IPv6 Privacy Addresses (RFC 4941/8981)

SLAAC privacy extensions: temporary vs stable interface identifiers, how they protect privacy, and configuration guidance.

What are IPv6 Privacy Addresses?

IPv6 privacy addresses (temporary addresses) are automatically generated to prevent tracking based on stable interface identifiers. They're created alongside stable addresses and change periodically. Without privacy extensions, devices use predictable interface identifiers (often based on MAC addresses), making them trackable across networks.

The Privacy Problem

Standard IPv6 addresses often contain predictable interface identifiers that remain constant across different networks, creating privacy concerns similar to a permanent device fingerprint.

IPv6 Address Types

Stable Address (Standard SLAAC)
Formation: Prefix + EUI-64 or configured interface ID
Example: 2001:db8:1234:5678:21a:2bff:fe3c:4d5e
Privacy Level: Poor - enables tracking across networks

Characteristics:

  • Interface identifier stays the same across networks
  • Often derived from MAC address using EUI-64
  • Predictable and trackable across network changes
  • Required for some services that need consistent addressing
Temporary Address (Privacy Extension)
Formation: Prefix + cryptographically generated random bits
Example: 2001:db8:1234:5678:a1b2:c3d4:e5f6:7890
Privacy Level: Good - prevents cross-network tracking

Characteristics:

  • Randomly generated interface identifier
  • Changes periodically (daily by default)
  • Multiple temporary addresses can coexist
  • Used for outbound connections by default
Stable Private Address (RFC 7217)
Formation: Prefix + hash of secret key + network info
Example: 2001:db8:1234:5678:9abc:def0:1234:5678
Privacy Level: Better - network-specific but stable

Characteristics:

  • Stable within the same network
  • Changes when moving to different networks
  • More predictable than temporary addresses
  • Good balance of privacy and stability
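The derivation behind "hash of secret key + network info", as an added example that is not part of the original page. It follows the RFC 7217 formula RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key); using HMAC-SHA256 for F(), the field encoding, the interface and network names and the secret value are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

def is_reserved_iid(iid):
    """RFC 5453 reserved interface IDs: all-zeros and the subnet anycast range."""
    return iid == 0 or 0xFDFFFFFFFFFFFF80 <= iid <= 0xFDFFFFFFFFFFFFFF

def stable_private_address(prefix, iface, network_id, secret_key, dad_counter=0):
    """Derive an RFC 7217-style address, keeping the low 64 bits of
    RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example handles /64 SLAAC prefixes only")
    while True:
        fields = [net.network_address.packed[:8], iface.encode(),
                  network_id.encode(), dad_counter.to_bytes(1, "big")]
        # Length-prefix each field so different inputs never concatenate alike.
        msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
        # Assumption: HMAC-SHA256 as the pseudorandom function F().
        rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
        iid = int.from_bytes(rid[-8:], "big")
        if not is_reserved_iid(iid):
            return ipaddress.IPv6Address(int(net.network_address) | iid)
        dad_counter += 1  # handled like a duplicate address: recompute

# Constructed secret; a real host generates it randomly once and keeps it private.
SECRET = bytes.fromhex("6b1f0c9d2e4a7785a0c3d9e1f2b46c58")

if __name__ == "__main__":
    for prefix, net_id in [("2001:db8:1234:5678::/64", "home"),
                           ("2001:db8:aaaa:1::/64", "cafe"),
                           ("2001:db8:1234:5678::/64", "home")]:
        # Same prefix and network: same address. New network: new interface ID.
        print(net_id, stable_private_address(prefix, "eth0", net_id, SECRET))
```
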

How Privacy Extensions Work

Address Generation Process

  1. Device receives Router Advertisement with prefix
  2. Creates stable address using EUI-64 or configured method
  3. Generates temporary address using cryptographic random bits
  4. Both addresses are assigned to the same interface
  5. Temporary address preferred for outbound connections

Temporary Address Lifecycle

  1. New temporary address generated periodically
  2. Old temporary addresses remain valid until expiry
  3. Multiple temporary addresses can coexist
  4. Addresses have preferred and valid lifetimes
  5. Deprecated addresses still accept incoming traffic

Default Operating System Behavior

  • Outbound connections use temporary addresses
  • Inbound services use stable addresses
  • Applications can request specific address types
  • Operating system manages address selection automatically

Address Lifetimes

Preferred Lifetime
How long address is preferred for new connections
Typical: 1 day (86400 seconds)
Behavior: After expiry, address can receive but not initiate connections
Valid Lifetime
How long address remains usable
Typical: 7 days (604800 seconds)
Behavior: After expiry, address is completely removed
Regeneration Interval
How often new temporary addresses are created
Typical: 5 minutes to 24 hours
Behavior: New address created before old one expires
Max Temporary Addresses
Maximum temporary addresses per prefix
Typical: 5-10 addresses
Behavior: Oldest addresses removed when limit reached

Operating System Support

Windows
Default Behavior: Privacy extensions enabled by default (Vista+)

Configuration:

netsh interface ipv6 set global randomizeidentifiers=enabled
netsh interface ipv6 set privacy state=enabled
Registry: HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters

Useful Commands:

netsh interface ipv6 show privacy
netsh interface ipv6 show addresses
Linux
Default Behavior: Varies by distribution, often disabled by default

Configuration:

sysctl net.ipv6.conf.all.use_tempaddr=2
sysctl net.ipv6.conf.default.use_tempaddr=2
/proc/sys/net/ipv6/conf/*/use_tempaddr

Values:

  • 0 = Disabled
  • 1 = Enabled but prefer stable
  • 2 = Enabled and prefer temporary

Useful Commands:

ip -6 addr show scope global
cat /proc/sys/net/ipv6/conf/eth0/use_tempaddr
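An added example, not part of the original page, that reads `ip -6 addr show scope global` output and reports each address's type, preferred/deprecated state and lifetimes, then checks the result against the `use_tempaddr` value. The sample output is constructed, and the function names and the wording of the findings are this example's own.

```python
import re

# Constructed sample in the format printed by `ip -6 addr show scope global`.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:a1b2:c3d4:e5f6:7890/64 scope global temporary dynamic
       valid_lft 590000sec preferred_lft 71000sec
    inet6 2001:db8:1234:5678:77aa:10fe:93c2:4b1d/64 scope global temporary deprecated dynamic
       valid_lft 430000sec preferred_lft 0sec
    inet6 2001:db8:1234:5678:21a:2bff:fe3c:4d5e/64 scope global dynamic mngtmpaddr
       valid_lft 2591000sec preferred_lft 604000sec
"""

ADDR = re.compile(r"^\s+inet6 ([0-9a-f:]+)/\d+ scope global(.*)$")
LFT = re.compile(r"valid_lft (\d+sec|forever) preferred_lft (\d+sec|forever)")

def parse_ip6(text):
    """Return one dict per global address: kind, state and lifetimes (seconds)."""
    entries = []
    for line in text.splitlines():
        if m := ADDR.match(line):
            flags = m.group(2).split()
            entries.append({"address": m.group(1), "flags": flags,
                            "kind": "temporary" if "temporary" in flags else "stable"})
        elif (m := LFT.search(line)) and entries:
            valid, pref = (None if v == "forever" else int(v[:-3]) for v in m.groups())
            # Preferred lifetime 0: still receives traffic, not used for new connections.
            entries[-1].update(valid=valid, preferred=pref,
                               state="deprecated" if pref == 0 else "preferred")
    return entries

def privacy_findings(entries, use_tempaddr=2):
    """Compare the address list with the use_tempaddr value (0, 1 or 2)."""
    usable = [e for e in entries
              if e["kind"] == "temporary" and e.get("state") == "preferred"]
    findings = []
    if use_tempaddr < 2:
        findings.append("use_tempaddr is not 2: stable address preferred for outbound")
    if not usable:
        findings.append("no preferred temporary address: outbound uses the stable ID")
    return findings

if __name__ == "__main__":
    for e in parse_ip6(SAMPLE):
        print(e["address"], e["kind"], e["state"], e["preferred"], e["valid"])
    print(privacy_findings(parse_ip6(SAMPLE)) or "temporary address in use")
```
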
macOS
Default Behavior: Privacy extensions enabled by default

Configuration:

Built into system preferences
networksetup command line tool
System-wide setting affects all interfaces

Useful Commands:

ifconfig | grep inet6
networksetup -getinfo Wi-Fi
Android
Default Behavior: Privacy extensions enabled by default (Android 8+)

Configuration:

Settings > Network & Internet > Advanced
Developer options for advanced control
Per-network configuration possible

Useful Commands:

Behavior: Randomizes MAC and uses privacy addresses

Identifying Address Types

Interface Identifier Pattern
Stable Address: Often contains 'fffe' in middle (EUI-64) or predictable pattern
Temporary Address: Random-looking interface identifier
Example: Stable: ::21a:2bff:fe3c:4d5e vs Temporary: ::a1b2:c3d4:e5f6:7890
Address Consistency
Stable Address: Same interface ID across different network prefixes
Temporary Address: Different interface ID on each network
Example: Device keeps same ::21a:2bff:fe3c:4d5e on all networks vs random on each
Command Output
Stable Address: Often labeled as 'permanent' or primary
Temporary Address: Labeled as 'temporary' or 'deprecated'
Example: Linux ip command shows 'temporary' flag
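The first two identification methods above as an added example, not code from the original page: it detects the EUI-64 'fffe' pattern, recovers the MAC address embedded in the interface identifier, and flags interface IDs that recur under different prefixes. The second and fourth sample addresses are constructed.

```python
import ipaddress
from collections import defaultdict

def eui64_mac(addr):
    """Return the MAC embedded in a Modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":                    # the 'fffe' filler in the middle
        return None
    # Modified EUI-64 inverts the universal/local bit (0x02) of the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def classify(addr):
    """Heuristic only: a random ID contains ff:fe by chance about once in
    65536, and an RFC 7217 ID looks just like a temporary one."""
    return "stable (EUI-64)" if eui64_mac(addr) else "random-looking"

def reused_interface_ids(addresses):
    """Map each interface ID seen under more than one /64 prefix to those
    prefixes: the cross-network correlation that temporary addresses prevent."""
    seen = defaultdict(set)
    for addr in addresses:
        packed = ipaddress.IPv6Address(addr).packed
        prefix = ipaddress.IPv6Address(packed[:8] + bytes(8))
        seen[packed[8:].hex()].add(f"{prefix}/64")
    return {iid: sorted(p) for iid, p in seen.items() if len(p) > 1}

# Sample data: entries 1 and 3 are the page's examples, 2 and 4 are constructed.
OBSERVED = [
    "2001:db8:1234:5678:21a:2bff:fe3c:4d5e",
    "2001:db8:aaaa:1:21a:2bff:fe3c:4d5e",
    "2001:db8:1234:5678:a1b2:c3d4:e5f6:7890",
    "2001:db8:aaaa:1:5c0d:91e2:7f3a:8b4",
]

if __name__ == "__main__":
    for a in OBSERVED:
        print(f"{a:40} {classify(a):16} mac={eui64_mac(a)}")
    print(reused_interface_ids(OBSERVED))
```
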

Troubleshooting

Privacy addresses not working

Symptoms: Same IPv6 address on different networks, Tracking concerns

Diagnosis: Check OS privacy extension settings

Solutions:
  • Enable privacy extensions in OS settings
  • Verify router supports SLAAC
  • Check for disabled IPv6 privacy in network manager
Too many IPv6 addresses

Symptoms: Multiple IPv6 addresses per interface, Address list constantly changing

Diagnosis: Privacy extensions working normally

Solutions:
  • This is normal behavior for privacy extensions
  • Adjust regeneration timers if needed
  • Reduce max temporary addresses if causing issues
Applications using wrong address

Symptoms: Server not reachable, Unexpected source addresses

Diagnosis: Address selection preference issues

Solutions:
  • Configure application to bind specific addresses
  • Adjust address selection policy
  • Use stable addresses for server applications
Privacy addresses not preferred

Symptoms: Always using stable addresses for outbound

Diagnosis: Address selection policy favoring stable addresses

Solutions:
  • Configure temporary address preference
  • Check application-specific settings
  • Verify privacy extension configuration

Security Considerations

Privacy Protection

Benefits:

  • Prevents device tracking across networks
  • Makes traffic analysis more difficult
  • Reduces correlation of activities
  • Protects against location tracking

Limitations:

  • Application-layer tracking still possible
  • DNS queries may reveal information
  • Stable addresses still exposed for services
  • Requires proper application configuration
Network Management

Benefits:

  • Devices harder to target maliciously
  • Reduces effectiveness of IP-based blocking
  • Makes reconnaissance more difficult

Challenges:

  • Harder to whitelist specific devices
  • Complicates network troubleshooting
  • May interfere with IP-based access control
  • Requires different monitoring approaches

When to Use Privacy Addresses

Client Devices
Recommendation: Enable privacy extensions
Reasoning: Protects user privacy without impacting functionality
Configuration: Prefer temporary addresses for outbound connections
Servers
Recommendation: Use stable addresses
Reasoning: Consistent addressing needed for services
Configuration: Disable privacy extensions or use stable addresses only
IoT Devices
Recommendation: Consider device requirements
Reasoning: Balance privacy with device management needs
Configuration: May need stable addresses for remote management
Enterprise Networks
Recommendation: Policy-based approach
Reasoning: Different requirements for different device types
Configuration: Client devices: privacy on, servers: stable addresses

Best Practices

  • Enable privacy extensions on client devices
  • Use stable addresses only for servers and infrastructure
  • Configure appropriate regeneration intervals
  • Monitor for privacy extension support in applications
  • Balance privacy with network management needs
  • Document which services require stable addressing
  • Test applications with privacy addresses enabled
  • Consider RFC 7217 stable privacy addresses for better balance

Common Mistakes

  • Assuming all IPv6 addresses are permanent
  • Not testing applications with privacy addresses
  • Blocking temporary addresses in firewalls
  • Using temporary addresses for server services
  • Not understanding address selection preferences
  • Confusing temporary addresses with link-local addresses
  • Expecting consistent addressing with privacy extensions enabled

Quick Reference

Address Types
Stable: Same interface ID everywhere (trackable)
Temporary: Random interface ID, changes periodically (private)
Stable Privacy (7217): Stable per-network, changes between networks
Identification
EUI-64 pattern (fffe in middle) = stable address
Random-looking interface ID = temporary address
Multiple addresses per interface = privacy extensions active
Configuration
Windows: netsh interface ipv6 set privacy state=enabled
Linux: sysctl net.ipv6.conf.all.use_tempaddr=2
macOS: System Preferences > Network > Advanced
Troubleshooting
Multiple IPv6 addresses = normal with privacy extensions
Same address everywhere = privacy extensions disabled
Services unreachable = check stable address binding
Key Point
Privacy extensions create multiple IPv6 addresses per interface. Temporary addresses change periodically for privacy, while stable addresses remain consistent for services. Both can coexist on the same interface.

Useful Tools

ip -6 addr show
Show all IPv6 addresses with flags (Linux)
ipconfig /all
Display IPv6 addresses and configuration (Windows)
ifconfig
Show network interfaces and addresses (Unix/macOS)
netsh interface ipv6 show addresses
Detailed IPv6 address info (Windows)
sysctl net.ipv6.conf.all.use_tempaddr
Check privacy extension status (Linux)