Hi all,
On an up-to-date F17 x86_64 box I was testing IPv6 and it was pointed out that the IPv6 address that Fedora uses is traceable because it ends in the MAC address of the nic. I don't like that and want to enable privacy extensions which should replace the MAC address with some random stuff in the IPv6 address.
I added the following to /etc/sysctl.d/ipv6_privacy_extensions and rebooted:
net.ipv6.conf.default.use_tempaddr = 1
net.ipv6.conf.default.temp_prefered_lft = 7200
Unfortunately this does not work as I don't see an IPv6 address with "scope global dynamic" and if I go to http://ip6.nl then it still shows my IPv6 address with the MAC address in it.
Anyone know how to make this work?
Thanks, Patrick
On 1/4/2013 1:30, Patrick Lists wrote:
Hi all,
On an up-to-date F17 x86_64 box I was testing IPv6 and it was pointed out that the IPv6 address that Fedora uses is traceable because it ends in the MAC address of the nic. I don't like that and want to enable privacy extensions which should replace the MAC address with some random stuff in the IPv6 address.
I added the following to /etc/sysctl.d/ipv6_privacy_extensions and rebooted:
net.ipv6.conf.default.use_tempaddr = 1
net.ipv6.conf.default.temp_prefered_lft = 7200
Unfortunately this does not work as I don't see an IPv6 address with "scope global dynamic" and if I go to http://ip6.nl then it still shows my IPv6 address with the MAC address in it.
Anyone know how to make this work?
Thanks, Patrick
According to my Googling, net.ipv6.conf.default.use_tempaddr should have a value of 2, not 1.
According to the Arch wiki [0] also:
# Enable IPv6 Privacy Extensions
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.<nic0>.use_tempaddr = 2
...
net.ipv6.conf.<nicN>.use_tempaddr = 2
[0] - https://wiki.archlinux.org/index.php/IPv6
On 01/04/2013 07:34 AM, staticsafe wrote:
On 1/4/2013 1:30, Patrick Lists wrote:
Hi all,
On an up-to-date F17 x86_64 box I was testing IPv6 and it was pointed out that the IPv6 address that Fedora uses is traceable because it ends in the MAC address of the nic. I don't like that and want to enable privacy extensions which should replace the MAC address with some random stuff in the IPv6 address.
I added the following to /etc/sysctl.d/ipv6_privacy_extensions and rebooted:
net.ipv6.conf.default.use_tempaddr = 1
net.ipv6.conf.default.temp_prefered_lft = 7200
Unfortunately this does not work as I don't see an IPv6 address with "scope global dynamic" and if I go to http://ip6.nl then it still shows my IPv6 address with the MAC address in it.
Anyone know how to make this work?
Thanks, Patrick
According to my Googling, net.ipv6.conf.default.use_tempaddr should have a value of 2, not 1.
According to the Arch wiki [0] also:
# Enable IPv6 Privacy Extensions
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.<nic0>.use_tempaddr = 2
...
net.ipv6.conf.<nicN>.use_tempaddr = 2
Thank you for your suggestion. I fixed the value of those settings and rebooted but still no joy. I am not using NetworkManager. Using network instead with a bridged br0 interface because I have several VMs on this box. Maybe that is messing things up or maybe the AVM Fritz!Box ADSL modem handing out the IPv6 addresses is to blame for not handling this properly.
Regards, Patrick
On 01/04/2013 08:59 AM, Michael Cronenworth wrote:
On 01/04/2013 12:30 AM, Patrick Lists wrote:
Anyone know how to make this work?
Thanks to the hard work of the NetworkManager developers, this is already enabled by default if you use NetworkManager. If not... you'll have to resort to sysctl tweaks.
Thanks, but I am using network, not NetworkManager, because I need a br0 interface to access VMs on this box. Adding the values suggested by staticsafe in another post did not work either.
Regards, Patrick
On Fri, 4 Jan 2013, Patrick Lists wrote:
On an up-to-date F17 x86_64 box I was testing IPv6 and it was pointed out that the IPv6 address that Fedora uses is traceable because it ends in the MAC address of the nic. I don't like that and want to enable privacy extensions which should replace the MAC address with some random stuff in the IPv6 address.
I added the following to /etc/sysctl.d/ipv6_privacy_extensions and rebooted:
net.ipv6.conf.default.use_tempaddr = 1
net.ipv6.conf.default.temp_prefered_lft = 7200
Unfortunately this does not work as I don't see an IPv6 address with "scope global dynamic" and if I go to http://ip6.nl then it still shows my IPv6 address with the MAC address in it.
Anyone know how to make this work?
Add:
IPV6_PRIVACY=rfc3041
to /etc/sysconfig/network-scripts/ifcfg-nicN
Restart the network service (I never tested this with NetworkManager).
Gabriel
- --
// Gabriel VLASIU // // OpenGPG-KeyID : 44952F15 // OpenGPG-Fingerprint: 4AC5 7C26 2FE9 02DA 4906 24B2 D32B 7ED7 4495 2F15 // OpenGPG-URL : http://www.vlasiu.net/public.key
On 01/04/2013 11:27 AM, Gabriel VLASIU wrote:
On Fri, 4 Jan 2013, Patrick Lists wrote:
On an up-to-date F17 x86_64 box I was testing IPv6 and it was pointed out that the IPv6 address that Fedora uses is traceable because it ends in the MAC address of the nic. I don't like that and want to enable privacy extensions which should replace the MAC address with some random stuff in the IPv6 address.
I added the following to /etc/sysctl.d/ipv6_privacy_extensions and rebooted:
net.ipv6.conf.default.use_tempaddr = 1
net.ipv6.conf.default.temp_prefered_lft = 7200
Unfortunately this does not work as I don't see an IPv6 address with "scope global dynamic" and if I go to http://ip6.nl then it still shows my IPv6 address with the MAC address in it.
Anyone know how to make this work?
Add:
IPV6_PRIVACY=rfc3041
to /etc/sysconfig/network-scripts/ifcfg-nicN
Restart the network service (I never tested this with NetworkManager).
Thank you for your suggestion. I added it to both ifcfg-p21p1 and ifcfg-br0 and rebooted but still no joy. I'm using network (not NetworkManager) and a bridged interface br0 because of several VMs on this box. Maybe that is causing this not to work or my AVM Fritz!box ADSL modem which hands out the IPv6 addresses.
Regards, Patrick
On Fri, 4 Jan 2013, Patrick Lists wrote:
Add:
IPV6_PRIVACY=rfc3041
to /etc/sysconfig/network-scripts/ifcfg-nicN
Restart the network service (I never tested this with NetworkManager).
Thank you for your suggestion. I added it to both ifcfg-p21p1 and ifcfg-br0 and rebooted but still no joy. I'm using network (not NetworkManager) and a bridged interface br0 because of several VMs on this box. Maybe that is causing this not to work or my AVM Fritz!box ADSL modem which hands out the IPv6 addresses.
I also use network.
$ grep IPV6_PRIVACY=rfc3041 /etc/sysconfig/network-scripts/*
/etc/sysconfig/network-scripts/ifcfg-eth0:IPV6_PRIVACY=rfc3041
/etc/sysconfig/network-scripts/ifcfg-wlan0:IPV6_PRIVACY=rfc3041

$ ip -6 a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fc00::100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2a02:2f07:c060:113:9dc0:4eaa:XXXX:XXXX/64 scope global temporary dynamic
       valid_lft 86369sec preferred_lft 14369sec
    inet6 2a02:2f07:c060:113:21b:38ff:YYYY:YYYY/64 scope global dynamic
       valid_lft 86369sec preferred_lft 14369sec
    inet6 fc00::9dc0:4eaa:XXXX:XXXX/64 scope global temporary dynamic
       valid_lft 86369sec preferred_lft 14369sec
    inet6 fc00::21b:38ff:YYYY:YYYY/64 scope global dynamic
       valid_lft 86369sec preferred_lft 14369sec
    inet6 fe80::21b:38ff:YYYY:YYYY/64 scope link
       valid_lft forever preferred_lft forever
Try adding (keep IPV6_PRIVACY=rfc3041)
net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.all.use_tempaddr=2
in /etc/sysctl.d/ipv6_privacy_extensions and reboot.
No need for net.ipv6.conf.<nicN>.use_tempaddr=2 since /etc/sysconfig/network-scripts/ifup-ipv6 does this for you:
if [ "$IPV6_PRIVACY" = "rfc3041" ]; then
    /sbin/sysctl -e -w net.ipv6.conf.$SYSCTLDEVICE.use_tempaddr=2 >/dev/null 2>&1
    if [ $? -ne 0 ]; then
        net_log $"Cannot enable IPv6 privacy method '$IPV6_PRIVACY', not supported by kernel"
    fi
fi
Gabriel
- --
// Gabriel VLASIU // // OpenGPG-KeyID : 44952F15 // OpenGPG-Fingerprint: 4AC5 7C26 2FE9 02DA 4906 24B2 D32B 7ED7 4495 2F15 // OpenGPG-URL : http://www.vlasiu.net/public.key
On 01/04/2013 03:26 PM, Gabriel VLASIU wrote: [snip]
I also use network.
$ grep IPV6_PRIVACY=rfc3041 /etc/sysconfig/network-scripts/*
/etc/sysconfig/network-scripts/ifcfg-eth0:IPV6_PRIVACY=rfc3041
/etc/sysconfig/network-scripts/ifcfg-wlan0:IPV6_PRIVACY=rfc3041

$ ip -6 a s eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fc00::100/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2a02:2f07:c060:113:9dc0:4eaa:XXXX:XXXX/64 scope global temporary dynamic
       valid_lft 86369sec preferred_lft 14369sec
    inet6 2a02:2f07:c060:113:21b:38ff:YYYY:YYYY/64 scope global dynamic
       valid_lft 86369sec preferred_lft 14369sec
    inet6 fc00::9dc0:4eaa:XXXX:XXXX/64 scope global temporary dynamic
       valid_lft 86369sec preferred_lft 14369sec
    inet6 fc00::21b:38ff:YYYY:YYYY/64 scope global dynamic
       valid_lft 86369sec preferred_lft 14369sec
    inet6 fe80::21b:38ff:YYYY:YYYY/64 scope link
       valid_lft forever preferred_lft forever
Try adding (keep IPV6_PRIVACY=rfc3041)
net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.all.use_tempaddr=2
in /etc/sysctl.d/ipv6_privacy_extensions and reboot.
[snip]
Thank you for your elaborate feedback, Gabriel. It works now.
Thanks again, Patrick
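A way to verify the outcome discussed in this thread, added here as an example and not written by any of the posters: it classifies the global addresses in `ip -6 addr show` output as temporary (privacy extensions active) or MAC-derived. The function names and the sample output (documentation prefix 2001:db8::/32, made-up MAC 00:1b:38:12:34:56) are constructed for illustration, and the `ff:fe` match is a heuristic for modified EUI-64 interface identifiers.

```sh
#!/bin/sh
# Added example: audit `ip -6 addr show` output for MAC-derived addresses.

# Constructed sample, modelled on the output format shown in the thread.
SAMPLE_IP_OUTPUT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:0:113:9dc0:4eaa:1c2d:3e4f/64 scope global temporary dynamic
       valid_lft 86369sec preferred_lft 14369sec
    inet6 2001:db8:0:113:21b:38ff:fe12:3456/64 scope global dynamic
       valid_lft 86369sec preferred_lft 14369sec
    inet6 fe80::21b:38ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

# Reads `ip -6 addr show` text on stdin and prints "<kind> <address>"
# for every global-scope address:
#   temporary  flagged by the kernel as a privacy (temporary) address
#   eui64      last 64 bits carry the ff:fe filler of a MAC-derived ID
#   other      anything else (static, DHCPv6, ...)
classify_inet6() {
    awk '
    $1 == "inet6" {
        scope = ""
        for (i = 3; i < NF; i++) if ($i == "scope") scope = $(i + 1)
        if (scope != "global") next          # skip link-local and host scope
        addr = tolower($2); sub(/\/[0-9]+$/, "", addr)
        kind = "other"
        if ($0 ~ / temporary( |$)/)
            kind = "temporary"
        else if (addr ~ /(^|:)[0-9a-f]?[0-9a-f]?ff:fe[0-9a-f][0-9a-f]:[0-9a-f]+$/)
            kind = "eui64"
        print kind, addr
    }'
}

# Exit status 0 only when at least one temporary global address is present.
privacy_active() {
    classify_inet6 | grep -q '^temporary '
}

# Live use on a real interface:
#   ip -6 addr show dev eth0 | classify_inet6
#   ip -6 addr show dev eth0 | privacy_active && echo "temporary address in use"
```

An `eui64` line alongside a `temporary` line is the expected result once privacy extensions work: the MAC-derived address stays configured, but with `use_tempaddr=2` the temporary one is preferred for outgoing connections.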