NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Prevent IPv6 Tracking (RFC 4941/ 8981)
Do any of the NetGear WiFi Routers implement RFC 4941 or RFC 8981 to prevent IPv6 tracking of internal devices? Or are there any Netgear WiFi Routers that allow you to disable IPv6 altogether? ...
Enabling/disabling IPv6 is often found in the web management interface (not the 'app') on an Advanced menu.
This RFC8981 topic is WAY above my comfort level. Not clear (to me) whether the router or the individual device is responsible for it. My Windows PC, for example, shows a bunch of "Temporary" IPv6 addresses which seem to relate to RFC8981.
My Windows PC, for example, shows a bunch of "Temporary" IPv6 addresses
Those are likely link-local addresses (private addresses, so not internet routable).
The gist of the RFC is that a persistant and globally unique ipv6 address creates inherent privacy issues, because the ipv6 address is sent unencrypted in every packet sent to or from the device. That reveals a lot of information about the user of that device.
Honestly this issue is also there in ipv4, just not as fine-grained. Although the client IP is masked by NAT, the WAN address of the router can be used similarly to reveal information about the people using that router. And most ISPs don't change ipv4 address assignments very often.
Anyway, the RFC outlines several ways the interface ID portion of the ipv6 address can be randomized to make such tracking more difficult. The manual you referenced says that by default the router generates the IID from the mac address (page 46) - so it does not use the privacy extensions in the RFC.
A custom ipv6 IID for the router LAN interface could be set, but it's not the default option. Shouldn't the client devices enforce RFC privacy extensions with stateless auto configuration?
Shouldn't the client devices enforce RFC privacy extensions with stateless auto configuration?
Yes. With SLAAC, clients self-assign ipv6 addresses, the router is not involved. Windows, MacOS, Android, and iOS stacks implement the RFC 8981 privacy extensions. I believe most Linux distros disables the extensions by default. So setting auto config should result in getting the privacy extensions (along with enabling the feature on any linux systems).
With DHCPv6, clients can request temporary addresses from the server, but the server is not required to have that feature (see RFC 8415 section 13.2). I don't know if Netgear's DHCPv6 server can provide temporary addresses or not (and if it does, I don't know the lifetime of those addresses).
Those are likely link-local addresses (private addresses, so not internet routable).
Just to follow up on this. CrimpOn​ was seeing both link-local and temporary addresses, and I think is using auto config.
Default LAN ipv6 LAN address assignment is auto config in the router and Android doesn't support DHCPv6!
Windows generates it's own temporary ipv6 addresses in SLACC mode. With DHCPv6 enabled in router, it gets the ip address from the router.