Why does my Windows have hundreds of temporary IPv6 addresses?


My ISP enabled IPv6 for me a few weeks ago. Now I noticed that Windows (8.1) gets a lot of temporary IPv6 addresses. ipconfig has the following output (real addresses are obfuscated):

Windows IP Configuration

Ethernet adapter Ethernet:

    Connection-specific DNS Suffix  . : fritz.box
    IPv6 Address. . . . . . . . . . . : 2012:65:fd85:5712:e0ca:9e76:661f:c4f1
    Temporary IPv6 Address. . . . . . : 2012:65:fd85:5712:74:5cd9:163c:69ef
    Temporary IPv6 Address. . . . . . : 2012:65:fd85:5712:89:8f2:7643:e51e
    Temporary IPv6 Address. . . . . . : 2012:65:fd85:5712:e3:52fd:b15f:6d7d
    [...over 600 more entries...]
    Temporary IPv6 Address. . . . . . : 2012:65:fd85:5712:fda8:816e:6d3:7713
    Temporary IPv6 Address. . . . . . : 2012:65:fd85:5712:fdc9:7a6b:d2c5:e880
    Temporary IPv6 Address. . . . . . : 2012:65:fd85:5712:fdf4:11ed:9aba:9e27
    Link-local IPv6 Address . . . . . : fe80::e0ca:9e76:661f:c4f1%3
    IPv4 Address. . . . . . . . . . . : 192.168.178.22
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : fe80::a96:d7ff:fe1f:cb26%3
                                        192.168.178.1

I really have no idea where all these addresses are coming from. My Mac OS X on the same network has no problems with temporary IPv6 addresses. In addition to being a strange issue, I believe the amount of IPv6 addresses is slowing down my network performance on Windows.

Does anyone have an idea what is triggering this behaviour and how to prevent it? I wouldn't like to disable temporary IPv6 addresses completely if possible.

fschoenm

Posted 2014-01-19T15:10:44.967

Reputation: 291

Just while writing this question, my Windows got about 50 temporary IPv6 addresses more. – fschoenm – 2014-01-19T15:13:01.350

Do you have a program opening connections and keeping them open? That's the usual cause of this. Also, none of those addresses are actually valid; 2012::/8 has not yet been allocated. That could be a problem too. – Michael Hampton – 2014-01-19T15:32:00.500

@MichaelHampton: Sorry, I obfuscated the addresses somewhat. The addresses are valid, you have to believe me :) – fschoenm – 2014-01-19T15:38:00.610

@MichaelHampton: I will try to find if I have a program that's opening connections. But I wonder why it would require new connections if the previous ones are still left open. – fschoenm – 2014-01-19T15:40:29.617

(BTW, if you want to obfuscate your IPv6 addresses, always use 2001:db8::/32 (RFC 3849), which will make it clear that they are example addresses.) – Michael Hampton – 2014-01-19T15:43:47.350

The addresses themselves are partially randomly generated. Read the Randomly generated interface identifier section of: http://msdn.microsoft.com/en-us/library/aa915616.aspx – Brian – 2014-01-19T15:46:50.210

@Brian: I know that they are randomly generated. I want to know why I have >800 of them. – fschoenm – 2014-01-19T15:51:11.030

netstat -b -p TCPv6 says I have only about 15 open IPv6 TCP connections. – fschoenm – 2014-01-19T15:56:02.373

Answers


Does anyone have an idea what is triggering this behaviour and how to prevent it?

From the link Brian gave you, "Temporary addresses are generated for public address prefixes that use stateless address autoconfiguration."

More specifically, each process generates a resource request and the OS delivers. The IPv6 SAA is defined in RFC 2462, but the "Temporary IPv6 Address" is because of Windows implementation of RFC 4941. So the question becomes what process is responsible for initiating an OS request to open a socket that has these Privacy Extensions.

To answer your question what is triggering this, let's look at hardware and software.

OS

Windows manages temporary addresses with parameters defined in netsh interface ipv6 show privacy. To modify netsh interface ipv6 set privacy ?

To check what they are set to on a Linux machine, you would check the kernel variables in /proc/sys/net. You may find the pertinent values for your distro with sysctl -a --pattern ^net\..*ipv?6.*temp.* and alter the desired variable with sysctl -w foo.bar.var=<new value> (it should be similar on your Apple machine, check man sysctl)

Hardware/OS

You did netstat -p TCPv6, but it may not be a TCP connection.

Run netstat -bes twice, a few minutes apart, and see what the diff between the *v6 blocks is.

While I suppose it could be a hardware issue in that the NIC firmware is failing at handling ipv6, it is more likely to be software OS/process being the trigger. If it is hardware, the software side may not be handling the break in the session gracefully and is unable to resume the connection on the previous IP. So IDing it as a software issue doesn't necessarily preclude a hardware issue.

Software/OS system processes and services

For this, view network traffic with http://www.nirsoft.net/utils/network_traffic_view.html to identify the process.

Because these addresses, by definition, are temporary, they can remain temporarily after the process ends, so you may not be seeing a current, running process with an open connection in NTV if the socket closes immediately.

For this use Process Explorer (http://live.sysinternals.com/tools/procexp.exe) and difference highlighting (Options > Difference Highlighting Duration > 9) and then scroll to new processes (View > Scroll to new processes). An entire row green/red shows a process created or destroyed, respectively, in the last 9 seconds.

Once you identify the process, if it is a browser or any app with plugins, you will have to debug which plugin or website javascript could possibly be causing the issue by starting the browser in safe mode and enabling plugin by plugin.

adam

Posted 2014-01-19T15:10:44.967

Reputation: 549

Thanks, I'm going to try some of that stuff. However, after a reboot my Windows has no temporary IPv6 address at all anymore so I have to wait. This is really frustrating. – fschoenm – 2014-01-19T18:02:34.203

I think I found my problem: When trying to use NetworkTrafficView as you suggested, I noticed that my WinPcap installation was somehow corrupted. I couldn't use either Wireshark or NetworkTrafficView because they both hung when started. I reinstalled WinPcap and since then everything seems to work flawlessly! – fschoenm – 2014-01-19T20:18:58.113


Because IPv6 address identifiers remain static, for security reasons, temporary addresses are used. Temporary addresses are IPv6 interface identifiers that provide a level of anonymity. These addresses can be randomly generated and changed over time. The IPv6 protocol for Windows creates temporary addresses for global address prefixes by default.

I do not recommend disabling temporary IPv6 addresses. However, you can disable temporary IPv6 addresses with the following commands and a reboot:

netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set privacy state=disabled

In Windows 10 and Server 2016 you can use the PowerShell Set-NetIPv6Protocol cmdlet to set limits:

# The computer always generates temporary addresses by using random numbers. 
Set-NetIPv6Protocol -UseTemporaryAddresses Always

# The computer generates temporary addresses by using the interface identifier. 
# You typically use this identifier for test purposes. 
Set-NetIPv6Protocol -UseTemporaryAddresses Counter

# The computer does not use temporary addresses. 
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

# The computer uses temporary addresses.
Set-NetIPv6Protocol -UseTemporaryAddresses Enabled

To find what process is using the temporary address check the item with local address column matching your temporary address in netstat output:

netstat -p tcpv6 -o -f -b

If that fails to find anything, you need to use a tracing tool, such as Sysmon.

To perform this with Sysmon, create an XML file IPv6.xml with the following text:

<Sysmon schemaversion="3.2">
    <EventFiltering>
        <NetworkConnect onmatch="include">
            <SourceIsIpv6>true</SourceIsIpv6>
        </NetworkConnect>
    </EventFiltering>
</Sysmon>

Then download Sysmon and install the configuration file:

SysMon -i IPv6.xml

This will log IPv6 connections in the Windows Event Log under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational.

When monitoring is complete, stop monitoring:

SysMon -u

If you filter by "Event ID 3" you will get the network events, with details such as the following:

Log Name:      Microsoft-Windows-Sysmon/Operational
Source:        Microsoft-Windows-Sysmon
Date:          9/01/2018 9:55:08 PM
Event ID:      3
Task Category: Network connection detected (rule: NetworkConnect)
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      DESKTOP-RTTN04O
Description:
Network connection detected:
UtcTime: 2018-01-09 10:55:06.915
ProcessGuid: {14ab83bf-c0d9-5a52-0000-00102da40e00}
ProcessId: 3628
Image: C:\Windows\System32\svchost.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
SourceIsIpv6: true
SourceIp: 2001:8003:550d:d400:b81c:a2ed:f99a:b31f
SourceHostname: DESKTOP-RTTN04O.gateway
SourcePort: 55723
SourcePortName: 
DestinationIsIpv6: true
DestinationIp: 2001:8006:3510:393:0:0:0:25bb
DestinationHostname: 
DestinationPort: 443
DestinationPortName: https

Malcolm McCaffery

Posted 2014-01-19T15:10:44.967

Reputation: 111
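The two answers above both come down to the same defender's task: list the temporary (RFC 4941) addresses the host currently holds and attribute each one to the process that used it. The script below is an added example, not code from either answer; it assumes an elevated PowerShell on Windows 8.1 or later (NetTCPIP module) and that Sysmon is installed with the NetworkConnect rule shown above, so that Event ID 3 records carry SourceIp and Image.

```powershell
# Added example: correlate the host's temporary IPv6 addresses with Sysmon Event ID 3.
# Assumes Sysmon is installed with the IPv6.xml NetworkConnect rule from the answer above.

# 1. Privacy-extension settings (the same parameters 'netsh interface ipv6 show privacy' prints).
Get-NetIPv6Protocol |
    Select-Object UseTemporaryAddresses, MaxTemporaryValidLifetime,
                  MaxTemporaryPreferredLifetime, TemporaryRegenerateTime,
                  MaxTemporaryDesyncTime | Format-List

# 2. Temporary addresses: SLAAC prefix, random (privacy) interface identifier.
$temp = Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.PrefixOrigin -eq 'RouterAdvertisement' -and $_.SuffixOrigin -eq 'Random' }
"Temporary IPv6 addresses on this host: $($temp.Count)"
$temp | Sort-Object ValidLifetime |
    Select-Object IPAddress, AddressState, PreferredLifetime, ValidLifetime | Format-Table -AutoSize

$tempSet = @{}
foreach ($a in $temp) { $tempSet[$a.IPAddress] = $true }

# 3. Sysmon network events (ID 3); missing log just yields no events.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3
} -ErrorAction SilentlyContinue

# Keep only IPv6 connections whose source is one of the temporary addresses.
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
    if ($d['SourceIsIpv6'] -eq 'true' -and $tempSet.ContainsKey($d['SourceIp'])) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Image       = $d['Image']
            ProcessId   = $d['ProcessId']
            SourceIp    = $d['SourceIp']
            Destination = "$($d['DestinationIp']):$($d['DestinationPort'])"
        }
    }
}

# Processes that used the most distinct temporary addresses are listed first;
# one process cycling through hundreds of them is the culprit the question is after.
$hits | Group-Object Image |
    Select-Object Name, Count,
        @{ n = 'DistinctTempAddrs'; e = { ($_.Group.SourceIp | Sort-Object -Unique).Count } } |
    Sort-Object DistinctTempAddrs -Descending | Format-Table -AutoSize
```

Addresses that have already expired no longer appear in step 2, so run the correlation while the count is still climbing, or drop the $tempSet filter to attribute every IPv6 source address Sysmon recorded.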


My bet is you are watching Netflix and/or Amazon Prime Video and your browser is setting a temp v6 address for each stream.

Mark

Posted 2014-01-19T15:10:44.967

Reputation: 1

No need to bet. The browser isn’t obtaining any IPv6 addresses, simply because it can’t. – Daniel B – 2016-04-19T16:40:04.263