From nobody Tue Jan 27 20:01:53 2026 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4f0xBX2n0dz6QLjJ for ; Tue, 27 Jan 2026 20:01:56 +0000 (UTC) (envelope-from madpilot@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R12" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4f0xBX29Jlz3Tp5; Tue, 27 Jan 2026 20:01:56 +0000 (UTC) (envelope-from madpilot@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1769544116; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=voY6JN1SBJvZO6Of9gh5lSeWP2gOWRmaUAD3Iq29nqM=; b=J4twhWMYu0nNYlZDi8396NbyXctE0qR+q0LogA07SV7zrBS0bLUOMeu5fMglxe8/aNvrKl 0vwwceInAp6DsKtDgdcGgWFCeo9EpGWbkBlqznsU46St3TTUCNd8ywxXQOU6iYs0W27JXI HQ3Dxzo6I8b+cGRs5DI0J9crz0FjADoV4E/srETf2oG9cBTuZCZbDy4yiWrsgjKHewn9y+ xqmrEtEn2LgNqEcEsQT03YnzfOTGgM+PduLTX477XPgLsrOc3ow6Hk7xSQZw89P0skfXFp dkPYp2ES51HvGKyFTHbTwCJ/62hYRLLruh07eHufkDeCn/J8PqM0JyRWILjLiw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1769544116; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=voY6JN1SBJvZO6Of9gh5lSeWP2gOWRmaUAD3Iq29nqM=; b=xELhhyR/9bRJxoDMAoqUq6Xh9zmEOc0JQAA24ZVPg3IkpuMQkG6vBtt08t0W/Q5hNwJ9N2 1ZpG1fOLcTOHcXs6K8hQCA8p22YBEfrUgiC+iAwV4deZ2RPNLo378IOVMnoWHYI/iH+I9M K+LcXVstt0l+wbGKxxDzPrZIi7o53LmXEWi7QXtaCZHuqC4vd7ZKrHjyr21raalqhln45A oYl2pV0OCMJZgy6RoQMpsrfzAIDL+73cyJcqCKufogd5BD2yfE0V1EvVx8zrHGMoGXYuCl iYJe1lY9BcQGNBp3lFxkROgrItPD+DTKFA5uJvZGSnZAuiUC+IcE2FH4mkw2Lg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1769544116; a=rsa-sha256; cv=none; b=lx2bJOi8H/le1nHEp9wa/dTnLXF8n6V1YAGHk+PIxfn9Pl7hfVkA+ANiprQD8ht7wun01W vWMX1C5z7VQTobsl9r8OLoEigu5hPF+5TxmYCYF/nZe4zMu+76B+E6QXTuMt8v+iSMwLHm ir9ou0W1jlih5VeJv3gtE9A5AxEDE5thH+eCbQCOuIgJ+5qUdybbG/nTxQ81BQOzh5pAoO 41LiN8tx9Xsux6YOim80r0EzaSQ1FlpzjqMvZ72WE+TnHTtcy02vvvZ11kvcN46faSuHv3 EtnaRwwQqRaolghlZyAhAY6YabRJiEVbAdvm8ZoihVMVZcCt5z4hAt44hwjtow== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from [IPV6:2a01:e11:2002:4280:ab9b:8bf1:ec36:413a] (unknown [IPv6:2a01:e11:2002:4280:ab9b:8bf1:ec36:413a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: madpilot/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4f0xBW6LknzK2R; Tue, 27 Jan 2026 20:01:55 +0000 (UTC) (envelope-from madpilot@FreeBSD.org) Message-ID: Date: Tue, 27 Jan 2026 21:01:53 +0100 List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird From: Guido Falsi Subject: Re: we should enable RFC7217 by default To: Shawn Webb Cc: freebsd-current@freebsd.org References: <9cda2fbc-b8fb-44d1-8c1f-88395d741af7@FreeBSD.org> <0f5fcd3d-b189-49f5-ac81-d4fb48d90a77@FreeBSD.org> Content-Language: en-US Autocrypt: addr=madpilot@FreeBSD.org; keydata= xsBNBE+G+l0BCADi/WBQ0aRJfnE7LBPsM0G3m/m3Yx7OPu4iYFvS84xawmRHtCNjWIntsxuX fptkmEo3Rsw816WUrek8dxoUAYdHd+EcpBcnnDzfDH5LW/TZ4gbrFezrHPdRp7wdxi23GN80 qPwHEwXuF0X4Wy5V0OO8B6VT/nA0ADYnBDhXS52HGIJ/GCUjgqJn+phDTdCFLvrSFdmgx4Wl c0W5Z1p5cmDF9l8L/hc959AeyNf7I9dXnjekGM9gVv7UDUYzCifR3U8T0fnfdMmS8NeI9NC+ wuREpRO4lKOkTnj9TtQJRiptlhcHQiAlG1cFqs7EQo57Tqq6cxD1FycZJLuC32bGbgalABEB AAHNIkd1aWRvIEZhbHNpIDxtYWRwaWxvdEBGcmVlQlNELm9yZz7CwHgEEwECACIFAk+G+3MC GwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEBrmhg5Wy9KT2uIIAIrawQ89TnqEhi2C OEQAhx3uqWZuNoS6NyiSgsRCmtSnT2GOgH4Ucbr/I37SkV1B3K6HkoL6lwN8Gjf5KOgLqmTi E1W3RTwS7l8PSvdnjM9i7g351R4mTijtxawB/JcQf/Kge3Yqr1V4g6H+wQXHUStmHThbupuN trzRphvR/e5ekT0FTyVfPmpcbm68i2bwZnKUex/TNIECBykYh8b+SYMLhENf2ayRjCIWS2Ad 7tnTKhMtnS5jtW6qjBy4RoTpQD6oR1xIgkTRlQ49roVCUfdHb+Y/kh+U9G1IcoNy4vkg9IfP dwpSfnP+a8j0AZ1hMnOLZ1fYoQrs+4gVLy8Fs7TOwU0EUxB7QQEQAKFhrDceoPdK/IHDSmoj 6SQYisvM7VdhcleS7E9DoEAVt7yMbf6HbbMVTTY6ckvwTWQssywLBXNVqxgc4WLJjzfUhgef +WE75M3+WFYlOVQLGZY/zEVgma1raYnOHNAOzeHLDmEXjbZP6vGAeDyBbGfQPpE7qGYZ7ube T3XwQO+PklcCrvOPj2ZPcAxGNS2xVU/LzONqCrJqLMJSIcCdsbiSP4G5PnDFHtMokaTY6OEr 8OEQfOAerhcHUa/z7Uu8YtmaqKH+QGkE/WEgaRqSiTnv0JOTD+DxehaqvoKPPZ++2NpCZMHB 2i6A/xifmQwEiIjEXtcueBRzkNUQkxhqZyS13SrhocL9ydtaVPBzZatAEjUDDEJmAMLVFs45 qfyhMiNapHJo2n3MW/E5omqCvEkDdWX/en3P7CK2TemeaDghMsgkNKax/z0wNo5UZCkOPOz0 xpNiUilOVbkuezZZNg65741qee2lfXhQIaZ66yT7hphc/N/z3PIAtLeze4u1VR2EXAuZ2sWA dlKCNTlJMsaU/x70BV11Wd/ypnVzM68dfdQIIAj1iMFAD/lXGlEUmKXg5Ov2VQDlTntQoanC YrAg+8CttPzjrydgLZFq3hrtQmfc0se5yv1WHS69+BsUOG09RvvawUDZxUjW19kyeN9THaNR gow3kSuArUp6zSmJABEBAAHCwF8EGAEIAAkFAlMQe0ECGwwACgkQGuaGDlbL0pMN5wgA4bCk X/qwEVC06ToeR6C2putmSWQMgpDaqrv65Hubo+QGmg2P4ewTYQQ4g6oYWS03qHxqVVWhKz7F jfrV+dH8qbCLfSgIcvdBha7ayGZVrsiuMLKGbw36fcmkZPpSDOfHcP0XH8Z+u9CWj0xUkTxA lZ/7i6gYSUpG2JWNtdmE/X8VVEyXusCLwy0K0BI60A/4dRTIX3C4QKrJ3ZbUXegz70ynjHf+ lQMZ9IZKASoRMuS5FozPQh6abvmwZEPdf5I9riUElzvHrqJ8Bx0t3Pujdoth+yNHpnBxrtO8 LkQdrQ58P0SwcaIX33T2U9pG8bhu5YVR88FQ8OQ0cEsPBpDncg== In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 1/27/26 20:17, Shawn Webb wrote: > On Tue, Jan 27, 2026 at 07:27:28PM +0100, Guido Falsi wrote: >> On 1/27/26 19:17, Shawn Webb wrote: >>> On Tue, Jan 27, 2026 at 03:35:16AM +0330, Pouria Mousavizadeh Tehrani wrote: >>>> Hi everyone, >>>> >>>> With `net.inet6.ip6.use_stableaddr` now available, I believe we should >>>> enable it by default in CURRENT at least. >>>> As you may already know, we currently use the EUI64 method for generating >>>> stable IPv6 addresses, which has serious privacy issues. >>>> >>>> IMHO, trying to maintain backward compatibility defeats the purpose of a >>>> privacy RFC. >>>> >>>> To be clear, we don't want to change the ip addresses of existing servers. >>>> However, it's reasonable for users to expect changes during a major upgrade >>>> (15 -> 16), a fresh install of a new major release, or living on CURRENT. >>>> So, for obvious reasons, changing the default value would not be MFCed. >>>> >>>> What do you think? >>> >>> I think this would be a good step for FreeBSD. In HardenedBSD, we set >>> net.inet6.ip6.