![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
IPv6 additionals
May. 17th, 2010 08:36 pmSome folks (looking at you, ![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif)
hakeber) may remember this post from 2008 wherein I delivered IPv6 to my network at home.
My poking and prodding with the "next generation" protocol has continued over the following two years. Today I was trying to reach my home machine's IPv6 address from my IPv6-enabled machine at work. I've found a few things that have vexed me. I'm not the first person to find them or post the work-arounds, but I'm probably the first person to put them all together in one place so you can just get all the pain out of the way at once instead of stumbling from one obstacle to the next.
First, I found something important to note about IPv6 on Windows Vista/Windows 7: both Windows Vista and Windows 7, when in stateless autoconfig, use "privacy extensions" (specified in RFC4941) by default rather than EUI-64 addresses (deriving the host portion of the address by using the NIC's MAC as per RFC2464 and RFC2373). What this means is the OS automatically generates random interface IDs for every attached IPv6 interface and uses them for privacy addresses. This is great for "privacy" of users who are primarily content consumers, browsing the web. Every few hours or days they get an entirely new IPv6 address (from their subnet) and thus maintain a degree of anonymity (which completely ignores spyware, tracking cookies and the like but I won't go into that here).
The downside of this great privacy feep is that if I have a machine I want to connect to over IPv6, I'm unlikely to know from day to day what address it has (temporary) nor can I derive what to attach to (public) because they're both scrambled and in no way directly related to the NIC's MAC. Yes, in addition to the "temporary" addresses (used for outbound connections to global addresses) Microsoft has included a "public" privatized address, similarly scrambled but at least not prone to rotation.
Since I have no privacy issues to worry about at home, there's a relatively easy fix that gets rid of all this Security Through Obscurity and gets me back to sane, predictable behavior:
* Open an elevated privilege command prompt
* Disable the "temporary" outbound IPv6 addresses with: netsh int ipv6 set privacy=disable
* Disable non EUI-64 IPv6 interface identifiers with: netsh int ipv6 set global randomizeidentifiers=disabled store=persistent
The second thing I found was, even after configuring my IPv6-over-IPv4 tunnel and firewall to pass traffic through, I still couldn't ping my IPv6 address. What I found was that even though "core IPv6 networking" was permitted through the Windows Vista firewall by default, ICMP echo requests weren't passing properly and were being dropped. In the case of my personal workstation at home, the offending Firewall Policy was the "Public" one. I ended up creating a custom policy to do this. Note that this cannot be done via the basic Windows Firewall interface, that'd be too simple. No, instead I had to:
* Start
* Administrative Tools
* Windows Firewall with Advanced Security
* Inbound Rules
* New Rule
* Custom
* All Programs
* Protocol Type: ICMPv6
* Any IP / Any IP
* Allow the Connection
* Apply to Domain, Private and Public (Though for me only Public was the important one)
* name and describe it
The downside is ANY ICMPv6 packets can get through, beyond the echo request and reply I wanted. I'll likely have to circle back to that.
hakeber) may remember this post from 2008 wherein I delivered IPv6 to my network at home.My poking and prodding with the "next generation" protocol has continued over the following two years. Today I was trying to reach my home machine's IPv6 address from my IPv6-enabled machine at work. I've found a few things that have vexed me. I'm not the first person to find them or post the work-arounds, but I'm probably the first person to put them all together in one place so you can just get all the pain out of the way at once instead of stumbling from one obstacle to the next.
First, I found something important to note about IPv6 on Windows Vista/Windows 7: both Windows Vista and Windows 7, when in stateless autoconfig, use "privacy extensions" (specified in RFC4941) by default rather than EUI-64 addresses (deriving the host portion of the address by using the NIC's MAC as per RFC2464 and RFC2373). What this means is the OS automatically generates random interface IDs for every attached IPv6 interface and uses them for privacy addresses. This is great for "privacy" of users who are primarily content consumers, browsing the web. Every few hours or days they get an entirely new IPv6 address (from their subnet) and thus maintain a degree of anonymity (which completely ignores spyware, tracking cookies and the like but I won't go into that here).
The downside of this great privacy feep is that if I have a machine I want to connect to over IPv6, I'm unlikely to know from day to day what address it has (temporary) nor can I derive what to attach to (public) because they're both scrambled and in no way directly related to the NIC's MAC. Yes, in addition to the "temporary" addresses (used for outbound connections to global addresses) Microsoft has included a "public" privatized address, similarly scrambled but at least not prone to rotation.
Since I have no privacy issues to worry about at home, there's a relatively easy fix that gets rid of all this Security Through Obscurity and gets me back to sane, predictable behavior:
* Open an elevated privilege command prompt
* Disable the "temporary" outbound IPv6 addresses with: netsh int ipv6 set privacy=disable
* Disable non EUI-64 IPv6 interface identifiers with: netsh int ipv6 set global randomizeidentifiers=disabled store=persistent
The second thing I found was, even after configuring my IPv6-over-IPv4 tunnel and firewall to pass traffic through, I still couldn't ping my IPv6 address. What I found was that even though "core IPv6 networking" was permitted through the Windows Vista firewall by default, ICMP echo requests weren't passing properly and were being dropped. In the case of my personal workstation at home, the offending Firewall Policy was the "Public" one. I ended up creating a custom policy to do this. Note that this cannot be done via the basic Windows Firewall interface, that'd be too simple. No, instead I had to:
* Start
* Administrative Tools
* Windows Firewall with Advanced Security
* Inbound Rules
* New Rule
* Custom
* All Programs
* Protocol Type: ICMPv6
* Any IP / Any IP
* Allow the Connection
* Apply to Domain, Private and Public (Though for me only Public was the important one)
* name and describe it
The downside is ANY ICMPv6 packets can get through, beyond the echo request and reply I wanted. I'll likely have to circle back to that.
