Windows 11 now implements RFC 7217 (stable privacy addresses)!

Douglas Fischer fischerdouglas at
Tue Dec 13 10:48:09 UTC 2022

Good news!
Good perspectives for the future...

But this thread reminded me of RFC 3021 and Windows... Since December

On Tue, Dec 13, 2022 03:45, Fernando Gont <fgont at>

> Folks,
>
> After over 10 (yes, *ten*) years, we have finally addressed
> security/privacy issues in the generation of IPv6 stable addresses in
> most popular operating systems.
>
> The traditional scheme/algorithm to generate stable IPv6 addresses with
> SLAAC required that the underlying MAC address be employed to generate
> the Interface Identifier. That is, the underlying MAC address would be
> embedded in the lower bits of an IPv6 address.
>
> This scheme allowed for host-tracking (since MAC addresses are usually
> globally-unique), address scanning (since addresses will follow specific
> patterns) and a number of other issues.
>
> In 2011, I submitted an IETF Internet-Draft proposing a scheme for
> generating stable addresses with SLAAC, meant to replace the traditional
> scheme. The scheme could be summarised and simplified as: Interface_ID =
> Hash(Prefix, Secret). Thus, interface identifiers would be stable within
> the same subnet, but vary across subnets.
>
> [Replacing the traditional scheme with this new scheme was anything but
> easy -- if you're curious, please check the "IPv6 Addressing" section in
> <
> ]
>
> Over time, popular operating systems and packages adopted the proposed
> algorithm: the Linux kernel, NetworkManager, OpenBSD's slaacd, MacOS,
> etc. Eventually, virtually every popular OS had adopted the scheme....
> except Windows.
>
> Based on a recent note by Brian Carpenter, I ended up testing Windows
> 11, and I can confirm that it does implement RFC 7217 / RFC 8064!
>
> Therefore, e.g. if multiple prefixes are employed on a subnet, the
> stable addresses for each of such prefixes will employ a different
> Interface Identifier, thus avoiding the security/privacy issues
> discussed above -- this is really good news!
>
> Unfortunately, Windows still generates temporary addresses with the
> algorithm specified in RFC 4941, thus resulting in all temporary
> addresses for a given interface employing the same Interface Identifier
> (!). This problem has been addressed in RFC 8981... but its
> implementation is not yet widespread (it has been incorporated in
> e.g. the Linux kernel, though).
>
> I just hope it doesn't take Windows and others yet another 10+ years to
> implement RFC 8981, to finally address the remaining security/privacy
> issues in IPv6 address generation!
>
> [Original article with screenshots:
> ]
>
> Thanks!
>
> Regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at
> PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
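To make the contrast in the quoted message concrete, here is an added Python sketch (not code from either poster, nor an OS implementation) of the two Interface Identifier schemes: the traditional modified EUI-64 derivation, which embeds the MAC address in every address regardless of prefix, and an RFC 7217-style derivation in which the IID is a hash of the prefix and a per-host secret (plus interface name and a DAD counter, as in section 5 of the RFC). SHA-256 as the hash function, the MAC address, the secret key and the example prefixes are all constructed assumptions.

```python
import hashlib
import ipaddress

# Constructed sample values (assumptions, not taken from the post).
MAC = "00:1b:21:3c:4d:5e"
SECRET_KEY = bytes.fromhex("6f1a5d7e" * 8)  # 256-bit per-host secret, never sent on the wire


def eui64_iid(mac: str) -> bytes:
    """Traditional modified EUI-64 IID: the MAC is recoverable from the address."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02  # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def rfc7217_iid(prefix: str, net_iface: str, network_id: bytes = b"",
                dad_counter: int = 0, secret_key: bytes = SECRET_KEY) -> bytes:
    """RFC 7217-style IID: RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    SHA-256 stands in for F here (an assumption; the RFC lets the implementer choose).
    The same host gets the same IID for the same prefix, but a different one per prefix,
    and nothing about the link-layer address leaks into the result.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    data = (net.network_address.packed[:8]      # the /64 prefix
            + net_iface.encode()                # ties the IID to one interface
            + network_id                        # optional, e.g. an SSID; empty here
            + dad_counter.to_bytes(1, "big")    # bumped on a DAD collision
            + secret_key)
    return hashlib.sha256(data).digest()[:8]


def stable_address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with an 8-byte IID into a full IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


if __name__ == "__main__":
    for pfx in ("2001:db8:1::/64", "2001:db8:2::/64"):
        print(pfx, "EUI-64:", stable_address(pfx, eui64_iid(MAC)),
              "RFC7217:", stable_address(pfx, rfc7217_iid(pfx, "eth0")))
```

Run it and the EUI-64 column shows the identical suffix for both prefixes (the tracking and scanning problem the post describes), while the RFC 7217 column changes with the prefix.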
