Disable IPv6 autoconf (MAC-based) IPv6 address without disabling privacy addresses?

4

5

Is it possible to configure the Linux kernel to automatically get the RFC4941 temporary (privacy) IPv6 addresses without getting the RFC4862 public (MAC-based) IPv6 address?

With the following sysctl settings on my Ubuntu 13.04 Linux system, I get the temporary IPv6 addresses, but I also get the public MAC-based IPv6 address:

net.ipv6.conf.eth0.autoconf=1
net.ipv6.conf.eth0.use_tempaddr=2

I don't want the MAC-based IPv6 address. I just want the temporary privacy addresses. I realize that use_tempaddr=2 says to prefer the temporary address, but applications can still bind() to the MAC-based address or use the IPV6_PREFER_SRC_PUBLIC sockopt (see RFC5014) to override this preference. I predict applications like Adobe Flash will allow web sites to have their flash applications phone home using the MAC-based IP, making it that much harder for people to avoid being tracked by marketers (or governments) wherever they go.

With the following sysctl settings:

net.ipv6.conf.eth0.autoconf=0
net.ipv6.conf.eth0.use_tempaddr=2

I get no automatically configured IPv6 addresses. None.

How do I get temporary IPv6 addresses without getting the MAC-based IPv6 address?

Richard Hansen

Posted 2013-09-14T06:32:38.333

Reputation: 461

Richard, just curious: did you ever find a satisfying solution? (Michael's answer may be correct, but I really don't know.) – Arjan – 2013-10-28T12:36:11.127

Answers

1

Sorry, no. If you want temporary addresses, you must be using either stateless address autoconfiguration (as you already know) or DHCPv6, which can be configured to request temporary addresses from the DHCPv6 server. In your case, DHCPv6 is probably the way you will want to go, and it is what most major ISPs are deploying.

Michael Hampton

Posted 2013-09-14T06:32:38.333

Reputation: 11 744

I'm hoping someone will jump in and prove you wrong, but I think you're right. :( – Richard Hansen – 2013-10-28T20:38:46.620

0

With recent kernels (or recent NetworkManager versions), you can enable RFC 7217 address generation mode, which provides stable addresses based on a secret seed.

For autoconfiguration by NetworkManager ≥ v1.2

NetworkManager 1.2 handles autoconf and assigns addresses on its own.

$ nmcli con modify "Ethernet" ipv6.addr-gen-mode stable-privacy

This can be set for all new connections via NetworkManager.conf.

For autoconfiguration by the kernel

Older NM versions and non-NM systems rely on the kernel to assign addresses. The new addrgenmode can be activated via sysctl:

net.ipv6.conf.default.stable_secret = 1d8b:4da9:888k:5a65:7aaa:7o2d:ce60:ec4e

Of course, you'll need to generate your own key instead:

$ head -c 16 /dev/urandom | xxd -p | sed "s/..../:&/g; s/://"

Use ip -d link to make sure "addrgenmode stable_secret" is shown.

user1686

Posted 2013-09-14T06:32:38.333

Reputation: 283 655

Under busybox, pipe urandom into xxd -p -c 16 (or install vim for its xxd) – Stuart Cardall – 2018-08-07T13:54:08.140
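
A check for the concern raised in the question, as an added example that is not part of any post above: it parses `ip -o -6 addr show` output and reports every address whose interface identifier is the modified EUI-64 form of the interface's MAC. The MAC, the prefixes and both sample outputs are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) of a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit, then insert ff:fe between the two halves.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def mac_derived(ip_output, mac):
    """Return [(address, scope)] for addresses whose low 64 bits encode mac."""
    iid = eui64_iid(mac)
    hits = []
    for line in ip_output.splitlines():
        tok = line.split()
        if "inet6" not in tok:
            continue
        addr = ipaddress.IPv6Interface(tok[tok.index("inet6") + 1]).ip
        if int(addr) & (2**64 - 1) == iid:
            scope = tok[tok.index("scope") + 1] if "scope" in tok else "unknown"
            hits.append((str(addr), scope))
    return hits

# Constructed sample data (documentation prefix 2001:db8::/32, made-up MAC).
MAC = "52:54:00:12:34:56"

# autoconf=1, use_tempaddr=2: temporary address plus the MAC-based ones.
BEFORE = """\
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link
2: eth0    inet6 2001:db8:1:2:d1a5:7c3e:90b4:11f2/64 scope global temporary dynamic
2: eth0    inet6 2001:db8:1:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
"""

# stable_secret set: identifiers no longer encode the MAC.
AFTER = """\
2: eth0    inet6 fe80::9c1f:4e07:aa31:6b02/64 scope link stable-privacy
2: eth0    inet6 2001:db8:1:2:d1a5:7c3e:90b4:11f2/64 scope global temporary dynamic
2: eth0    inet6 2001:db8:1:2:3b7e:c402:18fd:95a6/64 scope global dynamic mngtmpaddr stable-privacy
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, mac_derived(sample, MAC))
```

On a live system, pass the text printed by `ip -o -6 addr show dev eth0` and the MAC shown by `ip link` in place of the samples; an empty result means no configured address embeds the MAC.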