
I configured my Hurricane Electric IPv6 tunnel, and all is working well with my router, router advertisements, auto configured addresses, etc.

I want a static source address on IPv6 traffic to make for sane firewall rules. I have used this PowerShell cmdlet to disable temporary addresses, which seems to have worked.

https://learn.microsoft.com/en-us/powershell/module/nettcpip/set-netipv6protocol?view=windowsserver2022-ps

Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

However, I still have my default slaac assigned address in addition to my statically configured address, and Windows uses that as the source address on outgoing requests.

Are auto configured (not temporary) IPv6 addresses obtained from the router advertisement static/stable?

What is current best practice for "static" IPv6 in modern Windows to ensure my source address is consistent?

There are various netsh options available, but those seem to be out of favour, with the PowerShell scripts preferred, but I don't see the operation I want.

This doesn't solve my issue, as I've already disabled temporary addresses: Why does my Windows have hundreds of temporary IPv6 addresses?

Brian
    Why not implement firewall rules based on the client fqdn? – M. Behrens Jan 19 '23 at 20:34
  • @M.Behrens well, it's the source IPv6 address that matters, which is the IP that will show up in the log. I originally set my fqdn to my manual IP address, but that was just the prefix, a bunch of zeros, and the last IPv4 octet at the end. But by default, Windows (and Linux I think) uses the autoconf address for the source address, which is what the firewall will see. Since it seems the slaac derived address is static (and my prefix is static) then my address shouldn't change, and I just used that IP for PTR records. – Brian Jan 19 '23 at 21:05

1 Answer


The interface ID for SLAAC configuration is usually static. (That's the whole reason for the existence of the additional "temporary" addresses.) It is not obtained via SLAAC – only the prefix is obtained via SLAAC, while the suffix is selected by the host.

In older Windows versions, the interface ID was always based on the interface's MAC address; in newer versions the default is to choose the IID according to a hash of some local secret plus the advertised network prefix (so it stays static without revealing the MAC address, but changes if the host moves to a different /64).

u1686_grawity
  • Thanks! Yes, actually I learned some of that after I posted. I have left "randomized" ID enabled, as you described. And you're right, I'm still working on my terminology for IPv6... not really "obtained" from slaac... derived from slaac I guess is better? My prefix is static so no worries there from a static standpoint. I guess the idea of truly static/user defined addresses has fallen out of favour in IPv6? – Brian Jan 19 '23 at 21:02
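As an added example (not part of the question or the answer above), a PowerShell check that shows the IID settings the answer refers to, lists each IPv6 address on the interface with where its prefix and suffix came from, and asks the stack which source address it would pick for an off-link destination. The interface alias and the probe destination are assumptions; adjust them to your setup.

```powershell
# Added diagnostic, not from the question or answer. Shows which IPv6 address
# Windows will use as the source and why. $Interface and $Probe are assumptions.
$Interface = 'Ethernet'      # assumption: alias of the LAN interface getting the RA
$Probe     = '2001:db8::1'   # assumption: any off-link IPv6 destination (documentation prefix)

# 1. Global knobs that decide how the interface ID (IID) is built:
#    RandomizeIdentifiers = hashed stable IID instead of MAC-derived,
#    UseTemporaryAddresses = the short-lived privacy addresses the OP disabled.
Get-NetIPv6Protocol |
    Select-Object RandomizeIdentifiers, UseTemporaryAddresses

# 2. Every non-link-local IPv6 address on the interface, with its origins.
#    PrefixOrigin 'RouterAdvertisement' = prefix learned via SLAAC.
#    SuffixOrigin 'Random' = host-generated stable IID, 'Link' = MAC-based,
#    'Manual' = configured by hand. Only 'Preferred' addresses are source candidates.
Get-NetIPAddress -InterfaceAlias $Interface -AddressFamily IPv6 |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
    Select-Object IPAddress, PrefixOrigin, SuffixOrigin, AddressState, SkipAsSource |
    Format-Table -AutoSize

# 3. Ask the stack directly: Find-NetRoute returns the chosen source address
#    object and the matching route. Keep only the address part.
$choice = Find-NetRoute -RemoteIPAddress $Probe
$choice | Where-Object { $_.IPAddress } |
    Select-Object -ExpandProperty IPAddress

# 4. (Optional) If the SLAAC-derived address is still selected over the manual
#    one, marking it SkipAsSource keeps it reachable but removes it from
#    source selection. <SLAAC-ADDRESS> is a placeholder for the address from step 2.
# Set-NetIPAddress -IPAddress '<SLAAC-ADDRESS>' -InterfaceAlias $Interface -SkipAsSource $true
```

Run step 3 again after step 4 to confirm the manually configured address is now the one reported.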