{prefer,use}_tempaddr to 1, which creates completely >>> random IPv6 addresses (scoped to the prefix, of course). >>> >>> The one thing I would hope is that support for completely random IPv6 >>> addresses via SLAAC does not go the way of the dodo. >>> >>> (If net.inet6.ip6.use_stableaddr becomes the default, we will likely >>> keep it at 0 in favor of the other aforementioned sysctl nodes.) >> >> Those are two orthogonal things. >> >> stableaddress enabled replaces the current algorithm for deriving the main >> interface address, that stays attached to the interface indefinitely. >> >> tempaddr creates additional addresses for the interface that are used (and >> preferred if the prefer flag is enabled) for outgoing connections, and are >> generated again periodically, with old ones remaining attached to the >> interface, since old connections could still use them, till reboot. >> >> The two can live together, there is no reason to disable one of them. >> >> >> BTW while developing my patch, in one of the first iterations, I did break >> the tempaddr mechanism, so I can assure you I took special care for them to >> not interfere with each other. > > Seems I was indeed a bit confused. Thank you for the explanation. > > So looking at one of my current SLAAC systems, I see: > > ==== BEGIN LOG ==== > bridge0: flags=1008843 metric 0 mtu 1500 > options=10 > ether 58:9c:fc:10:d7:7e > inet 192.168.1.251 netmask 0xfffff000 broadcast 192.168.15.255 > inet6 fe80::5a9c:fcff:fe10:d77e%bridge0 prefixlen 64 scopeid 0x3 > inet6 2001:470:4001:1:5a9c:fcff:fe10:d77e prefixlen 64 autoconf pltime 14400 vltime 86400 > inet6 2001:470:4001:1:c001:f868:c587:cdd7 prefixlen 64 deprecated autoconf temporary pltime 0 vltime 44033 > inet6 2001:470:4001:1:c139:85be:79b3:e3ec prefixlen 64 autoconf temporary pltime 12610 vltime 86400 > id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 > maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 > root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 > bridge flags=0<> > ==== END LOG ==== > > From what I understand now, the only thing that would change is the > 2001:470:4001:1:5a9c:fcff:fe10:d77e address. Instead of incorporating > the MAC address in that IP address, it would be the stableaddr > address. > > Amy I understanding that correctly? You are correct. AFAIK the relevant RFCs implemented here were studied to be compatible with one another. To give some details: The net.inet6.ip6.use_stableaddr sysctl changes the algorithm that incorporates the MAC address in the IPv6 address with one deriving the IPv6 address with an hash (sha256 HMAC) of the concatenation of various sources, as described in RFC 7217, specifically: - the network prefix - MAC address, interface name or interface id (configurable via net.inet6.ip6.stableaddr_netifsource, default uses MAC address) - hostid (this is a UUID, constant on the machine) - a counter, usually 0, incremented if there are DAD conflicts (another host with same address is detected on the network, counter incremented and a new address is checked, by default for 3 times, configurable via net.inet6.ip6.use_stableaddr) - we use an additional counter to cater for the very rare case the algorithm should generate an invalid address, in such a case the counter is incremented and another address generated and verified. -- Guido Falsi