snacker
Dec 13, 2025 Tutor
Prevent IPv6 Tracking (RFC 4941/8981)
Do any of the NetGear WiFi Routers implement RFC 4941 or RFC 8981 to prevent IPv6 tracking of internal devices? Or are there any Netgear WiFi Routers that allow you to disable IPv6 altogether? ...
StephenB
Dec 14, 2025 Guru - Experienced User
CrimpOn wrote: My Windows PC, for example, shows a bunch of "Temporary" IPv6 addresses
Those are likely link-local addresses (private addresses, so not internet routable).
The gist of the RFC is that a persistent and globally unique ipv6 address creates inherent privacy issues, because the ipv6 address is sent unencrypted in every packet sent to or from the device. That reveals a lot of information about the user of that device.
Honestly this issue is also there in ipv4, just not as fine-grained. Although the client IP is masked by NAT, the WAN address of the router can be used similarly to reveal information about the people using that router. And most ISPs don't change ipv4 address assignments very often.
Anyway, the RFC outlines several ways the interface ID portion of the ipv6 address can be randomized to make such tracking more difficult. The manual you referenced says that by default the router generates the IID from the mac address (page 46) - so it does not use the privacy extensions in the RFC.
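The following is an added example, not part of the original post or of any Netgear code. It assumes "generates the IID from the MAC address" means the standard modified EUI-64 construction (RFC 4291, Appendix A), and shows how to audit a list of a host's own addresses for IIDs that embed the MAC and therefore stay the same across networks. The MAC and the `2001:db8::/32` documentation addresses are constructed sample data; the function names are hypothetical.

```python
import ipaddress

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 4291 App. A) for a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def mac_from_address(addr: str):
    """Return the MAC embedded in an EUI-64 style address, else None.

    Heuristic: a random IID matches the ff:fe marker with probability 2**-16.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # randomized (RFC 8981), stable-opaque, or manual IID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def audit(addresses):
    """Map each recovered MAC to the routable addresses that expose it."""
    exposed = {}
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        if ip.is_link_local:
            continue  # fe80::/10 never leaves the local link
        mac = mac_from_address(a)
        if mac:
            exposed.setdefault(mac, []).append(str(ip))
    return exposed

# Constructed sample: one device seen on two networks, plus a temporary address.
SAMPLE = [
    "fe80::211:22ff:fe33:4455",            # link-local, ignored
    "2001:db8:1:1:211:22ff:fe33:4455",     # network A, EUI-64 IID
    "2001:db8:beef:7:211:22ff:fe33:4455",  # network B, same IID
    "2001:db8:1:1:5c3a:91e4:7b02:d9aa",    # randomized IID, no MAC inside
]

if __name__ == "__main__":
    for mac, addrs in audit(SAMPLE).items():
        print(f"{mac} is exposed by {len(addrs)} address(es): {addrs}")
```

A MAC that appears under more than one prefix is the persistent identifier the RFC is meant to remove; addresses that return `None` carry no recoverable MAC.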
coolwifi
Dec 17, 2025 Luminary
A custom ipv6 IID for the router LAN interface could be set, but it's not the default option. Shouldn't the client devices enforce RFC privacy extensions with stateless auto configuration?
- StephenB Dec 17, 2025 Guru - Experienced User
coolwifi wrote:
Shouldn't the client devices enforce RFC privacy extensions with stateless auto configuration?
Yes. With SLAAC, clients self-assign ipv6 addresses, the router is not involved. Windows, macOS, Android, and iOS stacks implement the RFC 8981 privacy extensions. I believe most Linux distros disable the extensions by default. So setting auto config should result in getting the privacy extensions (along with enabling the feature on any Linux systems).
With DHCPv6, clients can request temporary addresses from the server, but the server is not required to have that feature (see RFC 8415 section 13.2). I don't know if Netgear's DHCPv6 server can provide temporary addresses or not (and if it does, I don't know the lifetime of those addresses).
StephenB wrote:
Those are likely link-local addresses (private addresses, so not internet routable).
Just to follow up on this. CrimpOn was seeing both link-local and temporary addresses, and I think is using auto config.
- coolwifi Dec 17, 2025 Luminary
Default LAN ipv6 LAN address assignment is auto config in the router and Android doesn't support DHCPv6!
Windows generates its own temporary ipv6 addresses in SLAAC mode. With DHCPv6 enabled in router, it gets the ip address from the router.
- StephenB Dec 17, 2025 Guru - Experienced User
coolwifi wrote:
Windows generates its own temporary ipv6 addresses in SLAAC mode.
Which is what I said above, right? Clients self-assign their ipv6 addresses (both main and temporary).
coolwifi wrote:
With DHCPv6 enabled in router, it gets the ip address from the router.
Of course. What router are you using? Are you seeing temporary addresses on the PC when you are using DHCPv6?
As I mentioned, the DHCPv6 RFC includes generation and distribution of temporary addresses, but only as an optional facility.
coolwifi wrote:
Android doesn't support DHCPv6!
Good to know. I use iOS myself.
- coolwifi Dec 17, 2025 Luminary
If Windows Firewall is set to allow inbound traffic in ipv6, the temporary ipv6 addresses are internet routable. I had tested that.