Sane Windows IP configuration: Disabling IPv6 privacy extensions and enabling ICMP echo
01 Aug 2021 - tsp
Last update 01 Aug 2021
This really is just a quick and short note to keep a reference for the required
commands in one place.
Who doesn't know this: whenever a Windows machine (unfortunately) joins a network,
it uses randomized IPv6 addresses even though this has not been explicitly
enabled, which is technically exactly what should not be the case when
one refers to RFC 4941, and on top of that these machines have such a broken
default configuration that they do not even respond to standard ICMP echo requests.
To fix this one can simply disable IPv6 privacy extensions and allow ICMP echo
requests in the Windows firewall using netsh (executed from an
elevated command prompt or a script running with elevated privileges; the lines
below are netsh subcommands, so they are prefixed with netsh here to be runnable
directly from cmd.exe. store=active changes the running configuration,
store=persistent makes the change survive a reboot):
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh firewall set icmpsetting 8
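The same procedure wrapped into an idempotent PowerShell script, as an added example that is not code from the original post: it runs the post's four netsh settings unchanged, then creates named inbound echo-request rules with the NetSecurity cmdlets (the netsh firewall context the post uses is deprecated on current Windows versions in favour of the advfirewall context, which these cmdlets manage), and finally verifies the result instead of trusting exit codes. The rule names and the additional ICMPv6 echo-request rule (ICMPv6 type 128) are my own choices and go beyond what the post lists.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: apply the post's netsh IPv6
# settings, create inbound ICMP echo rules and verify the outcome. The rule
# names and the ICMPv6 echo rule (type 128) are assumptions of this example.
$ErrorActionPreference = 'Stop'

# 1. The post's four netsh commands, as-is: disable randomized interface
#    identifiers and temporary (privacy) addresses, both for the running
#    configuration (store=active) and across reboots (store=persistent).
$ipv6Commands = @(
    'interface ipv6 set global randomizeidentifiers=disabled store=active',
    'interface ipv6 set global randomizeidentifiers=disabled store=persistent',
    'interface ipv6 set privacy state=disabled store=active',
    'interface ipv6 set privacy state=disabled store=persistent'
)
foreach ($cmd in $ipv6Commands) {
    & netsh.exe $cmd.Split(' ')
    if ($LASTEXITCODE -ne 0) { throw "netsh $cmd failed (exit code $LASTEXITCODE)" }
}

# 2. Allow inbound echo requests. A dedicated, named rule per protocol is
#    idempotent and easy to audit later with Get-NetFirewallRule.
$echoRules = @(
    @{ Name = 'Allow ICMPv4 Echo Request (In)'; Protocol = 'ICMPv4'; IcmpType = '8'   },
    @{ Name = 'Allow ICMPv6 Echo Request (In)'; Protocol = 'ICMPv6'; IcmpType = '128' }
)
foreach ($rule in $echoRules) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Action Allow `
            -Protocol $rule.Protocol -IcmpType $rule.IcmpType -Profile Any | Out-Null
    }
}

# 3. Verify the global IPv6 settings rather than trusting the exit codes.
$proto = Get-NetIPv6Protocol
if ($proto.RandomizeIdentifiers -ne 'Disabled' -or $proto.UseTemporaryAddresses -ne 'Disabled') {
    throw "IPv6 settings not applied: RandomizeIdentifiers=$($proto.RandomizeIdentifiers), UseTemporaryAddresses=$($proto.UseTemporaryAddresses)"
}
Write-Host 'IPv6 identifier randomization and temporary addresses: disabled'

# Addresses with a random suffix that already exist are not removed by the
# setting change; they go away when their lifetime expires or the interface
# is re-plumbed (e.g. Restart-NetAdapter). List them so the operator knows.
$leftovers = Get-NetIPAddress -AddressFamily IPv6 | Where-Object SuffixOrigin -eq 'Random'
if ($leftovers) {
    Write-Warning 'IPv6 addresses with a random suffix are still present:'
    $leftovers | Format-Table InterfaceAlias, IPAddress, ValidLifetime -AutoSize
}

# 4. Show the echo rules that are now in place.
Get-NetFirewallRule -DisplayName 'Allow ICMPv* Echo Request (In)' |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

Run it from an elevated PowerShell session; the final check that matters is a ping from another host on the network, since Windows will answer its own loopback regardless of the inbound rules.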
Some notes about the reasons for this blog post
Why is blocking ICMP echo a bad idea? First of all, one doesn't gain any security
from it. Second, it makes diagnosis of network problems much harder.
It's really just a bad idea that makes the life of network administrators way
harder, and some network utilities depend on it, such as monitoring solutions, some
DHCP servers that verify whether IP addresses are still in use in networks with
a huge number of quickly vanishing clients, etc. Some firewalls go even further and
block ICMP as a whole, which is the worst idea ever since it disables basic features
of IP networks such as source quench (rate limiting), MTU discovery and many more
basic features.
And IPv6 privacy extensions with their temporary addresses? Their basic idea is
that they should prevent tracking of devices moving through different IPv6
networks, just like a super cookie, since the lower 64 bits of an IPv6 address are
usually calculated from the device's unique MAC address. This is a valid concern
of course, but on the other hand randomly and non-deterministically assigned addresses
for devices' outgoing traffic also make the life of system administrators harder, and
the device keeps its usual IPv6 address anyway. So there might be situations
when IPv6 privacy extensions are indeed a nice idea, but as mentioned above there
are reasons why the RFC mentions they should be disabled by default.
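To make the tracking argument concrete, here is an added example (not from the original post) that derives the MAC-based interface identifier the paragraph refers to (modified EUI-64 as in RFC 4291 Appendix A) and contrasts it with an RFC 4941-style random temporary identifier. The MAC address and the two prefixes are constructed sample values; the function names are mine.

```powershell
# Added example, not from the original post: how the lower 64 bits of a SLAAC
# address follow from the MAC (modified EUI-64) and why that identifies a host
# across networks, versus the random identifier privacy extensions substitute.
# The MAC and prefixes below are constructed sample values.

function ConvertTo-Eui64InterfaceId {
    # 48-bit MAC -> 64-bit interface identifier: flip the universal/local bit
    # (0x02 of the first octet) and insert ff:fe between the OUI half and the
    # device-specific half. Accepts colon- or dash-separated notation.
    param([Parameter(Mandatory)][string]$MacAddress)
    $octets = [byte[]]($MacAddress -split '[:-]' | ForEach-Object { [Convert]::ToByte($_, 16) })
    if ($octets.Count -ne 6) { throw "expected a 48-bit MAC, got '$MacAddress'" }
    $octets[0] = $octets[0] -bxor 0x02
    $iid = [byte[]]($octets[0..2] + @(0xff, 0xfe) + $octets[3..5])
    $groups = for ($i = 0; $i -lt 8; $i += 2) { '{0:x2}{1:x2}' -f $iid[$i], $iid[$i + 1] }
    return ($groups -join ':')
}

function New-TemporaryInterfaceId {
    # RFC 4941-style temporary identifier: 64 random bits with the
    # universal/local bit cleared, so it can never be mistaken for a
    # globally unique (MAC-derived) identifier.
    $rand = New-Object byte[] 8
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rand)
    $rand[0] = $rand[0] -band 0xFD
    $groups = for ($i = 0; $i -lt 8; $i += 2) { '{0:x2}{1:x2}' -f $rand[$i], $rand[$i + 1] }
    return ($groups -join ':')
}

# The same laptop seen on two networks: with EUI-64 the host part is identical
# under both prefixes and ties the two sightings to one device, while the
# temporary identifier differs every time it is generated.
$mac = '00:11:22:33:44:55'                              # constructed sample MAC
$eui64 = ConvertTo-Eui64InterfaceId $mac
foreach ($prefix in '2001:db8:1::', '2001:db8:2::') {   # constructed sample prefixes
    $stable = [System.Net.IPAddress]::Parse("$prefix$eui64")
    $temp   = [System.Net.IPAddress]::Parse("$prefix$(New-TemporaryInterfaceId)")
    '{0,-13} EUI-64: {1,-30} temporary: {2}' -f $prefix, $stable, $temp
}
```

Worked through by hand for the sample MAC 00:11:22:33:44:55: flipping the universal/local bit turns the first octet into 02, and inserting ff:fe yields the interface identifier 0211:22ff:fe33:4455, which is the same under both prefixes; only the network half changes as the device moves, which is exactly the property the privacy extensions were designed to remove.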