From owner-freebsd-net@FreeBSD.ORG Tue Jun 10 16:01:52 2008
From: Rui Paulo
To: Doug Barton
Cc: freebsd-net@freebsd.org, so@freebsd.org
Date: Tue, 10 Jun 2008 17:01:40 +0100
Subject: Re: Proposal: Enable IPv6 Privacy Extensions (RFCs 3041/4941) by default
Message-ID: <20080610160140.GB33773@epsilon.local>
In-Reply-To: <484E0C08.1060800@FreeBSD.org>
References: <484E0C08.1060800@FreeBSD.org>
User-Agent: Mutt/1.5.17 (2007-11-01)
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Jun 09, 2008 at 10:07:20PM -0700, Doug Barton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> By default, IPv6 stateless autoconfiguration creates a 64 bit hostid
> for each interface based on the mac address (for ethernet, but for us
> that's the common case). This is convenient since if you're using RA
> neither the user nor the admin has to do anything to get the node on
> line, it "just works." There is a privacy issue with this however,
> because this identifier is created in such a way as to make it
> globally unique, the machine (and therefore in almost all cases the
> user) can be tracked by third parties such as web sites, even if they
> move from one network prefix to another, such as with a laptop.
>
> To address those privacy concerns RFC 3041 was written, and eventually
> obsoleted by RFC 4941. ftp://ftp.rfc-editor.org/in-notes/rfc4941.txt
> Our IPv6 implementation comes with the code to enable this feature,
> but by default it is turned off. My proposal is to enable it by
> default, and give the user a knob in rc.conf to turn it off. I'm
> interested in any arguments y'all might have for or against. To test
> this is pretty simple, add the following to /etc/sysctl.conf:
>
> net.inet6.ip6.use_tempaddr=1
> net.inet6.ip6.prefer_tempaddr=1
>
> The "normal" EUI-64-based address will still be configured, but there
> will also be a random identifier added to the interface as an alias,
> and outgoing traffic will go out from that address.
>
> In way of comparison, windows starting with XP enables this feature by
> default for clients, and has a knob to enable it for servers. I'd be
> interested to hear what other systems do.
>
> Thoughts?

+1. I'm okay with it.

Regards,
--
Rui Paulo
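As an added illustration of the mechanism the thread discusses (example code written for this page, not code from the proposal or from FreeBSD's IPv6 stack), the following Python builds the stable EUI-64 identifier from a MAC address and then derives RFC 4941 temporary identifiers from it; the MAC address, prefixes and seed history value are constructed sample inputs.

```python
import hashlib
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert FF:FE in the middle, then flip the universal/local bit (0x02).
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def is_reserved_iid(iid: bytes) -> bool:
    """Subset of RFC 5453 reserved identifiers: subnet-router anycast (all zero)
    and the reserved subnet anycast block fdff:ffff:ffff:ff80 .. fdff:ffff:ffff:ffff."""
    return iid == bytes(8) or (iid[:7] == b"\xfd" + b"\xff" * 6 and iid[7] >= 0x80)


def temp_iid(history: bytes, stable_iid: bytes) -> tuple:
    """One iteration of RFC 4941 section 3.2.1.

    Returns (temporary IID, next history value). Both inputs are 64 bits:
    MD5(history || stable_iid); the leftmost 64 bits become the IID with the
    u/l bit cleared, the rightmost 64 bits become the history for the next run.
    """
    if len(history) != 8 or len(stable_iid) != 8:
        raise ValueError("history and interface identifier must be 8 bytes each")
    while True:
        digest = hashlib.md5(history + stable_iid).digest()
        iid = bytearray(digest[:8])
        iid[0] &= 0xFD            # bit 6 (u/l) -> 0: locally administered
        history = digest[8:]
        if not is_reserved_iid(bytes(iid)):
            return bytes(iid), history
        # Reserved identifier generated: retry with the new history value.


def address(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix with an interface identifier into a textual address."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


if __name__ == "__main__":
    stable = eui64_iid("00:11:22:33:44:55")              # constructed sample MAC
    hist = bytes.fromhex("0123456789abcdef")             # constructed seed history
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):  # e.g. home vs. office
        tmp, hist = temp_iid(hist, stable)
        print(prefix, "stable:", address(prefix, stable), "temporary:", address(prefix, tmp))
```

The stable address keeps the same MAC-derived suffix under every prefix, which is the tracking handle the proposal describes; each temporary identifier differs and carries the u/l bit cleared.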