
Disable IPv6 Temporary Addresses

I've recently started playing around with IPv6 even though my ISP doesn't provide native IPv6 support. I ended up using a tunnel broker, Hurricane Electric, to provide a publicly routable IPv6 network. Setting that up is in another document along with configuring router advertisement.

However, on my Windows servers and workstations, I have noticed that each of my LAN interfaces has 2 or more IPv6 addresses:

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:470:fe34::2
   IPv6 Address. . . . . . . . . . . : 2001:470:fe34:0:7d9e:e8eb:a4d7:a943
   Temporary IPv6 Address. . . . . . : 2001:470:fe34:0:4df6:7618:db3c:fcb6
   Link-local IPv6 Address . . . . . : fe80::7d9e:e8fb:a4b6:a943%11
   IPv4 Address. . . . . . . . . . . : 192.168.111.151
   Subnet Mask . . . . . . . . . . . : 255.255.255.128
   Default Gateway . . . . . . . . . : 2001:470:fe34::1
                                       fe80::21b1:d8ff:fe7b:b9ac%11
                                       192.168.111.129

I did some research and it turns out to be a “security feature” related to “Temporary Address Interface Identifiers”.

Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address using the MAC address. Many see this as a privacy problem. The last half of your IP address will never change, and with MAC addresses being somewhat unique, the interface ID becomes close to a unique “cookie” identifying your system.

As a result, RFC 3041 introduces “privacy enhanced” addresses, which will change and are created by hashing the MAC address.

This means that after every reboot of the computer, the IPv6 address that is presented to the network changes. This makes things like DNS and firewall rules a problem to manage in a corporate environment. You can disable this behavior and just use the interface-based EUI-64 address by running the following commands in an elevated command prompt:

netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

Restart your machine. After the reboot, the machine will have a stable IPv6 address based on the MAC address of the interface that you can use in DNS and firewall rules. This address will remain consistent across machine reboots.

Copyright © 2019 by Julian Easterling. SOME RIGHTS RESERVED.
Except where otherwise noted, content on this site is
licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.