Sane Windows IP configuration: Disabling IPv6 privacy extensions and enabling ICMP echo

01 Aug 2021 - tsp
Last update 01 Aug 2021
Reading time 2 mins

This really is just a quick and short note to keep a reference for the required commands in one place.

Who hasn’t seen this whenever a Windows machine (unfortunately) joins a network? It uses randomized IPv6 addresses even though this has not been explicitly enabled - which, going by RFC4941, is exactly what should not be the default - and on top of that these machines ship with such a broken default firewall configuration that they do not even respond to standard ICMP echo requests.

To fix this one can simply disable the IPv6 privacy extensions and allow ICMP echo requests in the Windows Firewall using netsh. Each of the following commands is run from an elevated command prompt (or from a script running with elevated privileges); the store=active variant changes the running configuration, store=persistent makes the change survive a reboot:

netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh firewall set icmpsetting 8
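To check that the commands above actually took effect (and to get an idempotent replacement for the ICMP part, since the old "netsh firewall" context is deprecated in favour of "netsh advfirewall"), here is an added PowerShell example; it is not part of the original post. It assumes Windows 8 / Server 2012 or newer for the NetTCPIP and NetSecurity cmdlets, that the "show privacy" output contains a line with "Temporary Addresses", and it additionally covers ICMPv6 echo requests (type 128), which the netsh line above does not.

```powershell
# Added example (not from the original post): verify IPv6 privacy state and
# ICMP echo reachability after applying the netsh commands. Run elevated.

function Get-IPv6PrivacyState {
    # netsh prints a line like "Use Temporary Addresses : disabled" (format assumed)
    $raw  = netsh interface ipv6 show privacy
    $line = $raw | Where-Object { $_ -match 'Temporary Addresses' } | Select-Object -First 1
    # Addresses whose interface identifier was generated randomly still present?
    $random = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.SuffixOrigin -eq 'Random' }
    [pscustomobject]@{
        TemporaryAddressesEnabled = [bool]($line -match 'enabled')
        RandomSuffixAddresses     = @($random | ForEach-Object { $_.IPAddress })
    }
}

function Get-IcmpEchoAllowRules {
    # Enabled inbound allow rules matching ICMPv4 echo request (type 8) or
    # ICMPv6 echo request (type 128). IcmpType is reported as "type:code".
    Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Protocol -eq 'ICMPv4' -and $_.IcmpType -match '^8(:|$)') -or
            ($_.Protocol -eq 'ICMPv6' -and $_.IcmpType -match '^128(:|$)')
        } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
}

function Enable-IcmpEcho {
    # Modern, idempotent equivalent of "netsh firewall set icmpsetting 8",
    # plus the IPv6 counterpart. Rule names are our own choice.
    $rules = @(
        @{ Name = 'Allow ICMPv4 Echo Request'; Protocol = 'ICMPv4'; Type = 8 },
        @{ Name = 'Allow ICMPv6 Echo Request'; Protocol = 'ICMPv6'; Type = 128 }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
                -Protocol $r.Protocol -IcmpType $r.Type -Action Allow | Out-Null
        }
    }
}

# Usage: report the current state, then make sure echo requests are allowed.
Get-IPv6PrivacyState | Format-List
Enable-IcmpEcho
Get-IcmpEchoAllowRules | Select-Object DisplayName, Profile | Format-Table -AutoSize
```

Random-suffix addresses already assigned may persist until their lifetime expires or the adapter is reset, so an empty RandomSuffixAddresses list is expected only after a reconnect or reboot.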

Some notes about the reasons for this blog post

Why is blocking ICMP echo a bad idea? First of all, one doesn’t gain any security from it. Second, it makes diagnosis in case of network problems much harder. It’s really just a bad idea that makes the life of network administrators way harder - and some network utilities depend on it, such as monitoring solutions, or DHCP servers that verify whether IP addresses are still in use in networks with a huge number of quickly vanishing clients, etc. Some firewalls go even further and block ICMP as a whole, which is the worst idea ever since it disables basic features of IP networks such as source quench (rate limiting), MTU discovery and many more.

And IPv6 privacy extensions with their temporary addresses? Their basic idea is to prevent tracking of devices as they move through different IPv6 networks - much like a super cookie - since the lower 64 bits of an IPv6 address are usually derived from the device’s unique MAC address. This is a valid concern of course, but on the other hand randomly and non-deterministically assigned addresses for outgoing traffic also make the life of system administrators harder - and the device keeps its usual IPv6 address anyway. So there might be situations where IPv6 privacy extensions are indeed a nice idea - but as mentioned above there are reasons why the RFC says they should be disabled by default.


Dipl.-Ing. Thomas Spielauer, Wien (webcomplains389t48957@tspi.at)
