I want my Windows boxes to:
- Use 'privacy' addresses for outgoing connections
- Have an EUI64 address to listen for incoming connections
- Not use any legacy tunneling protocols
This can be enabled permanently using the following batch script:
    REM enables RFC 4941 privacy extensions (i.e. temporary address for outgoing connections)
    netsh interface ipv6 set privacy state=enabled store=active
    netsh interface ipv6 set privacy state=enabled store=persistent

    REM Don't use random identifier. This will result in EUI64 based addresses
    netsh interface ipv6 set global randomizeidentifiers=disabled store=active
    netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

    REM disable unused tunneling protocols
    netsh interface ipv6 6to4 set state disabled
    netsh interface ipv6 isatap set state disabled
    netsh interface ipv6 set teredo disabled

The order of the first two blocks seems to matter. If you put the randomizeidentifiers block before the privacy block, then Windows will still use randomized identifiers.
Remove address
For servers it makes sense to have statically configured addresses, and avoid dynamic/privacy stuff as much as possible.
However, you might have started out with privacy stuff on, and have to remove things:
    C:\Users\Administrator>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : dilbert
       Primary Dns Suffix  . . . . . . . : terena.org
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : terena.org

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-0C-29-DB-AF-95
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:610:148:babe:20c:29ff:fedb:af95(Preferred)
       IPv6 Address. . . . . . . . . . . : 2001:610:148:babe:cafe::3(Preferred)
       Link-local IPv6 Address . . . . . : fe80::20c:29ff:fedb:af95%10(Preferred)
       Default Gateway . . . . . . . . . : 2001:610:148:babe::1
                                           fe80::ceef:48ff:fe5e:f3c8%10
       DNS Servers . . . . . . . . . . . : 2001:610:1:800a:192:87:106:106
                                           2001:610:188:140:145:100:188:188
       NetBIOS over Tcpip. . . . . . . . : Disabled
To remove the EUI-64 address 2001:610:148:babe:20c:29ff:fedb:af95, first find the interface number:
    C:\Users\Administrator>netsh interface ipv6 show addresses

    Interface 1: Loopback Pseudo-Interface 1

    Addr Type  DAD State   Valid Life   Pref. Life   Address
    ---------  ----------- ------------ ------------ ------------------------
    Other      Preferred       infinite     infinite ::1

    Interface 10: Local Area Connection

    Addr Type  DAD State   Valid Life   Pref. Life   Address
    ---------  ----------- ------------ ------------ ------------------------
    Public     Preferred   29d23h57m39s  6d23h57m39s 2001:610:148:babe:20c:29ff:fedb:af95
    Manual     Preferred       infinite     infinite 2001:610:148:babe:cafe::3
    Other      Preferred       infinite     infinite fe80::20c:29ff:fedb:af95%10

The trick is to disable autoconfiguration on that interface by turning off router discovery:

    C:\Users\Administrator>netsh interface ipv6 set interface 10 routerdiscovery=disabled
    Ok.
Now it should be gone:
    C:\Users\Administrator>netsh interface ipv6 show addresses

    Interface 1: Loopback Pseudo-Interface 1

    Addr Type  DAD State   Valid Life   Pref. Life   Address
    ---------  ----------- ------------ ------------ ------------------------
    Other      Preferred       infinite     infinite ::1

    Interface 10: Local Area Connection

    Addr Type  DAD State   Valid Life   Pref. Life   Address
    ---------  ----------- ------------ ------------ ------------------------
    Manual     Preferred       infinite     infinite 2001:610:148:babe:cafe::3
    Other      Preferred       infinite     infinite fe80::20c:29ff:fedb:af95%10
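The "should be gone" check can be scripted across servers. The Python below is an added example, not part of the original page: it parses `netsh interface ipv6 show addresses` output, lists autoconfigured addresses still present, and shows that the EUI-64 address encodes the adapter's Physical Address. The sample is the "before" listing from this page; the address type name "Temporary" (for privacy addresses) is an assumption, as it does not appear in the page's output.

```python
import ipaddress
import re

# Sample input: the "before" listing from this page, with line breaks restored.
SAMPLE = """\
Interface 1: Loopback Pseudo-Interface 1
Addr Type  DAD State   Valid Life   Pref. Life   Address
---------  ----------- ------------ ------------ ------------------------
Other      Preferred       infinite     infinite ::1
Interface 10: Local Area Connection
Addr Type  DAD State   Valid Life   Pref. Life   Address
---------  ----------- ------------ ------------ ------------------------
Public     Preferred   29d23h57m39s  6d23h57m39s 2001:610:148:babe:20c:29ff:fedb:af95
Manual     Preferred       infinite     infinite 2001:610:148:babe:cafe::3
Other      Preferred       infinite     infinite fe80::20c:29ff:fedb:af95%10
"""

# "Public" = SLAAC address (as on this page); "Temporary" = RFC 4941 (assumed name).
AUTOCONF = {"Public", "Temporary"}

def parse(text):
    """Yield (interface_index, addr_type, address) for every address row."""
    idx = None
    for line in text.splitlines():
        head = re.match(r"\s*Interface (\d+):", line)
        if head:
            idx = int(head.group(1))
            continue
        parts = line.split()
        if len(parts) != 5:          # column header rows have more fields
            continue
        try:                         # the dashed separator row fails here
            ipaddress.IPv6Address(parts[4].split("%")[0])
        except ValueError:
            continue
        yield idx, parts[0], parts[4]

def eui64_mac(addr):
    """Return the MAC embedded in an EUI-64 interface ID, or None."""
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":      # EUI-64 inserts ff:fe in the middle
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return "-".join(f"{b:02X}" for b in mac)

def audit(text):
    """Return (index, type, address, embedded MAC) for autoconfigured addresses."""
    return [(i, k, a, eui64_mac(a)) for i, k, a in parse(text) if k in AUTOCONF]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty list from `audit()` means only manual and link-local addresses remain on the box.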
Time servers
To configure Windows servers to use the SURFnet NTP boxes:
C:\Users\Administrator>w32tm /config /manualpeerlist:"chime3.surfnet.nl chime4.surfnet.nl",0x8 /syncfromflags:MANUAL