prefer temporary address)”.
With my beta-testing of pre-release versions of opensuse 13.2, I notice that I already have a temporary IPv6 address without using NetworkManager. This is probably related to the use of the “wicked” daemon to manage connections. I do not know of a way to disable that, other than switching to NetworkManager and editing the connection settings.
My test install of kubuntu 14.04 also is using a temporary IPv6 address, and that does use NetworkManager.
In Windows, you can turn off the use of privacy extensions with
netsh interface ipv6 set privacy state=disabled
(I have not tested this).