IPv6

MacOS 10.7 and IPv6 privacy addressing

buraglio | 74 | |

I’m not a fan of IPv6 privacy addressing. I understand the logic behind it, I really doo, obfuscate the LLADDR (MAC address) of the host in question, but I really dont’t see the realistic purpose. If someone wanted to use my mac address, what good would that really get them, unless they’re on the same layer 2 segment? More importantly, if they;re on the same layer 2 segment, they have my MAC address anyway.
Privacy addresses cause more heartburn than they cure. How do I track someone who has a rotating address? Am I scraping the neighbor table of my network equipment often enough to have reasonable accountability? Probably, but what if I’m not? I could go on and on about how I think RFC4941 addresses aren’t that useful, but instead I’ll just write down how to disable them (I’ve always been known as more of a machete than a scalpel anyway =).

With MacOS 10.7 (Lion) it’s now on by default. To disable it, you need to open a terminal and type:

sudo sysctl -w net.inet6.ip6.use_tempaddr=0

Poof! There you go. You should be using DHCPv6 anyway =) *cue vendors getting off their rear ends and implementing dhcpv6 relay*

—edit—
A good point made by Charley Kline, to make this persist across reboots a line needs to be added to your /etc/sysctl.conf.

To accomplish this, edit /etc/sysctl.conf

sudo vi /etc/sysctl.conf

Add the following line:

net.inet6.ip6.use_tempaddr=0





–edit–




For all you windows users:


XP:


netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set privacy state=disabled


Vista:


netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy disabled


I assume Windows 7 is similar to Vista, but I have not tested.




[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

 





Recommended for You










3 thoughts on “MacOS 10.7 and IPv6 privacy addressing


    

  1. 

    


    
Charley
 · Edit 
    

    

    I think the real security issue with EUI-64 address assignment is that your IPv6 address contains your same MAC address, wherever you go. So your movements are trackable between home, work, and coffee shop networks. It has less to do with what the L2 address actually is.
    



    

    

    2. 

  2. 

    


    
Charley
 · Edit 
    

    

    Also, you missed a part of the command to turn it off; it’s:
    

    sudo sysctl -w net.inet6.ip6.use_tempaddr=1
    

    To make it permanent across reboots requires editing /etc/sysctl.conf.
    



    

    

    3. 

  3. 

    


    
Nick Buraglio
 · Edit 
    

    

    I don’t buy the tracking of the mac address. I guess it’s feasible, but spoofing a mac is so easy nowadays, I just don’t see the point. There are so many ways to track a user via http logs, logged access to shared resources, etc. that I just don’t buy that it’s any easier than any other mechanism. 
    

    sudo sysctl -w net.inet6.ip6.use_tempaddr=1 wil enable the tempaddr, 
    sudo sysctl -w net.inet6.ip6.use_tempaddr=0 disables it, if I recall correctly. Good point about the /etc/sysctl.conf. I’ll add that in.
    



    

    

    4. 



Comments are closed.