From dca8639281ce672a19e223f3e41bd40af1ca1e98 Mon Sep 17 00:00:00 2001 From: pbldp <> Date: Thu, 15 May 2014 06:07:45 +0000 Subject: [PATCH] add privacy extension hints --- .../Peter-Bieringer/Linux+IPv6-HOWTO.html | 1077 +++++++++++------ .../Peter-Bieringer/Linux+IPv6-HOWTO.lyx | 268 +++- .../Peter-Bieringer/Linux+IPv6-HOWTO.pdf | Bin 593638 -> 598459 bytes .../Peter-Bieringer/Linux+IPv6-HOWTO.sgml | 58 +- 4 files changed, 1014 insertions(+), 389 deletions(-) diff --git a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.html b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.html index 89f2635d..f1f07c85 100644 --- a/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.html +++ b/LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.html @@ -62,7 +62,7 @@ ALIGN="LEFT" >Revision 0.66wip
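Review bot: the diffstat shows regenerated outputs committed together with the source edit: Linux+IPv6-HOWTO.html (1077 lines changed) and the binary Linux+IPv6-HOWTO.pdf (593638 -> 598459 bytes) sit next to the .lyx and .sgml changes, so only a small part of the 1014 insertions is reviewable text. Consider splitting the regenerated .html/.pdf from the source edit, or at least naming the edited source file in the commit message, which currently says only "add privacy extension hints".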
When a client with IPv6 autoconfiguration enabled receives a Router Advertisement, it configures an IPv6 address for itself from the prefix contained in the advertisement (see also Section 22.4).
The Privacy Extension described in RFC 4941 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (which obsoletes RFC 3041) replaces the static interface ID used during autoconfiguration (mostly derived from the world-wide unique MAC address) with a pseudo-random one, and generates a new one from time to time while deprecating the old one. Without it, the interface ID stays the same on every network the host joins, so the host can be tracked across networks and over time.
Enable the privacy extension for an interface, e.g. “eth0”, and prefer the generated (temporary) address as source address:

# sysctl -w net.ipv6.conf.eth0.use_tempaddr=2
Afterwards, the interface must be restarted:

# ip link set dev eth0 down
# ip link set dev eth0 up
Once a router advertisement is received, the result should look like the following (the pseudo-random address carries the “temporary” flag, the MAC-based address remains configured next to it):

# ip -6 addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:0:1:8992:3c03:d6e2:ed72/64 scope global temporary dynamic    <- pseudo-random IID
       valid_lft 604711sec preferred_lft 86311sec
    inet6 2001:db8:0:1:224:21ff:fe01:2345/64 scope global    <- IID based on MAC
       valid_lft 604711sec preferred_lft 86311sec
    ...
For permanent activation, either use the per-interface initscript option of your distribution, or add an entry like the following to /etc/sysctl.conf:

net.ipv6.conf.eth0.use_tempaddr=2
Note: the interface must already exist under its final name when sysctl.conf is applied. If that is not guaranteed (udev renaming or delayed initialization), configure privacy for all interfaces by default instead; the “default” entry is the one new interfaces inherit, while the “all” entry does not propagate to interfaces that already exist:

net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2
The values can be loaded at runtime, but at least an interface down/up (or a reboot) is recommended afterwards:

# sysctl -p
Modern (client) systems use NetworkManager (here: version 0.9.9.1-5.git20140319.fc21) to configure interfaces. A command line tool (nmcli) is included, which can also change settings that the GUI does not expose.

List the existing connections with:

# nmcli connection
NAME    UUID                                  TYPE            DEVICE
ens4v1  d0fc2b2e-5fa0-4675-96b5-b723ca5c46db  802-3-ethernet  ens4v1
The current number of IPv6 privacy extension (temporary) addresses can be checked with:

# ip -o addr show dev ens4v1 | grep temporary | wc -l
0
The current IPv6 privacy extension setting can be checked with:

# nmcli connection show ens4v1 | grep ip6-privacy
ipv6.ip6-privacy: -1 (unknown)
Enable the IPv6 privacy extension and restart the connection:

# nmcli connection modify ens4v1 ipv6.ip6-privacy 2
# nmcli connection down ens4v1; nmcli connection up ens4v1
The new IPv6 privacy extension setting can be checked with:

# nmcli connection show ens4v1 | grep ip6-privacy
ipv6.ip6-privacy: 2 (active, prefer temporary IP)
Now IPv6 privacy extension addresses are configured on the interface:

# ip -o addr show dev ens4v1 | grep temporary | wc -l
2
To verify that an address with an Interface ID generated by the Privacy Extension is really used for outgoing connections, browse to http://ip.bieringer.de/; if EUI64_SCOPE shows “iid-privacy”, everything is working. Note that this only checks the address chosen as source: the MAC-based address stays configured alongside the temporary ones (see the ip output above), the privacy extension merely changes which address is preferred, and the stable address remains reachable for inbound connections.
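The following shell functions are an added example, not part of the HOWTO. They make the tracking problem behind RFC 4941 concrete: `iid_kind` tells a MAC-derived (modified EUI-64) interface ID from an opaque one, `mac_from_eui64` reads the MAC back out of such an address, and `check_iface` runs the classification over every global address of an interface (it assumes a Linux host with iproute2 and /proc/sys; nothing else on the page implies these functions). The sample addresses are the 2001:db8::/32 documentation addresses from the listing above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the HOWTO): tell MAC-derived (modified EUI-64)
# interface identifiers apart from RFC 4941 temporary/opaque ones, and show
# what an EUI-64 IID gives away. A modified-EUI-64 IID is the 48-bit MAC with
# ff:fe inserted in the middle and the universal/local bit (0x02 of the first
# byte) inverted, so the MAC can be read straight back out of the address.

# expand_ipv6 ADDR[/PLEN]: print ADDR as eight zero-padded, lowercase hex
# groups with the "::" expanded. Returns 1 if ADDR is not a valid address
# (for example a "::" that would stand for zero groups).
expand_ipv6() {
    printf '%s\n' "$1" | awk '
    function ok(g)  { return g ~ /^[0-9a-f][0-9a-f]?[0-9a-f]?[0-9a-f]?$/ }
    function pad(g) { return substr("0000", 1, 4 - length(g)) g }
    {
        a = tolower($0); sub(/\/.*/, "", a)          # drop a trailing /prefixlen
        n = split(a, half, "::")                     # at most one "::" allowed
        nl = (n >= 1 && half[1] != "") ? split(half[1], L, ":") : 0
        nr = (n == 2 && half[2] != "") ? split(half[2], R, ":") : 0
        if (n == 2) { fill = 8 - nl - nr; if (fill < 1) exit 1 } else if (n == 1 && nl == 8) fill = 0; else exit 1
        out = ""
        for (i = 1; i <= nl; i++) { if (!ok(L[i])) exit 1; out = out pad(L[i]) ":" }
        for (i = 1; i <= fill; i++) out = out "0000:"
        for (i = 1; i <= nr; i++) { if (!ok(R[i])) exit 1; out = out pad(R[i]) ":" }
        print substr(out, 1, length(out) - 1)
    }'
}

# iid_kind ADDR: print "eui64" if the low 64 bits carry the ff:fe marker of a
# MAC-derived IID, otherwise "opaque" (temporary, random or manual).
iid_kind() {
    full=$(expand_ipv6 "$1") || return 1
    set -- $(printf '%s\n' "$full" | tr ':' ' ')    # $1..$8 = the eight groups
    case "$6:$7" in
        ??ff:fe??) echo eui64 ;;
        *)         echo opaque ;;
    esac
}

# mac_from_eui64 ADDR: recover the MAC from a modified-EUI-64 IID by dropping
# ff:fe and flipping the u/l bit back. Returns 1 if the IID is not EUI-64.
mac_from_eui64() {
    [ "$(iid_kind "$1")" = eui64 ] || return 1
    set -- $(expand_ipv6 "$1" | tr ':' ' ')
    first=$(( 0x${5%??} ^ 2 ))                      # first MAC byte, u/l bit inverted
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "${5#??}" "${6%??}" "${7#??}" "${8%??}" "${8#??}"
}

# check_iface DEV: on a Linux host, print the use_tempaddr setting of DEV and
# classify each of its global addresses (needs iproute2 and /proc/sys).
check_iface() {
    dev=$1
    echo "$dev use_tempaddr=$(cat /proc/sys/net/ipv6/conf/"$dev"/use_tempaddr 2>/dev/null || echo '?')"
    ip -o -6 addr show dev "$dev" scope global | while read -r _ _ _ addr rest; do
        flag=stable; case " $rest " in *" temporary "*) flag=temporary ;; esac
        kind=$(iid_kind "$addr"); mac=''
        [ "$kind" = eui64 ] && mac=" (reveals MAC $(mac_from_eui64 "$addr"))"
        echo "  $addr $flag iid=$kind$mac"
    done
}

# Usage: sh iidcheck.sh ens4v1
if [ $# -gt 0 ]; then check_iface "$1"; fi
```

Run it as `sh iidcheck.sh ens4v1` after the steps above. An interface that reports use_tempaddr=2 but no address flagged temporary has not picked up the setting yet, and any line with iid=eui64 is an address that still encodes the MAC and answers to inbound traffic, which the single-source-address check at ip.bieringer.de does not show.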