IPv6 allows for the hidding of your computed ipv6 / eui64 address from any external objects. With ipv6 privacy extensions, a remote site will not be able to determine your host machine/nic type just by the eui64 addressing.
The eui64 addressing is simple to compute. And as the name suggests, it crafts the bottom half of the 128bit ipv6 address ( 64bits ). With SLAAC, your router/firewall offers the top half of the 128/bit address which is the 1st 64bits. The easiest way to remember how this process works;
1: take you mac-address & within the 6bytes hex values, insert "FFFE" in the middle of your mac-address
AA:BB:CC:DD:EE:FF would now become AA BB CC FF FE DD EE FF
2: Now find the 1st octect to the far left of this value and take bit #7 and invert it. That mean if the bit is a 1 make it a 0 or if a 0 make it a 1
So using the above fictitious mac-address, I will now have crafted the eui64 address of A8 BB CC EE FF DD EE FF.
Lastly the router and it's ipv6 RA ( route advertisement ) will give you the network prefix(s) that you belong on, & creating your interface ipv6 128bit addressing.
Here's my computer ipv6 address for en0
waffen01~ kfelix$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::426c:8fff:fe03:18c4%en0 prefixlen 64 scopeid 0x4
inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
inet6 2001:414:1::426c:8fff:fe03:18c4 prefixlen 64 autoconf
inet6 2001:414:1::f149:7585:555:b340 prefixlen 64 autoconf temporary
inet6 2001:414:10::426c:8fff:fe03:18c4 prefixlen 64 autoconf
inet6 2001:414:10::97d:3bd2:72a0:7980 prefixlen 64 autoconf temporary
inet6 2001:414:11::426c:8fff:fe03:18c4 prefixlen 64 autoconf
inet6 2001:414:11::b8b4:46a3:70db:a938 prefixlen 64 autoconf temporary
media: autoselect (100baseTX <full-duplex>)
note: I bold the ipv6 address that has eui64 computed addresses.
Notice I'm on three unique ipv6 networks 2001:414:1::/64 ; 2001:414:10::/64 ; 2001:414:11::/64 and each network has 2 unique ipv6 address. One being my eui64 computed address based off my NIC's mac-address and the other one being my ipv6 privacy ipv6 address which is randomly created.
Now if I should go to a website or use anything external to my networks, the privacy extended ipv6 address will be used.
e.g ( a simple ssh to a remote ipv6 cisco router )
waffen01~ kfelix$ ssh cisco@2002:100::2
Line User Host(s) Idle Location
*194 vty 0 cisco idle 00:00:00
2001:414:1:0:F149:7585:555:B340 Interface User Mode Idle Peer Address
Se0/0/0 Sync PPP 00:00:02 18.104.22.168
You notice my address that was used is the ipv6 private one? and not the eui64 computed address?
I hope this helps with understanding ipv6 privacy extensions & how it can help ensure security by privacy. Read more about this security features on the rfc website readhere
If your too lazy to compute the address or want to confirm the address, this handy site has a eui64 computer
FWIW: To disable privacy extensions
echo 2 >/proc/sys/net/ipv6/conff/eth0/use_tempaddr
sudo sysctl -w net.inet6.ip6.use_tempaddr=0
sysctl -a net.inet6.ip6.use_tempaddr
Are you ready for ipv6 ? I can assist in ipv6 migration strategies and network design for ipv6.
kfelix " at " hyperfeed.com
Freelance Security/Network Engineer