Attempting to use IPv6 with managed addresses internally; need help

Started by pasha-19, Today at 03:21:35 AM

I have successfully set up an IPv6 DHCP server using both DNSmasq and Kea DHCPv6 (on different interfaces/VLANs, not at the same time). Both assign the desired managed address and two more preferred addresses. However, my Windows PC, in addition to my managed address, shows addresses with my ULA prefix and, I guess, a MAC- or DUID-generated last 4 hextets. The router addresses given are IPv6 link-local addresses (fe80::/10). I am attempting to write firewall rules and ACL rules on a switch. These non-managed addresses using my prefix, and the link-local addresses used after DHCP has assigned a managed address, are preventing me from knowing about my device based on my established subnets, which are based on managed DHCP and static address assignments. I know a link-local address is part of the IPv6 DHCP process, and that is not my problem. I was hoping that after DHCP assigned a managed IP address, or after I manually assigned a static IP address, the subsequent traffic could be forced to use the managed address and not link-local or the MAC/DUID-generated value preceded by my chosen ULA-based /64 prefix. Does anyone know how to encourage the use of my managed addresses over the other UNMANAGED addresses? Is this possible? Does anyone have any suggestions?

a. If your concern is to tighten security, you can use the client MAC to enforce rules.

b. If you aim to cause clients to use only the DHCPv6-assigned address for outbound access, you want to disable the "autonomous address-configuration flag" from RFC4862.

With Kea and RADVD, you must use "Managed" mode for the interface if you want DHCPv6, see this table. "Assisted" mode would allow for DHCPv6, but still allows the client to use privacy extensions. As I do not use DNSmasq, I cannot tell how to do it when it sends RAs by itself, but I guess it is documented.

c. You can also configure individual clients to disable privacy extensions completely.

That being said, I have never tried or verified it, because I actually want clients to use privacy extensions. If I want to control or limit a client, I do that regardless of the IPv6 address used, via its MAC (method a.). The only thing I can imagine is if you want to look into logs and identify the actual client involved.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
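A way to check what the reply above calls "Managed" versus "Assisted" mode is to look at the Router Advertisement the router actually sends: the M flag in the RA header says "get addresses from DHCPv6", and the A (autonomous) flag in each Prefix Information option says "you may also build SLAAC addresses from this prefix", which is where the extra ULA-prefixed and temporary (privacy) addresses come from. The script below is an added example for this thread, not code from OPNsense, Kea, radvd or DNSmasq; it decodes the ICMPv6 body of an RA per RFC 4861 and reports those flags. The two sample packets are constructed in the script, the ULA prefix in them is a placeholder, and the mapping of flag combinations to mode names in `classify` is my own reading of the usual RA-mode table, so treat it as an assumption.

```python
"""Decode an ICMPv6 Router Advertisement and report the flags that decide
whether hosts may self-configure (SLAAC) or must use DHCPv6 (RFC 4861 4.2/4.6.2).
Added example for this thread; not from OPNsense, Kea or radvd.
The sample packets below are constructed by hand, not captured."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3


def parse_ra(payload: bytes) -> dict:
    """Parse the ICMPv6 body of an RA, starting at the Type octet.

    Returns the header flags and one entry per Prefix Information option.
    Checksum is not verified here (it needs the IPv6 pseudo-header)."""
    if len(payload) < 16:
        raise ValueError("too short for a Router Advertisement")
    icmp_type, code, _csum, _hop_limit, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "managed": bool(flags & 0x80),  # M: addresses via DHCPv6
        "other": bool(flags & 0x40),    # O: other config (DNS etc.) via DHCPv6
        "router_lifetime": lifetime,
        "prefixes": [],
    }
    off = 16
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard the packet
        end = off + opt_len * 8                       # option length is in 8-octet units
        if end > len(payload):
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", payload[off + 2:off + 12])
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: SLAAC allowed from this prefix
                "valid": valid,
                "preferred": preferred,
            })
        off = end  # unknown options are skipped, as RFC 4861 requires
    return ra


def slaac_possible(payload: bytes) -> bool:
    """True if a host receiving this RA may derive SLAAC (and thus temporary) addresses."""
    return any(p["autonomous"] for p in parse_ra(payload)["prefixes"])


def classify(ra: dict) -> str:
    """Map the flag combination to the RA-mode names used in the thread.
    This mapping is the example author's assumption, not an RFC definition."""
    autonomous = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"] and not autonomous:
        return "managed"     # DHCPv6 only: no SLAAC, hence no privacy addresses
    if ra["managed"] and autonomous:
        return "assisted"    # DHCPv6 address plus SLAAC/temporary addresses
    if ra["other"] and autonomous:
        return "stateless"   # SLAAC addresses, DHCPv6 only for DNS etc.
    if autonomous:
        return "unmanaged"   # SLAAC only
    return "router-only"     # default route only, no address configuration


def build_ra(managed: bool, other: bool, prefix: str, autonomous: bool) -> bytes:
    """Construct a minimal RA (checksum left zero) with one Prefix Information option."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)  # on-link always set here
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, pflags,
                      86400, 14400, 0) + net.network_address.packed
    return hdr + pio


# Constructed samples: same ULA placeholder prefix, with and without the A flag.
ASSISTED_RA = build_ra(managed=True, other=True, prefix="fd00:db8:1::/64", autonomous=True)
MANAGED_RA = build_ra(managed=True, other=True, prefix="fd00:db8:1::/64", autonomous=False)

if __name__ == "__main__":
    for name, pkt in (("assisted", ASSISTED_RA), ("managed", MANAGED_RA)):
        ra = parse_ra(pkt)
        print(name, "->", classify(ra), "slaac_possible:", slaac_possible(pkt), ra["prefixes"])
```

To check a real router, feed `parse_ra` the ICMPv6 body of an RA captured on the client VLAN (for example from a pcap taken with tcpdump); a Kea plus radvd setup in the "Managed" mode the reply describes should show `managed: True` and `autonomous: False` on every prefix. Two caveats for the firewall and ACL goal in the question: turning the A flag off only stops new SLAAC and temporary addresses, so existing clients keep theirs until the preferred/valid lifetimes expire or they re-join the network, and the link-local address remains the source for NDP and DHCPv6 itself no matter what the RA says.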