I’m not a fan of IPv6 privacy addressing. I understand the logic behind it, I really do, obfuscate the LLADDR (MAC address) of the host in question, but I really don’t see the realistic purpose. If someone wanted to use my MAC address, what good would that really get them, unless they’re on the same layer 2 segment? More importantly, if they’re on the same layer 2 segment, they have my MAC address anyway.
Privacy addresses cause more heartburn than they cure. How do I track someone who has a rotating address? Am I scraping the neighbor table of my network equipment often enough to have reasonable accountability? Probably, but what if I’m not? I could go on and on about how I think RFC4941 addresses aren’t that useful, but instead I’ll just write down how to disable them (I’ve always been known as more of a machete than a scalpel anyway =).
With MacOS 10.7 (Lion) it’s now on by default. To disable it, you need to open a terminal and type:
sudo sysctl -w net.inet6.ip6.use_tempaddr=0
Poof! There you go. You should be using DHCPv6 anyway =) *cue vendors getting off their rear ends and implementing dhcpv6 relay*
XP:
netsh interface ipv6 set privacy state=disabled
Vista:
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled
I assume Windows 7 is similar to Vista, but I have not tested.
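The sysctl command above changes the running kernel only; for the setting to survive a reboot the same key has to be written to /etc/sysctl.conf as well. The script below is an added example (not from the original post) that does that edit idempotently: it rewrites an existing net.inet6.ip6.use_tempaddr line if there is one, appends the line otherwise, and leaves every other line alone. The file path is a parameter so the functions can be exercised against a scratch copy without touching the real /etc/sysctl.conf; the key name is the one from the post, everything else (function names, the sample file) is my own construction.

```shell
#!/bin/sh
# Added example: persist a sysctl key=value in an /etc/sysctl.conf-style file.
# Works with both BSD (macOS) and GNU userlands, so it avoids `sed -i`.

# Escape the dots in a sysctl key so they match literally in a regex.
_key_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_sysctl_conf FILE KEY VALUE
# Replace an active "KEY = VALUE" line (spaces around '=' tolerated) or append one.
set_sysctl_conf() {
    file=$1; key=$2; value=$3
    kre=$(_key_re "$key")
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*${kre}[[:space:]]*=" "$file"; then
        tmp=$(mktemp) || return 1
        sed -E "s|^[[:space:]]*${kre}[[:space:]]*=.*|${key}=${value}|" "$file" > "$tmp" \
            && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_conf FILE KEY
# Print the value configured for KEY (last active line wins), or nothing.
get_sysctl_conf() {
    kre=$(_key_re "$2")
    sed -nE "s|^[[:space:]]*${kre}[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | tail -n 1
}

# Usage on a Mac, after the live `sudo sysctl -w` from the post:
#   sudo sh -c '. ./sysctl_conf.sh; set_sysctl_conf /etc/sysctl.conf net.inet6.ip6.use_tempaddr 0'
#   sysctl net.inet6.ip6.use_tempaddr    # verify the running value
```

Running the same call twice leaves a single line for the key, so the script is safe to drop into a configuration-management run; the verification step is still the live `sysctl net.inet6.ip6.use_tempaddr`, since the file only matters at the next boot.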
I think the real security issue with EUI-64 address assignment is that your IPv6 address contains your same MAC address, wherever you go. So your movements are trackable between home, work, and coffee shop networks. It has less to do with what the L2 address actually is.
Also, you missed a part of the command to turn it off; it’s:
sudo sysctl -w net.inet6.ip6.use_tempaddr=1
To make it permanent across reboots requires editing /etc/sysctl.conf.
I don’t buy the tracking of the mac address. I guess it’s feasible, but spoofing a mac is so easy nowadays, I just don’t see the point. There are so many ways to track a user via http logs, logged access to shared resources, etc. that I just don’t buy that it’s any easier than any other mechanism.
sudo sysctl -w net.inet6.ip6.use_tempaddr=1 will enable the tempaddr,
sudo sysctl -w net.inet6.ip6.use_tempaddr=0 disables it, if I recall correctly. Good point about the /etc/sysctl.conf. I’ll add that in.