IPv6 and Privacy
IPv6 makes it easy to track you. Let me explain.
An IPv6 address is composed of a prefix and a suffix:
- IPv6 address: 2001:0DB8:1fc3:481:b357:83ff:fecb:4c30
- Prefix: 2001:0DB8:1fc3:481:
- Suffix: b357:83ff:fecb:4c30
The prefix changes according to your internet access (at home, at work, at a friend's…), but the suffix is derived from your MAC address and will always be the same for a given computer.
So even if your IPv6 address changes, the end of it is unique and reliably identifies your device.
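To check whether one of your own addresses carries such a MAC-derived suffix, here is an added example (not code from the original article). It assumes the modified EUI-64 layout of RFC 4291, recognizable by the ff:fe in the middle of the suffix; the function names and the WORK and TEMP addresses are constructed for illustration.

```python
import ipaddress

def interface_id(addr: str) -> bytes:
    """Return the low 64 bits (the suffix) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]

def eui64_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 suffix, or None."""
    iid = interface_id(addr)
    # Modified EUI-64 inserts ff:fe between the two halves of the 48-bit MAC.
    # Heuristic: a random suffix contains ff:fe here only by rare coincidence.
    if iid[3:5] != b"\xff\xfe":
        return None
    # It also inverts the universal/local bit (0x02) of the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def same_device(addr_a: str, addr_b: str) -> bool:
    """True when both addresses embed the same MAC, whatever their prefixes."""
    mac = eui64_mac(addr_a)
    return mac is not None and mac == eui64_mac(addr_b)

def audit(addresses):
    """Label each address so the stable, MAC-derived ones stand out."""
    report = {}
    for a in addresses:
        mac = eui64_mac(a)
        report[a] = f"EUI-64 (MAC {mac})" if mac else "not MAC-derived"
    return report

HOME = "2001:0DB8:1fc3:481:b357:83ff:fecb:4c30"  # address from the article
WORK = "2001:db8:aaaa:1:b357:83ff:fecb:4c30"     # constructed: other prefix, same suffix
TEMP = "2001:db8:1fc3:481:5c3a:91d2:7e04:a6b9"   # constructed: random temporary suffix

if __name__ == "__main__":
    for addr, verdict in audit([HOME, WORK, TEMP]).items():
        print(f"{addr}  ->  {verdict}")
    print("home and work correlate:", same_device(HOME, WORK))
```

Any address reported as EUI-64 keeps the same suffix on every network the machine joins; a temporary address should come out as not MAC-derived.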
The countermeasure is called IPv6 Privacy Address.
When you enable this policy on your computer, a second IPv6 address, called the Temporary IPv6 address, is randomly assigned during autoconfiguration. Even though you cannot change the prefix, the suffix changes each time.
This means you can still reach your computer at the previous IPv6 address, but in the other direction (when the computer connects to the internet) it will use a different, random address. It has 2 addresses.
It's enabled by default; you have certainly seen “Temporary IPv6 Address” in your ipconfig output.
Mac OS X 10.6
You have to enable it.
How to enable IPv6 Privacy Address on Mac?
You must create the file /etc/sysctl.conf with the following content:
After the next restart you'll get a second IPv6 address, and it will be preferred for every internet access.
How to use the fixed IP address sometimes
We often use IP filters to protect our servers via the clients' addresses!
Many SSH/FTP/HTTPS servers use IP addresses to filter access. You would like to always keep the same IP.
I think that every client software should be able to choose which IPv6 address it wants to use (since we have 2 IPv6 addresses in Privacy Mode); I guess it will become common very soon. For example, in ssh you can add the following line to .ssh/config (works on Linux and Mac OS X):
But I think that, most of the time, limited access can be based on the prefix of your IPv6 address, allowing your whole local network to access.
For ssh, sometimes I want to force the use of my IPv4 address even if an IPv6 connection would be possible. Here are some useful commands for your .ssh/config:
- Force the use of IPv4
- Force the use of IPv6
- Allow both
- Force the client to use this precise IPv6 address, obtained from DNS
Example of my /home/chris/.ssh/config
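    # Most specific entries first: ssh keeps the first value it obtains for each
    # option, so srv4 must come before the *.company.com wildcard to get its own
    # port and user.
    Host srv4.company.com
        port 222
        User root

    Host *.company.net *.company.com *.companygroup.com
        port 22
        protocol 2
        PubKeyAuthentication yes
        PasswordAuthentication no
        ForwardX11 yes
        ForwardX11Trusted yes
        User cgonz
        ServerAliveInterval 5

    # Use the fixed (non-temporary) IPv6 address as source for these hosts.
    # AddressFamily inet6 is set here because they also match *.myhome.com below,
    # and an IPv6 source address cannot be bound on an IPv4-only connection.
    Host srv*.myhome.com *chris.myhome.com
        BindAddress 2001:0DB8:1fc3:481:b357:83ff:fecb:4c30
        AddressFamily inet6

    Host *.myhome.com
        port 22222
        #BindAddress 2001:0DB8:1fc3:481:b357:83ff:fecb:4c30
        AddressFamily inet
        #AddressFamily inet6
        #AddressFamily any
        protocol 2
        PubKeyAuthentication yes
        PasswordAuthentication no
        User chris
        ServerAliveInterval 5

    # General defaults last.
    Host *
        protocol 2
        PubKeyAuthentication yes
        PasswordAuthentication yes
        User chris
        ServerAliveInterval 5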