====== Disable IPv6 Temporary Addresses ======
I've recently started playing around with IPv6 even though my ISP doesn't provide native IPv6 support. I ended up using a tunnel broker, Hurricane Electric, to provide a public routable IPv6 network. Setting that up is in another document along with configuring router advertisement. FIXME
However, on my Windows servers and workstations, I have noticed that each of my LAN interfaces has 2 or more IPv6 addresses:
<code>
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . :
   IPv6 Address. . . . . . . . . . . : 2001:470:fe34::2
   IPv6 Address. . . . . . . . . . . : 2001:470:fe34:0:7d9e:e8eb:a4d7:a943
   Temporary IPv6 Address. . . . . . : 2001:470:fe34:0:4df6:7618:db3c:fcb6
   Link-local IPv6 Address . . . . . : fe80::7d9e:e8fb:a4b6:a943%11
   IPv4 Address. . . . . . . . . . . : 192.168.111.151
   Subnet Mask . . . . . . . . . . . : 255.255.255.128
   Default Gateway . . . . . . . . . : 2001:470:fe34::1
                                       fe80::21b1:d8ff:fe7b:b9ac%11
                                       192.168.111.129
</code>
I did some [[http://technet.microsoft.com/en-us/library/cc736439(WS.10).aspx|research]] and it turns out to be a "[[https://isc.sans.edu/diary.html?storyid=10966|security feature]]" related to "Temporary Address Interface Identifiers".
Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address using the MAC address. Many see this as a privacy problem. The last half of your IP address will never change, and with MAC addresses being somewhat unique, the interface ID becomes close to a unique “cookie” identifying your system.
As a result, RFC3041 introduces “privacy enhanced” addresses which will change and are created by hashing the MAC address.
This means that after every reboot of the computer, the IPv6 address that is presented to the network changes. This makes things like DNS and firewall rules a problem to manage in a corporate environment. You can disable this behavior and just use the interface-based EUI-64 address by running the following commands in an elevated command prompt:
<code>
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
</code>
Restart your machine. After the reboot, the machine will have a stable IPv6 address based on the MAC address of the interface that you can use in DNS and firewall rules. This address will remain consistent across machine reboots.
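To know in advance which address to put into DNS and firewall rules, the EUI-64 address can be computed from the interface's MAC address and the /64 prefix. The following is an added example, not part of the original page: the function names are my own, the MAC address is a constructed placeholder, and the prefix and sample addresses are taken from the ipconfig output above.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the vendor half and the device half of the MAC.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stable address a host forms from an advertised /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def looks_eui64(addr: str) -> bool:
    """True if the interface identifier carries the ff:fe marker in its middle."""
    packed = ipaddress.IPv6Address(addr.split("%")[0]).packed  # drop zone id
    return packed[11:13] == b"\xff\xfe"


def has_expected_address(prefix: str, mac: str, addrs: list[str]) -> bool:
    """Post-reboot check: is the computed EUI-64 address among the interface's addresses?"""
    want = eui64_address(prefix, mac)
    return any(ipaddress.IPv6Address(a.split("%")[0]) == want for a in addrs)


if __name__ == "__main__":
    PREFIX = "2001:470:fe34::/64"      # prefix seen in the ipconfig output
    MAC = "00-11-22-33-44-55"          # constructed placeholder MAC
    print("expected stable address:", eui64_address(PREFIX, MAC))

    # Addresses copied from the ipconfig output, taken before the change.
    before = [
        "2001:470:fe34:0:7d9e:e8eb:a4d7:a943",
        "2001:470:fe34:0:4df6:7618:db3c:fcb6",
        "fe80::7d9e:e8fb:a4b6:a943%11",
        "fe80::21b1:d8ff:fe7b:b9ac%11",   # the default gateway's link-local
    ]
    for a in before:
        print(f"{a:42} EUI-64 form: {looks_eui64(a)}")
```

Of the addresses in the output above, only the gateway's link-local address has the EUI-64 form; the host's own addresses were still randomized when that output was captured.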