IPV6 with Windows 10 DNS and Link-Local Address used for Global Address
-
Since the most recent Windows 10 update, I have noted that my pfSense box appears to be providing the IPV6 Server DNS address twice for Windows 10. My assumption is that this is due to the Router Mode being set to "Assisted" under DHCPV6 Router Advertisements. While this is likely due to a change with Windows 10, I was wondering which mode would apply the pfSense box IPV6 address only once, rather than twice in ipconfig under Windows 10.
On another IPV6 address issue, for some reason under Windows 10 the link-local address is being appended to a preferred global IPV6 address, which seems to obviate privacy by linking the address to a constant address. Has anyone seen this behavior?
Thanks
-
@PabloAbonia said in IPV6 with Windows 10 DNS and Link-Local Address used for Global Address:
On another IPV6 address issue, for some reason under Windows 10 the link-local address is being appended to a preferred global IPV6 address, which seems to obviate privacy by linking the address to a constant address. Has anyone seen this behavior?
Appended??? As in a total of 256 bits??? With IPv6, the link local address is often used for routing. Perhaps you could better explain what you mean by "appended".
-
Link Local (LL):
fe80::abcd:abcd:abcd:abcd
Global Prefix (GP):
XXXX:XXXX:XXXX:XXXX::
Identifiable Preferred Windows 10 address: GP appended to LL
XXXX:XXXX:XXXX:XXXX:abcd:abcd:abcd:abcd
That should be sufficient for understanding.
Pablo
-
I see you need to learn a few things about IPv6 addressing. First off, :: is simply a string of zeros, long enough to fit the space between the specified bits at the ends. Also, addresses are often specified with a prefix for the first 64 bits and the 48 bit MAC address expanded to 64 bits for the last 64. In this case, your MAC will be reflected in the global address, as well as link local. However, there are also privacy addresses that use a frequently changing random number for the last 64 bits. It is also common to use a consistent random number, in place of the MAC based address. Normally, the MAC or consistent random addresses are used for incoming connections and the privacy addresses for outgoing. This hides your MAC based address from normal use, unless you specifically make it available for a server, etc.
-
@JKnott What you said is not correct. It's more complicated than that. Windows can either use a random number to create the link-local address or EUI-64, which is derived from the MAC. By default, it uses a random number. Here is a link about this: https://sid-500.com/2018/02/07/ipv6-how-windows-generates-link-local-addresses-eui-64/
Here is the output from ipconfig /all from one of my Windows 10 computers. My pfSense is set to assisted.
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-15-5D-5C-E2-0F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
#1 IPv6 Address. . . . . . . . . . . : 2001:569:ABCD:6900::2000(Preferred)
Lease Obtained. . . . . . . . . . : Saturday, March 30, 2019 4:34:32 PM
Lease Expires . . . . . . . . . . : Sunday, March 31, 2019 10:17:49 AM
#2 IPv6 Address. . . . . . . . . . . : 2001:569:ABCD:6900:8cc7:33cc:dcfd:9a39(Preferred)
#3 Temporary IPv6 Address. . . . . . : 2001:569:ABCD:6900:c7b:aad2:1598:8b59(Preferred)
#4 Link-local IPv6 Address . . . . . : fe80::8cc7:33cc:dcfd:9a39%7(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.103(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, March 30, 2019 4:34:32 PM
Lease Expires . . . . . . . . . . : Sunday, March 31, 2019 10:23:31 AM
Default Gateway . . . . . . . . . : fe80::1:1%7
192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 50337117
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-2E-DC-B6-00-15-5D-5C-E2-0F
DNS Servers . . . . . . . . . . . : 2001:569:ABCD:6900:215:5dff:fe5c:e22d
192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
localdomain
#1 is DHCP
#2 and #4 have the same 64 bit random extension
#3 is the privacy address, which is totally different.
You can see that my computer is set to the default, which uses a randomized number, not EUI-64.
-
@bimmerdriver said in IPV6 with Windows 10 DNS and Link-Local Address used for Global Address:
@JKnott What you said is not correct. It's more complicated than that. Windows can either use a random number to create the link-local address or EUI-64, which is derived from the MAC. By default, it uses a random number. Here is a link about this: https://sid-500.com/2018/02/07/ipv6-how-windows-generates-link-local-addresses-eui-64/
I believe that's what I said with "It is also common to use a consistent random number, in place of the MAC based address." I said "consistent" to contrast with "frequently changing", where I was discussing privacy addresses. The consistent random numbers are used in place of MAC based. Regardless, you use the consistent address, whether MAC or random based, for incoming connections to servers, etc. and the privacy addresses for outgoing. It is possible to configure the OS to use either method of consistent address and also whether to use privacy addresses.
-
@JKnott said in IPV6 with Windows 10 DNS and Link-Local Address used for Global Address:
@bimmerdriver said in IPV6 with Windows 10 DNS and Link-Local Address used for Global Address:
@JKnott What you said is not correct. It's more complicated than that. Windows can either use a random number to create the link-local address or EUI-64, which is derived from the MAC. By default, it uses a random number. Here is a link about this: https://sid-500.com/2018/02/07/ipv6-how-windows-generates-link-local-addresses-eui-64/
I believe that's what I said with "It is also common to use a consistent random number, in place of the MAC based address." I said "consistent" to contrast with "frequently changing", where I was discussing privacy addresses. The consistent random numbers are used in place of MAC based. Regardless, you use the consistent address, whether MAC or random based, for incoming connections to servers, etc. and the privacy addresses for outgoing. It is possible to configure the OS to use either method of consistent address and also whether to use privacy addresses.
Okay, I misread your post.
-
@JKnott
Address #2 is the preferred address which is not assigned from pfSense via DHCPv6, and is generated by Windows 10. It is derived from the prefix, and the fe80 address in address found under #4. It is indeed not an EUI64 address (lacks the FF:FE address and MAC information).
I've never seen address #2 used in an outgoing connection, but I don't know what this globally identifiable address is being used for.
#1 IPv6 Address. . . . . . . . . . . : 2001:569:ABCD:6900::2000(Preferred)
Lease Obtained. . . . . . . . . . : Saturday, March 30, 2019 4:34:32 PM
Lease Expires . . . . . . . . . . : Sunday, March 31, 2019 10:17:49 AM
#2 IPv6 Address. . . . . . . . . . . : 2001:569:ABCD:6900:8cc7:33cc:dcfd:9a39(Preferred)
#3 Temporary IPv6 Address. . . . . . : 2001:569:ABCD:6900:c7b:aad2:1598:8b59(Preferred)
#4 Link-local IPv6 Address . . . . . : fe80::8cc7:33cc:dcfd:9a39%7(Preferred)
Pablo
-
@PabloAbonia said in IPV6 with Windows 10 DNS and Link-Local Address used for Global Address:
8cc7:33cc:dcfd:9a39
Unless you disable privacy, #3 will be used. Windows 10 has been working as above for as long as I can remember.
-
@PabloAbonia said in IPV6 with Windows 10 DNS and Link-Local Address used for Global Address:
Address #2 is the preferred address which is not assigned from pfSense via DHCPv6, and is generated by Windows 10. It is derived from the prefix, and the fe80 address in address found under #4
This is entirely normal. With IPv6, you have a 64 bit prefix and 64 bit suffix. With the consistent address (MAC or random) it will have exactly the same suffix as the link local. You will see this even more, if you also use Unique Local Addresses. Then you will see the same suffix for link local, Unique Local Addresses and Global Unique addresses. With the privacy addresses, you will also have GUA and ULA with matching suffixes. Entirely normal.
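
Added example, not part of any post in this thread: a Python sketch that takes the addresses from the ipconfig output quoted above, isolates each 64-bit interface identifier (IID), groups addresses that share one, and checks for the ff:fe marker of a MAC-derived (modified EUI-64) identifier. The function names are illustrative; the addresses are copied from the thread.

```python
import ipaddress
from collections import defaultdict

MASK64 = (1 << 64) - 1

def parse(addr):
    """Parse an address as printed by ipconfig, dropping the zone index (%7)."""
    return ipaddress.IPv6Address(addr.split("%")[0])

def iid(addr):
    """Low 64 bits of the address: the interface identifier."""
    return int(parse(addr)) & MASK64

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 IID, or None if not EUI-64."""
    b = iid(addr).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":                    # EUI-64 inserts ff:fe mid-MAC
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]  # undo the universal/local bit flip
    return "-".join(f"{x:02X}" for x in mac)

def shared_iid_groups(addresses):
    """Groups of addresses linkable to each other because they share an IID."""
    groups = defaultdict(list)
    for a in addresses:
        groups[iid(a)].append(a)
    return [g for g in groups.values() if len(g) > 1]

def report(addresses):
    """Map each address to a label describing where its IID comes from."""
    ll_iids = {iid(a) for a in addresses if parse(a).is_link_local}
    labels = {}
    for a in addresses:
        if parse(a).is_link_local:
            labels[a] = "link-local"
        elif eui64_mac(a):
            labels[a] = "global, EUI-64 (MAC-derived)"
        elif iid(a) in ll_iids:
            labels[a] = "global, stable IID shared with link-local"
        else:
            labels[a] = "global, independent IID (DHCPv6 lease or temporary)"
    return labels

# Addresses #1-#4 and the DNS server entry, copied from the ipconfig output above.
HOST_ADDRS = ["2001:569:ABCD:6900::2000", "2001:569:ABCD:6900:8cc7:33cc:dcfd:9a39",
              "2001:569:ABCD:6900:c7b:aad2:1598:8b59", "fe80::8cc7:33cc:dcfd:9a39%7"]
DNS_SERVER = "2001:569:ABCD:6900:215:5dff:fe5c:e22d"

if __name__ == "__main__":
    for addr, label in report(HOST_ADDRS).items():
        print(f"{addr:45} {label}")
    print("linkable:", shared_iid_groups(HOST_ADDRS))
    print("DNS server IID embeds MAC:", eui64_mac(DNS_SERVER))
```

On the posted data, #2 and #4 form the only shared-IID group, none of the host's addresses is EUI-64, and the DNS server address is the one that carries a MAC-derived identifier.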