IPv6 and Privacy

From Wikichris
Jump to: navigation, search

The issue

IPv6 makes it easy to track you. Let me explain.

IPv6 is composed of a Prefix and a suffix:

  • IPv6 address: 2001:0DB8:1fc3:481:b357:83ff:fecb:4c30
  • Prefix: 2001:0DB8:1fc3:481:
  • Suffix: b357:83ff:fecb:4c30

The prefix changes according to your internet access (at home, work, friend’s…) but the Suffix is deduced from your MAC address and will be always the same for one computer.

So even if your IPv6 Adresse changes, the end of it is unique and identifies your device for sure.

Counter Mesure

The counter mesure is called IPv6 Privacy Address.

When you enable this policy on your computer, a second IPv6 is randomly affected during autoconfiguration, called Temporary IPv6 address. Even if you cannot change the Prefix, the Suffix changes each time.

It means: you can still contact your computer with the previous IPv6 address, but in the other way (when the computer connect to the internet) it will have a different random address. It has got 2 addresses.

Windows Vista/Seven

it’s enabled by default, you certainly saw “Temporary IPv6 Address” in your ipconfig

Mac OS X 10.6

you have to enable it

How to enable IPv6 Privacy Address on Mac?

you must create the file /etc/sysctl.conf with the following content:

net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1

Next restart you’ll get a second IPv6 address and it will be prefered for every internet access.

2 IPv6 available

How to use the fixed IP address sometimes

We often use IP filters to protect our servers via the clients' addresses!

Many SSH/FTP/HTTPS servers use IP Addresses to filter access. You would like to keep always the same IP.

I think that every client software should be able to choose which IPv6 address it want to use (since we have 2 IPv6 in Privacy Mode), I guess it will become common very soon. For example in ssh you can add the following line in .ssh/config (works on linux and Mac OS X) :

BindAddress 2001:0DB8:1fc3:481:b357:83ff:fecb:4c30

But I think, most of the time, a limited access can be based on the prefix of your IPv6 address. Allowing all your local network to access.

Tips

SSH

For ssh, sometime I want to force the use of my ipv4 address even if an IPv6 connection would be possible. Here are some useful command for your .ssh/config

  • Force the use of IPv4
AddressFamily inet
  • Force the use of IPv6
AddressFamily inet6
  • Allow both
AddressFamily any
  • Force the client to use this precise IPv6 address, obtained from DNS
BindAddress mycomputer.company.com

Example of my /home/chris/.ssh/config

Host *.company.net *.company.com *.companygroup.com
  port 22
  protocol 2
  PubKeyAuthentication yes
  PasswordAuthentication no
  ForwardX11 yes
  ForwardX11Trusted yes
  User cgonz
  ServerAliveInterval 5

Host srv4.company.com
  port 222
  User root

Host srv*.myhome.com *chris.myhome.com
  BindAddress 2001:0DB8:1fc3:481:b357:83ff:fecb:4c30

Host *.myhome.com
  port 22222
  #BindAddress 2001:0DB8:1fc3:481:b357:83ff:fecb:4c30
  AddressFamily inet
  #AddressFamily inet6
  #AddressFamily any
  protocol 2
  PubKeyAuthentication yes
  PasswordAuthentication no
  User chris
  ServerAliveInterval 5

Host *
  protocol 2
  PubKeyAuthentication yes
  PasswordAuthentication yes
  User chris
  ServerAliveInterval 5