
IPv6 Privacy Extensions: Stop Address Tracking

IPv6 addresses can reveal your MAC address and track you across networks. Privacy extensions fix this. Here's how to enable them.

ping6.net | December 14, 2024 | 5 min read
Tags: IPv6, privacy, security, tracking, privacy extensions

When you connect to a network with IPv6, your device might be broadcasting a permanent identifier derived from your network card's MAC address. This makes you trackable across different networks and websites.

The Privacy Problem

The original IPv6 addressing scheme uses EUI-64 to generate Interface IDs from MAC addresses. Your network card's MAC 00:1a:2b:3c:4d:5e becomes part of your IPv6 address as 021a:2bff:fe3c:4d5e.

Here's how the conversion works:

MAC address:    00:1a:2b:3c:4d:5e
Insert FF:FE:   00:1a:2b:ff:fe:3c:4d:5e
Flip 7th bit:   02:1a:2b:ff:fe:3c:4d:5e
Interface ID:   021a:2bff:fe3c:4d5e

The 7th-bit flip (the universal/local bit) is part of the modified EUI-64 format that IPv6 uses. The 00 becomes 02 because the flipped bit has the value 0x02 in the first octet; it indicates whether the address is globally unique.
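The conversion above, and the reverse check for whether one of your own addresses embeds a MAC, as an added example (not code from the original page; the function names are illustrative):

```python
import ipaddress

def mac_to_interface_id(mac: str) -> str:
    """Modified EUI-64: insert ff:fe in the middle, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # 7th bit of the first octet
    return ":".join(eui[i:i + 2].hex() for i in range(0, 8, 2))

def leaked_mac(address: str):
    """Return the MAC embedded in an IPv6 address, or None if the
    Interface ID is not EUI-64 shaped (no ff:fe in the middle)."""
    iid = ipaddress.IPv6Address(address.split("/")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    print(mac_to_interface_id("00:1a:2b:3c:4d:5e"))
    print(leaked_mac("2001:db8:1234:5678:021a:2bff:fe3c:4d5e"))
    print(leaked_mac("2001:db8:1234:5678:a4b2:c9d1:e3f4:5a6b"))
```

The ff:fe test is a heuristic: a randomly generated Interface ID matches it by chance about once in 65,536 addresses.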

This creates several problems:

  • Cross-network tracking: Your device carries the same Interface ID whether you're at home, at a coffee shop, or on public WiFi
  • Persistent identification: Websites can correlate visits over time, even if you clear cookies
  • MAC address disclosure: Your hardware identifier is exposed in every packet

Unlike IPv4's NAT which hides internal addresses, IPv6 typically assigns globally routable addresses directly to devices. Without privacy extensions, you're broadcasting the same identifier everywhere.


How Privacy Extensions Work

RFC 4941 (updated by RFC 8981) introduces temporary addresses that replace EUI-64 derived addresses. Instead of using your MAC address, your device generates random Interface IDs.

The mechanism creates two types of addresses:

Stable address: Generated from your MAC or a random seed. Used for incoming connections and stays consistent for the network. Not used for outbound traffic.

Temporary address: Randomly generated, used for outbound connections, rotates periodically (typically every 24 hours on most systems).

When you browse the web or make outbound connections, your OS uses the temporary address. The stable address remains available for services that need to reach your device.

Your device maintains multiple IPv6 addresses simultaneously:

2001:db8:1234:5678:021a:2bff:fe3c:4d5e  # Stable (EUI-64 or stable private)
2001:db8:1234:5678:a4b2:c9d1:e3f4:5a6b  # Temporary (currently active)
2001:db8:1234:5678:1234:5678:9abc:def0  # Temporary (deprecated, expiring)

The rotation happens automatically. Old addresses enter a "deprecated" state before expiring completely, ensuring active connections don't break.


Enabling Privacy Extensions

Windows

Privacy extensions are enabled by default on Windows since Vista. Verify with PowerShell:

Get-NetIPv6Protocol | Select-Object UseTemporaryAddresses

Output 2 means enabled for outbound connections. Configure manually:

# Enable temporary addresses
Set-NetIPv6Protocol -UseTemporaryAddresses Enabled
# Disable (not recommended)
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

Check your current addresses:

Get-NetIPAddress -AddressFamily IPv6 -PrefixOrigin RouterAdvertisement

Temporary addresses show Preferred lifetime values that count down.

macOS

Enabled by default on modern macOS. Verify:

sysctl net.inet6.ip6.use_tempaddr

Returns 1 if enabled. Configure with:

# Enable
sudo sysctl -w net.inet6.ip6.use_tempaddr=1
# Make permanent
echo "net.inet6.ip6.use_tempaddr=1" | sudo tee -a /etc/sysctl.conf

Temporary address lifetime (in seconds):

sysctl net.inet6.ip6.temppltime  # Preferred lifetime
sysctl net.inet6.ip6.tempvltime  # Valid lifetime

Linux

Configuration varies by distribution. Most modern distributions enable privacy extensions by default, but check:

sysctl net.ipv6.conf.all.use_tempaddr

  • 0 = disabled
  • 1 = enabled, prefer public addresses
  • 2 = enabled, prefer temporary addresses (recommended)

Enable properly:

sudo sysctl -w net.ipv6.conf.all.use_tempaddr=2
sudo sysctl -w net.ipv6.conf.default.use_tempaddr=2

Make it permanent by editing /etc/sysctl.conf or creating /etc/sysctl.d/99-ipv6-privacy.conf:

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

Apply changes:

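# Reloads /etc/sysctl.conf and every file in /etc/sysctl.d/ (plain "sysctl -p" reads only /etc/sysctl.conf)
sudo sysctl --system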

Check active addresses:

ip -6 addr show scope global

Temporary addresses are marked with the temporary flag and show preferred_lft and valid_lft values.
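To check this across interfaces instead of by eye, the following added example (not from the original page) parses `ip -6 addr show scope global` output and reports, per interface, the preferred temporary addresses and any EUI-64 address left without one. The sample output and the interface names eth0 and wlan0 are constructed.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show scope global` output (not from a real host).
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:a4b2:c9d1:e3f4:5a6b/64 scope global temporary dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 2001:db8:1234:5678:1234:5678:9abc:def0/64 scope global temporary deprecated dynamic
       valid_lft 3000sec preferred_lft 0sec
    inet6 2001:db8:1234:5678:21a:2bff:fe3c:4d5e/64 scope global dynamic mngtmpaddr
       valid_lft 86000sec preferred_lft 14000sec
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:aaaa:1:21a:2bff:fe3c:4d5e/64 scope global dynamic
       valid_lft 86000sec preferred_lft 14000sec
"""

IFACE = re.compile(r"^\d+:\s+([^:@\s]+)")
INET6 = re.compile(r"^\s+inet6\s+(\S+)/\d+\s+scope\s+global\s*(.*)$")

def parse_addresses(text):
    """Yield (interface, address, flags) for each global inet6 line."""
    iface = None
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif m := INET6.match(line):
            yield iface, ipaddress.IPv6Address(m.group(1)), set(m.group(2).split())

def audit(text):
    """Per interface: preferred temporary addresses and EUI-64 shaped addresses."""
    report = {}
    for iface, addr, flags in parse_addresses(text):
        entry = report.setdefault(iface, {"temporary": [], "eui64": []})
        if "temporary" in flags and "deprecated" not in flags:
            entry["temporary"].append(str(addr))
        if addr.packed[11:13] == b"\xff\xfe":  # ff:fe in the middle of the Interface ID
            entry["eui64"].append(str(addr))
    for entry in report.values():
        # With no preferred temporary address, outbound traffic uses the MAC-derived one.
        entry["eui64_without_temporary"] = bool(entry["eui64"]) and not entry["temporary"]
    return report
```

On a live host, pass the command's real output to `audit()`. An interface that has a temporary address can still prefer the public one when use_tempaddr is 1, so confirm the sysctl value as well.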

Mobile Devices

iOS: Privacy extensions enabled by default since iOS 4.3. No user configuration available.

Android: Enabled by default on Android 8.0+. Earlier versions may use stable addresses. Check in Settings → About → Status, though you cannot typically disable privacy extensions.


When NOT to Use Privacy Extensions

Privacy extensions break scenarios requiring stable addresses:

Servers and services: If you're running a web server, SSH daemon, or any service that needs incoming connections, disable privacy extensions or configure the service to bind to the stable address specifically.

# Linux: disable for specific interface
sudo sysctl -w net.ipv6.conf.eth0.use_tempaddr=0

DNS records: You cannot point DNS at a rotating address. Servers need stable IPs.

Network equipment: Routers, firewalls, and network infrastructure should use stable addressing for management.

Firewall rules: If you whitelist specific addresses, rules that match a temporary address will break when that address rotates.

Logging and monitoring: Correlating logs across address changes becomes difficult. For internal networks where privacy isn't a concern, stable addresses simplify troubleshooting.


Beyond Privacy Extensions

Privacy extensions only protect the Interface ID. Your /64 prefix still reveals your ISP and general location. Additional measures:

VPN with IPv6 support: Tunnels all traffic through the VPN provider's IPv6 address space. Verify your VPN actually routes IPv6 traffic; many disable IPv6 entirely, which leaks your real IPv6 address.

Test for leaks at test-ipv6.com while connected to your VPN.

Prefix rotation: Some ISPs rotate your /64 prefix periodically. This is rare and not standardized. Most residential connections keep the same prefix indefinitely.

Tor: Tor supports IPv6 at exit nodes, but many relays are IPv4-only. Your traffic might exit over IPv4 even if you have IPv6 connectivity.

NAT66: Network Address Translation for IPv6 exists but breaks the end-to-end principle and is controversial. Not recommended.

The most practical combination: privacy extensions enabled on client devices + VPN for complete address masking when needed.

Check your current privacy posture by visiting ping6.net and noting whether your Interface ID changes over time (it should with privacy extensions enabled).

Privacy extensions are a basic security measure that should be enabled on all client devices. They're not perfect protection, but they eliminate the most obvious tracking vector in IPv6 addressing.

