Windows 10 Temporary IPv6 Address Creation and logging

[Brent-Steel]

I have seen wide differences in the way some hosts create their temporary IPv6 addresses. Some only have a few, while some have hundreds. This leads me to trying to find the answers to several questions, which so far have eluded me. I am aware that this feature can be disabled, and that is the only responses I seem to be able to find, but I want to understand the process behind their creation.

1. Specifically what triggers the creation of a new Temporary address.
   1. Is this something that is controlled at the OS level, or do applications have a say on when a new address is created.
   2. Why do some hosts create a new one every few seconds, and have hundreds active, while some have only one or two.
2. What triggers the deletion of an old address, with the same sub questions as (1)?
3. How do I log the fact that a new address has been created, for later auditing, and what triggered it? If I have hundreds of hosts, on my network, I need to be able to retrospectively ascertain who was the source of malicious traffic.
4. How can I identify which process(es) is responsible for creating the hundreds of addresses?
5. How do the parameters below affect address generation and deletion
   1. C:\WINDOWS\system32>netsh interface ipv6 show privacy
      Querying active state...
      
      Temporary Address Parameters
      ---------------------------------------------
      Use Temporary Addresses : enabled
      Duplicate Address Detection Attempts: 3
      Maximum Valid Lifetime : 7d
      Maximum Preferred Lifetime : 1d
      Regenerate Time : 5s
      Maximum Random Time : 10m
      Random Time : 1m57s
6. If I enter the command netsh interface ipv6 show addresses I get a long list of addresses with the same valid life and pref life. Why?

A lot of questions, Sorry about that, but I am hoping if anyone can answer them, it can help many people understand this strange behaviour, that seems to plague many people.


Kind Regards

Continue reading...