IPv6 Privacy Extensions

Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address using the MAC address. Many see this as a privacy problem. The last half of your IP address will never change, and with MAC addresses being somewhat unique, the interface ID becomes close to a unique “cookie” identifying your system.

As a result, RFC3041 introduces “privacy enhanced” addresses which will change and are created by hashing the MAC address. Of course, each operating system has its own way to enable privacy enhanced addresses.

Windows 7

You can use “netsh” to enable and configure privacy enhanced addresses. Use

1	netsh interface ipv6 show privacy

to query the status, and

1	netsh interface ipv6 set privacy state=enabled

to enable it. In my testing, privacy enhanced addresses were enabled and I wasn’t actually able to disable them (a possible bug?).


OS X uses the sysctl command to change various kernel parameters, including privacy enhanced addresses. By default, EUI-64 is used.

To enable, run

1	sudo sysctl -w net.inet6.ip6.use_tempaddr=1

and cycle the interfaces (ifconfig en0 down; ifconfig en0 up). However, to have this setting survive a reboot, create a file called /etc/sysctl.conf and add the line:

1	net.inet6.ip6.use_tempaddr=1


as root, similar to OS X, update the respective /proc entries

1	echo 1 > /proc/sys/net/ipv6/conf/all/use_tempaddr
2	echo 1 > /proc/sys/net/ipv6/conf/default/use_tempaddr
3	echo 1 > /proc/sys/net/ipv6/conf/eth0/use_tempaddr

Linux uses an /etc/sysctl.conf file, just like OS X, to make these changes persistent during reboots.

Anything with the word privacy tends to sound good. There is a catch to this however. Many vendors network equipment doesn’t have sufficient memory to hold all the IP addresses in the smallest IPv6 allocation (a /64). Because of this, an attacker can use use this to run the device(s) out of memory. Depending on the vendor, this has different consequences ranging from simply flushing all IPs from the device and re-learning all the clients, all the way to crashing. Clearly, vendors aren’t yet ready for IPv6 to be deployed in production. Be careful.