IPv6 and Privacy

IPv6 makes it easy to track you. Let me explain.

An IPv6 address is composed of a prefix and a suffix:
IPv6 address: 2001:0DB8:1fc3:481:b357:83ff:fecb:4c30
Prefix: 2001:0DB8:1fc3:481:
Suffix: b357:83ff:fecb:4c30

The prefix changes according to your internet access (at home, at work, at a friend’s…), but the suffix is derived from your MAC address and will always be the same for a given computer.
So even if your IPv6 address changes, the end of it is unique and reliably identifies your device.
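
The stable suffix described above, as an added example (not code from the original post): this Python sketch builds the MAC-derived suffix using the modified EUI-64 layout of RFC 4291, shows that it is identical under two prefixes, and checks whether one of your own addresses exposes a MAC. The MAC is the one implied by the post's example address; the second prefix and the temporary address are constructed sample values.

```python
import ipaddress

def eui64_suffix(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291) for a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures on a /64 without privacy addresses."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration uses /64 prefixes")
    return net[eui64_suffix(mac)]

def embedded_mac(addr: str):
    """Return the MAC visible in the suffix, or None if it is not EUI-64 shaped.

    Heuristic: a random suffix can contain ff:fe by chance (about 1 in 65536).
    """
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

# MAC implied by the post's example address; second prefix is constructed.
SAMPLE_MAC = "b1:57:83:cb:4c:30"
PREFIXES = ["2001:db8:1fc3:481::/64", "2001:db8:aaaa:1::/64"]
# Constructed temporary (random-suffix) address for comparison.
TEMPORARY = "2001:db8:1fc3:481:5c1e:9a77:2d4:e8b1"

if __name__ == "__main__":
    for p in PREFIXES:
        a = slaac_address(p, SAMPLE_MAC)
        print(f"{p:26} -> {a}  (MAC visible: {embedded_mac(str(a))})")
    print(f"temporary address {TEMPORARY}  (MAC visible: {embedded_mac(TEMPORARY)})")
```

Run `embedded_mac` on the addresses listed by `ifconfig` or `ipconfig` to see which of them still carry the hardware address.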

The countermeasure is called IPv6 Privacy Address.
When you enable this policy on your computer, a second, randomly generated IPv6 address, called the Temporary IPv6 address, is assigned during autoconfiguration. Even though you cannot change the prefix, the suffix changes each time.
This means you can still reach your computer at the previous IPv6 address, but in the other direction (when the computer connects to the internet) it will use a different, random address. It has two addresses.
Windows Vista/Seven: it’s enabled by default; you have certainly seen “Temporary IPv6 Address” in your ipconfig output
Mac OS X 10.6: you have to enable it

How to enable IPv6 Privacy Address on Mac?

You must create the file /etc/sysctl.conf with the following content:

net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1

After the next restart you’ll get a second IPv6 address, and it will be preferred for all internet access.

But I usually protect my servers by IP address!

Many SSH/FTP/HTTPS servers use IP addresses to filter access. You would like to always keep the same IP.

I think that every client software should be able to choose which IPv6 address it wants to use (since we have two IPv6 addresses in privacy mode); I guess it will become common very soon. For example, in ssh you can add the following line to .ssh/config:

BindAddress 2001:0DB8:1fc3:481:b357:83ff:fecb:4c30

But I think that, most of the time, restricted access can be based on the prefix of your IPv6 address, which allows your whole local network to connect.
