I want my Windows boxes to:
- Use 'privacy' addresses for outgoing connections
- Have an EUI64 address to listen for incoming connections
- Not use any legacy tunneling protocols
This can be enabled permanently using the following batch script:
```
REM enables RFC 4941 privacy extensions (i.e. temporary address for outgoing connections)
netsh interface ipv6 set privacy state=enabled store=active
netsh interface ipv6 set privacy state=enabled store=persistent

REM Don't use random identifier. This will result in EUI64 based addresses
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

REM disable unused tunneling protocols
netsh interface ipv6 6to4 set state disabled
netsh interface ipv6 isatap set state disabled
netsh interface ipv6 set teredo disabled
```
Note: The order of the first two blocks seems to matter. If you put the
Remove address
For servers it makes sense to have statically configured addresses, and avoid dynamic/privacy stuff as much as possible.
However, you might have started out with privacy stuff on, and have to remove things:
```
C:\Users\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dilbert
   Primary Dns Suffix . . . . . . . : terena.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : terena.org

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-DB-AF-95
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:610:148:babe:20c:29ff:fedb:af95(Preferred)
   IPv6 Address. . . . . . . . . . . : 2001:610:148:babe:cafe::3(Preferred)
   Link-local IPv6 Address . . . . . : fe80::20c:29ff:fedb:af95%10(Preferred)
   Default Gateway . . . . . . . . . : 2001:610:148:babe::1
                                       fe80::ceef:48ff:fe5e:f3c8%10
   DNS Servers . . . . . . . . . . . : 2001:610:1:800a:192:87:106:106
                                       2001:610:188:140:145:100:188:188
   NetBIOS over Tcpip. . . . . . . . : Disabled
```
To remove the EUI-64 address 2001:610:148:babe:20c:29ff:fedb:af95, first find the interface number:
```
C:\Users\Administrator>netsh interface ipv6 show addresses

Interface 1: Loopback Pseudo-Interface 1

Addr Type  DAD State   Valid Life   Pref. Life   Address
---------  ----------- ------------ ------------ ------------------------
Other      Preferred   infinite     infinite     ::1

Interface 10: Local Area Connection

Addr Type  DAD State   Valid Life   Pref. Life   Address
---------  ----------- ------------ ------------ ------------------------
Public     Preferred   29d23h57m39s 6d23h57m39s  2001:610:148:babe:20c:29ff:fedb:af95
Manual     Preferred   infinite     infinite     2001:610:148:babe:cafe::3
Other      Preferred   infinite     infinite     fe80::20c:29ff:fedb:af95%10
```
The trick is to disable autoconfiguration on that interface:
```
C:\Users\Administrator>netsh interface ipv6 set interface 10 routerdiscovery=disabled
Ok.
```
Now it should be gone:
```
C:\Users\Administrator>netsh interface ipv6 show addresses

Interface 1: Loopback Pseudo-Interface 1

Addr Type  DAD State   Valid Life   Pref. Life   Address
---------  ----------- ------------ ------------ ------------------------
Other      Preferred   infinite     infinite     ::1

Interface 10: Local Area Connection

Addr Type  DAD State   Valid Life   Pref. Life   Address
---------  ----------- ------------ ------------ ------------------------
Manual     Preferred   infinite     infinite     2001:610:148:babe:cafe::3
Other      Preferred   infinite     infinite     fe80::20c:29ff:fedb:af95%10
```
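A way to check this step without eyeballing the table, as an added example that is not part of the original page: it computes the modified EUI-64 interface identifier from the adapter's MAC and lists any global address in `netsh interface ipv6 show addresses` output that is still derived from it. The function names are hypothetical, and the sample text is the "before" output from this page with column spacing reconstructed.

```python
import ipaddress
import re

# Sample input: the "before" output shown on this page (column spacing reconstructed).
NETSH_BEFORE = """\
Interface 10: Local Area Connection

Addr Type  DAD State   Valid Life   Pref. Life   Address
---------  ----------- ------------ ------------ ------------------------
Public     Preferred   29d23h57m39s 6d23h57m39s  2001:610:148:babe:20c:29ff:fedb:af95
Manual     Preferred   infinite     infinite     2001:610:148:babe:cafe::3
Other      Preferred   infinite     infinite     fe80::20c:29ff:fedb:af95%10
"""


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    raw = bytes.fromhex(re.sub(r"[-:.]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the OUI and the NIC part.
    return int.from_bytes(bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:], "big")


def parse_addresses(netsh_text: str):
    """Yield (addr_type, IPv6Address) for every address row of the netsh table."""
    for line in netsh_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # blank line or column header
        try:
            addr = ipaddress.IPv6Address(fields[4].split("%")[0])  # drop the zone id
        except ValueError:
            continue  # "Interface N: ..." title or dashed separator row
        yield fields[0], addr


def mac_derived_globals(netsh_text: str, mac: str) -> list:
    """Non-link-local addresses whose low 64 bits equal the MAC's EUI-64 identifier."""
    iid = eui64_iid(mac)
    return [str(addr) for _, addr in parse_addresses(netsh_text)
            if not addr.is_link_local and int(addr) & (2**64 - 1) == iid]


if __name__ == "__main__":
    # MAC taken from the "Physical Address" line of the ipconfig output on this page.
    for address in mac_derived_globals(NETSH_BEFORE, "00-0C-29-DB-AF-95"):
        print("still MAC-derived:", address)
```

The link-local address is skipped on purpose: it stays EUI-64 based after router discovery is disabled, as the output above shows.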
Time servers
To configure Windows servers to use the SURFnet NTP boxes:
```
C:\Users\Administrator>w32tm /config /manualpeerlist:"chime3.surfnet.nl chime4.surfnet.nl",0x8 /syncfromflags:MANUAL
```