NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Prevent IPv6 Tracking (RFC 4941/ 8981)
Do any of the NetGear WiFi Routers implement RFC 4941 or RFC 8981 to prevent IPv6 tracking of internal devices? Or are there any Netgear WiFi Routers that allow you to disable IPv6 altogether?
IPv6 assigns globally unique IPV6 addresses which allow external tracking of activity done by internal devices. I was looking at RS500/RS700S/RS300 and I don't see this option on any of them.
How is Netger protecting the privacy and security of their customers without giving a way to prevent IPv6 tracking?
16 Replies
Danke für die detaillierte Frage. Ich kann zwar nicht für Netgear sprechen, aber generell gilt: IPv6 Privacy Extensions (RFC 4941/8981) werden bei einigen Routern standardmäßig unterstützt, bei anderen muss man sie aktivieren oder konfigurieren. Viele Router erlauben außerdem, IPv6 komplett zu deaktivieren, wobei das je nach Modell unterschiedlich umgesetzt wird.
Grundsätzlich ist es sinnvoll, sowohl auf Betriebssystem- als auch auf Router-Ebene die IPv6-Einstellungen zu prüfen, wenn Datenschutz ein wichtiges Thema ist.
The web interface (not the app) has the setting to disable IPv6. On the new router it was turned off by default. It would be nice if more manufacturers would enable the privacy extensions, but this is sufficient for my needs right now.
The web interface (not the app) has the setting to disable IPv6. On the new router it was turned off by default. It would be nice if more manufacturers would enable the privacy extensions, but this is sufficient for my needs right now.
To be very clear, tracking is possible with IPv4 also. NAT will limit that to the router WAN IP, but that doesn't accomplish much in a home router.
I suggest turning on IPv6 with autoconfig and then see if you have temporary ipv6 addresses on the PC. If you do, then you have the privacy extensions.
Enabling/disabling IPv6 is often found in the web management interface (not the 'app') on an Advanced menu.
This RFC8981 topic is WAY above my comfort level. Not clear (to me) whether the router or the individual device is responsible for it. My Windows PC, for example, shows a bunch of "Temporary" IPv6 addresses which seem to relate to RFC8981.
My Windows PC, for example, shows a bunch of "Temporary" IPv6 addresses
Those are likely link-local addresses (private addresses, so not internet routable).
The gist of the RFC is that a persistant and globally unique ipv6 address creates inherent privacy issues, because the ipv6 address is sent unencrypted in every packet sent to or from the device. That reveals a lot of information about the user of that device.
Honestly this issue is also there in ipv4, just not as fine-grained. Although the client IP is masked by NAT, the WAN address of the router can be used similarly to reveal information about the people using that router. And most ISPs don't change ipv4 address assignments very often.
Anyway, the RFC outlines several ways the interface ID portion of the ipv6 address can be randomized to make such tracking more difficult. The manual you referenced says that by default the router generates the IID from the mac address (page 46) - so it does not use the privacy extensions in the RFC.
A custom ipv6 IID for the router LAN interface could be set, but it's not the default option. Shouldn't the client devices enforce RFC privacy extensions with stateless auto configuration?
Thanks for the reply! I didn't see it in the manual, so I thought it might not have the option.
Every Netgear router I have seen has IPv6 as optional. Turn it on (or off). User choice
The user manual for the RS500 (page 36) has a description of packet inspection done when IPv6 is enabled.
The user manual for the RS500 (page 36) has a description of packet inspection done when IPv6 is enabled.
True, but this does NOT address the concerns raised in RFC8981, which are focused on tracking, not on blocking inbound connections.
