IPv6 on Windows 7 is embarrassing!
April 25th, 2010 at 21:51
Recently I moved to Windows 7 and left Windows XP behind.
Yeah… I know. Using Windows on your desktop is kind of lame… Unfortunately I always was a geek so I never used Linux-friendly distributions. I was always the guy who installed everything by hand: compiling, optimizing, patching the kernel and so on, taken to the extreme. After you grow up and work for a while, you reach the point where you have so many things to do that in the end you can no longer afford one week of compiling and customizing. So… you choose the time-effective solution.
And recently I upgraded my distribution to Windows 7. :-)
First I was happy to find that in Windows 7 you don’t need to install, configure from the console or make scripts to change your IPv6. Niceee! So, I set my IPv6, checked the connection, and everything was working well!
Over the years I developed some habits. One of them is to see who logged in recently on the server, who is online and from where. So when I logged in on the first server I was surprised to see the username “serghei” (mine) logged in from a statelessly obtained IPv6. Um… not fine. I have access only from one IP on a lot of servers. And when I have a free access point in my home and some free access points at work (all offering stateless IPv6) you must use your own IP!
So, I went to the IPv6 configuration options and looked for a way to disable the stateless autoconfiguration. Unfortunately I found no option there. Well… I thought I must go to the console again, as in Windows XP, and stop the service. Disappointing… but in the end no biggie… two more minutes of work. To make the story shorter, after hours and hours of searching and a lot of moments when I hated the Microsoft tech support page, I decided to ask some experts. Well… I asked but… I’m still waiting for an answer with a solution. :-)
If you can help me I’ll be very grateful to you. :-)
Meanwhile I used to log in on the servers only using IPv4…
Kind of sad, isn’t it?
Cheers,
Sebastian
P.S. I also tried to at least convince Windows 7 to use my assigned IP and not the statelessly obtained one, but without success.
April 26th, 2010 at 7:42 am
Auto configuration takes its instructions from the router. In order to turn off stateless address autoconfiguration (SLAAC), you need to get the router to specify no-autoconfiguration in the router advertisements (RAs) that it sends out. On a Cisco router this looks something like:
interface xxx
ipv6 nd prefix 2405:B000:1234:5678::/64 604800 86400 no-autoconfig
I like to have auto-configuration turned off so that only users who choose to use IPv6 will get an address. We then use a DHCPv6 server to hand out more readable addresses to those machines that don’t have static addresses (basically the same as with IPv4). To use DHCPv6 instead of static addresses, you need to tell your router to enable stateful address auto-configuration (SFAAC, i.e. using a DHCP server): you need to add an “ipv6 nd managed-config-flag” to the above interface definition.
Not all routers allow you control of the RAs. For example, our Cisco firewalls don’t. On those I use an ugly kludge to break SLAAC. I just use a prefix length of greater than 64. The RFC requires that SLAAC breaks if the length is greater than 64 bits since it can’t add a 64 bit EUI-64 interface ID (or 64 bit random number on Windows Vista and later) to the prefix and still fit in 128 bits. Linux boxes generate a warning about invalid prefix length every minute (i.e. on every RA) in /var/log/messages, but that can be reconfigured in syslog-ng.conf or put up with.
The other issue to be aware of is that Windows 7 will generate a non-temporary address as well as a temporary one if it can. The temporary address is used for outgoing connections and changed regularly. A real pain if you want to keep track of machines by IP address. There is a netsh command to turn off temporary addresses and another one to turn off the use of random numbers. The latter reverts back to the RFC standard of using EUI-64 addresses which are based on the MAC address.
For more info, try:
http://technet.microsoft.com/en-us/magazine/2007.08.cableguy.aspx
Hope this helps.
John dot Gibbins at CSIRO dot au
April 26th, 2010 at 5:06 pm
I received a reply from John via email:
“Hi Sebastian,
I was definitely not suggesting turning off Router Advertisements. Turning off the RAs would do nasty things to routing for all IPv6 machines on the subnet even with statically allocated addresses. I was just turning off the auto-config option within the RAs and turning on the manage (use DHCPv6) flag. Turning off the auto-config flag is a little misleading in that it doesn’t turn off auto-configuration, just stateless autoconfiguration. This is appropriate in our situation where we can automate the management of all our MAC addresses (and DUIDs) in our DHCP server. For small home/small networks this isn’t worth the effort.
I’m not sure if you are using the term “stateless address” to refer to the temporary addresses. Both temporary and non-temporary addresses can be assigned statelessly (using a random or EUI-64 interface ID) or statefully using the managed flag and a DHCPv6 server. From experience, if you set the managed flag but don’t turn off auto-configuration in the RAs, you can end up with stateless and stateful addresses making things even messier!
Temporary addresses were created to combat a perceived privacy issue. I think that it is a bad solution as a default setting. It makes any form of tracking based on IP addresses very ugly. From the sounds of it, you do just want to turn off temporary addresses (“netsh interface ipv6 set privacy state=disable” as you said). You may want to use EUI-64 interface identifiers (“netsh interface ipv6 set global randomizeidentifiers=disabled”) as well. They make it slightly easier to track an IP back to a host.
I don’t understand the purpose of blocking access to multicast MAC 33:33:00:01:00:02 (IPv6 ff02::1:2). This is the DHCPv6 server/relay address. Unless your router turns on the managed flag, the host will not send anything to that address and if you don’t have a DHCPv6 server, the packets won’t do anything anyway.
I am the one pushing IPv6 in our organisation so want it to be used. Turning off SLAAC means that I get to control the speed of deployment so that we can fix the problems before they cause problems for unsuspecting users. Having senior management experience problems with something that they don’t see the immediate benefit of is the thing that will do most damage to an IPv6 deployment! At this stage I have IPv6 turned on on over 30 routers around the country (Australia). Not many people are using it yet, but I’m hoping this will change later this year.
regards
johng”
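The RA settings discussed in the two comments above (the per-prefix autonomous flag cleared by "no-autoconfig", the managed flag, and the longer-than-/64 kludge) can be verified by decoding a captured Router Advertisement and seeing which address sources a host is told to use. This is an added example, not code from the post or its commenters; the function names are hypothetical and the sample packets are constructed, reusing the prefix and lifetimes from the Cisco line.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (RFC 4861), starting at the type byte."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(icmp[5] & 0x80), "prefixes": []}  # M flag = use DHCPv6
    off = 16                                  # options follow the 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:   # Prefix Information option
            plen, pflags, valid, _pref = struct.unpack_from("!BBII", icmp, off + 2)
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            autonomous = bool(pflags & 0x40)  # A flag, cleared by "no-autoconfig"
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "autonomous": autonomous,
                # Hosts with a 64-bit interface ID ignore the prefix unless it is a /64
                "slaac": autonomous and plen == 64 and valid > 0,
            })
        off += opt_len
    return ra

def address_sources(ra: dict) -> set:
    """Which mechanisms a host will use to configure addresses from this RA."""
    sources = {"SLAAC"} if any(p["slaac"] for p in ra["prefixes"]) else set()
    if ra["managed"]:
        sources.add("DHCPv6")
    return sources

def build_ra(managed: bool, prefix: str, plen: int, autonomous: bool) -> bytes:
    """Constructed sample RA; checksum is left zero because parse_ra does not check it."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80 if managed else 0, 1800, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)            # L flag always set here
    pio = struct.pack("!BBBBIII", 3, 4, plen, pflags, 604800, 86400, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    cases = {"default RA": (False, 64, True), "no-autoconfig + managed": (True, 64, False),
             "managed, autoconfig left on": (True, 64, True), "prefix longer than /64": (False, 96, True)}
    for name, (m, plen, a) in cases.items():
        ra = parse_ra(build_ra(m, "2405:b000:1234:5678::", plen, a))
        print(f"{name:30} {ra['prefixes'][0]['prefix']:28} -> {sorted(address_sources(ra))}")
```

To check a live segment, feed `parse_ra` the ICMPv6 payload of an RA taken from a packet capture on that link.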
April 26th, 2010 at 5:09 pm
And my conclusion was:
“Hello John!
I misunderstood you and I apologize. You are right. Your solution might be the simplest one until now!
Thank you and wish you happy time playing with IPv6!
Sante!
Sebastian”
I was too blind searching for a solution on Windows and didn’t see the solution offered by John.
In conclusion, Windows 7 is still unfriendly, but thanks to John Gibbins I might have the fastest quick fix.
Thank you, John!
February 14th, 2011 at 7:27 am
netsh interface ipv6 set privacy state=disabled
VERY irritating though, in my case at least – the only thing I want to ‘unrandomize’ is my outbound SMTP … my damn Spamass on my mailserver adds ~1.5 points if there’s no RDNS for the client the mail comes from … that pushes a lot of my outbound mail up into ‘spam’ territory when it’s from a random IP I haven’t setup reverse for – so it’s spam before it even leaves my network!! I was hoping to de-privacy-ize my SMTP connections but leave the rest privacy’ed, but that does not appear to be possible in Windows 7 (not surprisingly, I suppose) :-/