Why does my Windows have hundreds of temporary IPv6 addresses?

Solution 1:

Does anyone have an idea what is triggering this behaviour and how to prevent it?

From the link Brian gave you, "Temporary addresses are generated for public address prefixes that use stateless address autoconfiguration."

More specifically, each process generates a resource request and the OS delivers. The IPv6 SAA is defined in RFC 2462, but the "Temporary IPv6 Address" comes from Windows' implementation of RFC 4941. So the question becomes what process is responsible for initiating an OS request to open a socket that has these Privacy Extensions.

To answer your question what is triggering this, let's look at hardware and software.

OS

Windows manages temporary addresses with parameters defined in netsh interface ipv6 show privacy. To modify them, run netsh interface ipv6 set privacy ?

To check what they are set to on a Linux machine, you would check the kernel variables in /proc/sys/net. You may find the pertinent values for your distro with sysctl -a --pattern ^net\..*ipv?6.*temp.* and alter the desired variable with sysctl -w foo.bar.var=<new value> (it should be similar on your Apple machine; check man sysctl).

Hardware/OS

You did netstat -p TCPv6, but it may not be a TCP connection.

Run netstat -bes twice, a few minutes apart, and see what the differences between the *v6 blocks are.

While I suppose it could be a hardware issue in that the NIC firmware is failing at handling ipv6, it is more likely to be software OS/process being the trigger. If it is hardware, the software side may not be handling the break in the session gracefully and is unable to resume the connection on the previous IP. So IDing it as a software issue doesn't necessarily preclude a hardware issue.

Software/OS system processes and services

For this, view network traffic with http://www.nirsoft.net/utils/network_traffic_view.html to identify the process.

Because these addresses, by definition, are temporary, they can remain temporarily after the process ends, so you may not be seeing a current, running process with an open connection in NTV if the socket closes immediately.

For this use Process Explorer (http://live.sysinternals.com/tools/procexp.exe) and difference highlighting (Options > Difference Highlighting Duration > 9) and then scroll to new processes (View > Scroll to new processes). An entire row green/red shows a process created or destroyed, respectively, in the last 9 seconds.

Once you identify the process, if it is a browser or any app with plugins, you will have to debug which plugin or website javascript could possibly be causing the issue by starting the browser in safe mode and enabling plugin by plugin.

Solution 2:

Because IPv6 address identifiers remain static, for security reasons, temporary addresses are used. Temporary addresses are IPv6 interface identifiers that provide a level of anonymity. These addresses can be randomly generated and changed over time. The IPv6 protocol for Windows creates temporary addresses for global address prefixes by default.

I do not recommend disabling temporary IPv6 addresses. However, you can disable them with the following commands and a reboot:

netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set privacy state=disabled

In Windows 10 and Server 2016 you can use the PowerShell Set-NetIPv6Protocol cmdlet to set limits:

# The computer always generates temporary addresses by using random numbers. 
Set-NetIPv6Protocol -UseTemporaryAddresses Always

# The computer generates temporary addresses by using the interface identifier. 
# You typically use this identifier for test purposes. 
Set-NetIPv6Protocol -UseTemporaryAddresses Counter

# The computer does not use temporary addresses. 
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

# The computer uses temporary addresses.
Set-NetIPv6Protocol -UseTemporaryAddresses Enabled

To find what process is using the temporary address, check the entry whose Local Address column matches your temporary address in the netstat output:

netstat -p tcpv6 -o -f -b

If that fails to find anything, you need to use a tracing tool such as Sysmon.

To perform this with SysMon, create an XML file IPv6.xml with the following text:

<Sysmon schemaversion="3.2">
    <EventFiltering>
        <NetworkConnect onmatch="include">
            <SourceIsIpv6>true</SourceIsIpv6>
        </NetworkConnect>
    </EventFiltering>
</Sysmon>

Then download SysMon and install the configuration file:

SysMon -i IPv6.xml

This will log IPv6 connections in Windows Event log under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational

When monitoring is complete, stop monitoring:

SysMon -u

If you filter by "Event ID 3" you will get the network events, with details such as the ones below:

Log Name:      Microsoft-Windows-Sysmon/Operational
Source:        Microsoft-Windows-Sysmon
Date:          9/01/2018 9:55:08 PM
Event ID:      3
Task Category: Network connection detected (rule: NetworkConnect)
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      DESKTOP-RTTN04O
Description:
Network connection detected:
UtcTime: 2018-01-09 10:55:06.915
ProcessGuid: {14ab83bf-c0d9-5a52-0000-00102da40e00}
ProcessId: 3628
Image: C:\Windows\System32\svchost.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: true
SourceIsIpv6: true
SourceIp: 2001:8003:550d:d400:b81c:a2ed:f99a:b31f
SourceHostname: DESKTOP-RTTN04O.gateway
SourcePort: 55723
SourcePortName: 
DestinationIsIpv6: true
DestinationIp: 2001:8006:3510:393:0:0:0:25bb
DestinationHostname: 
DestinationPort: 443
DestinationPortName: https
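As an added example, not from either answer, the following Python script does the correlation Solution 2 describes offline: it parses Sysmon Event ID 3 records in the text form shown above together with the Addr Type column of netsh interface ipv6 show addresses, and reports which process image opened connections from each temporary (RFC 4941) address. The sample events and netsh output are constructed (2001:db8 documentation addresses, a made-up updater.exe), so run it against your own exported records.

```python
import ipaddress

# Constructed Sysmon Event ID 3 records in the text form of the Event Viewer output
# above, trimmed to the fields used here; the addresses and updater.exe are made up.
SYSMON_EVENTS = """\
Image: C:\\Windows\\System32\\svchost.exe
SourceIsIpv6: true
SourceIp: 2001:db8:1:2:b81c:a2ed:f99a:b31f

Image: C:\\Program Files\\Example\\updater.exe
SourceIsIpv6: true
SourceIp: 2001:db8:1:2:9d3e:11aa:bb02:7c10

Image: C:\\Windows\\System32\\svchost.exe
SourceIsIpv6: false
SourceIp: 192.0.2.10
"""

# Constructed `netsh interface ipv6 show addresses` output; Addr Type marks the temporary ones.
NETSH_ADDRESSES = """\
Addr Type  DAD State   Valid Life   Pref. Life   Address
Public     Preferred   6d23h59m58s  23h59m58s    2001:db8:1:2:1234:5678:9abc:def0
Temporary  Preferred   6d23h59m58s  23h59m58s    2001:db8:1:2:b81c:a2ed:f99a:b31f
Temporary  Deprecated  5d21h10m02s  0s           2001:db8:1:2:9d3e:11aa:bb02:7c10
"""

def parse_sysmon_events(text):
    # One dict per blank-line-separated record, built from its "Key: value" lines.
    return [dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
            for block in text.strip().split("\n\n")]

def temporary_addresses(netsh_text):
    # Collect the addresses netsh labels Temporary; a zone id such as %12 is dropped.
    temps = set()
    for line in netsh_text.splitlines():
        cols = line.split()
        if cols and cols[0] == "Temporary":
            temps.add(ipaddress.IPv6Address(cols[-1].split("%")[0]))
    return temps

def processes_by_temporary_address(events, temps):
    # Map each temporary address (normalised form) to the images that connected from it.
    result = {}
    for ev in events:
        if ev.get("SourceIsIpv6") != "true":
            continue
        src = ipaddress.IPv6Address(ev["SourceIp"])
        if src in temps:
            result.setdefault(str(src), set()).add(ev["Image"])
    return {addr: sorted(images) for addr, images in result.items()}
```

A deprecated temporary address still shows up here for as long as the old process keeps its socket open, which is why Solution 2's suggestion to keep Sysmon running for a while matters.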