IPv6 stateless address configuration in Windows 7 uses randomization by default

Stateless autoconfiguration of IPv6 addresses in Windows 7 (and also Windows Vista) uses randomization by default. This goes against section 4 of RFC 2464, which mandates that the interface identifier part of the IPv6 address be derived from the 48-bit MAC address for Ethernet (and wireless) interfaces:

4. Stateless Autoconfiguration

The Interface Identifier [AARCH] for an Ethernet interface is based on the EUI-64 identifier [EUI64] derived from the interface’s built-in 48-bit IEEE 802 address. The EUI-64 is formed as follows. (Canonical bit order is assumed throughout.)

The OUI of the Ethernet address (the first three octets) becomes the company_id of the EUI-64 (the first three octets). The fourth and fifth octets of the EUI are set to the fixed value FFFE hexadecimal. The last three octets of the Ethernet address become the last three octets of the EUI-64.

The Interface Identifier is then formed from the EUI-64 by complementing the “Universal/Local” (U/L) bit, which is the next-to-lowest order bit of the first octet of the EUI-64. Complementing this bit will generally change a 0 value to a 1, since an interface’s built-in address is expected to be from a universally administered address space and hence have a globally unique value. A universally administered IEEE 802 address or an EUI-64 is signified by a 0 in the U/L bit position, while a globally unique IPv6 Interface Identifier is signified by a 1 in the corresponding position. For further discussion on this point, see [AARCH].

For example, the Interface Identifier for an Ethernet interface whose built-in address is, in hexadecimal,

34-56-78-9A-BC-DE

would be

36-56-78-FF-FE-9A-BC-DE.

A different MAC address set manually or by software should not be used to derive the Interface Identifier. If such a MAC address must be used, its global uniqueness property should be reflected in the value of the U/L bit.

An IPv6 address prefix used for stateless autoconfiguration [ACONF] of an Ethernet interface must have a length of 64 bits.

The fact that Windows 7 doesn’t seem to adhere to this by default might create interoperability problems in networks where section 4 of RFC 2464 is assumed to hold. Linux, *BSD and Solaris adhere to RFC 2464 by default, and hence many administrators statically create DNS AAAA RRs for such hosts. However, randomization in Windows makes this infeasible.
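The derivation quoted above, as an added example (not code from the original post): it builds the RFC 2464 Interface Identifier from a MAC address, forms the address an administrator would publish in an AAAA record, and checks whether an address observed on a host was derived that way. The prefix 2001:db8:0:1::/64, the sample randomized address and the function names are assumptions made for the illustration.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """8-byte Interface Identifier built from a 48-bit MAC (RFC 2464, section 4)."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # OUI, then the fixed value FFFE, then the last three octets of the MAC.
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    # Complement the Universal/Local bit: next-to-lowest order bit of octet 0.
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host adhering to RFC 2464 would configure on this prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration requires a 64-bit prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def classify(address: str, mac: str) -> str:
    """Compare the low 64 bits of an observed address with the MAC-derived value."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid == eui64_interface_id(mac):
        return "eui64-match"          # a static AAAA record would stay valid
    if iid[3:5] == b"\xff\xfe":
        # Heuristic only: a random identifier can contain FFFE by chance.
        return "eui64-other-mac"
    return "not-eui64"                # e.g. a randomized identifier

if __name__ == "__main__":
    mac = "34-56-78-9A-BC-DE"         # the MAC used in the RFC's own example
    prefix = "2001:db8:0:1::/64"      # constructed documentation prefix
    print(eui64_interface_id(mac).hex("-"))
    print(slaac_address(prefix, mac))
    # Constructed sample of an address with a non-MAC-derived identifier.
    print(classify("2001:db8:0:1:a1b2:c3d4:e5f6:718", mac))
```
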

A workaround consists of running the following command, with administrator privileges:

netsh interface ipv6 set global randomizeidentifiers=disabled

I’ve sent feedback to Microsoft asking if this is deliberate and why this decision was made in the first place. (Not sure if they will ever reply, though).

Do any of you have any insight on this?


8 thoughts on “IPv6 stateless address configuration in Windows 7 uses randomization by default”

  1. Hi, it works, but only to first reboot. After reboot randomizeidentifiers are enabled again. “set global store=persistent” doesn’t work. Has anybody some solution? Tnx

  2. You are really a good webmaster. The site loading speed is incredible. It seems that you’re doing any unique trick. Moreover, the contents are masterpiece. You have done a great job on this topic!

  3. It’s actually a nice and helpful piece of info. I am glad that you shared this useful info with us. Please keep us up to date like this. Thanks for sharing.

  4. This article is on 16 spot in Google’s search results, if you want more visitors, you should build more backlinks to your posts, there is one trick to get free, hidden backlinks from authority forums, search on YouTube; how to get hidden backlinks from forums
