From nobody Mon Mar 31 20:05:29 2025
X-Original-To: freebsd-net@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZRMZV3YGzz5sVBq
	for <freebsd-net@mlmmj.nyi.freebsd.org>; Mon, 31 Mar 2025 20:05:54 +0000 (UTC)
	(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl [IPv6:2001:678:618::40])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "plan-b.pwste.edu.pl", Issuer "GEANT OV RSA CA 4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ZRMZS493yz3syD
	for <freebsd-net@freebsd.org>; Mon, 31 Mar 2025 20:05:52 +0000 (UTC)
	(envelope-from zarychtam@plan-b.pwste.edu.pl)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=plan-b.pwste.edu.pl header.s=plan-b-mailer header.b=JVHH8qK2;
	dmarc=pass (policy=quarantine) header.from=plan-b.pwste.edu.pl;
	spf=pass (mx1.freebsd.org: domain of zarychtam@plan-b.pwste.edu.pl designates 2001:678:618::40 as permitted sender) smtp.mailfrom=zarychtam@plan-b.pwste.edu.pl
Received: from [192.168.7.70] (dom.potoki.eu [62.133.140.50])
	(authenticated bits=0)
	by plan-b.pwste.edu.pl (8.18.1/8.17.2) with ESMTPSA id 52VK5TgV042058
	(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO);
	Mon, 31 Mar 2025 22:05:30 +0200 (CEST)
	(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
	s=plan-b-mailer; t=1743451530;
	bh=GuiogaB8oWa5JxliCEGhTn0ft7DMz4k3GCcmCAtNG3A=;
	h=Date:Subject:To:References:From:In-Reply-To;
	b=JVHH8qK2Wvlr0GznM0zITaIFW5XwcNhvEMmZ45crE5gwugt84aQH9K6KMihoI4MiA
	 8jHiBg/IvgO4W2ssuBBFdbPMMlUi0DYHxGDWfT0pFnHMkXZYRjiwrOJs0ElEf+ce6T
	 qR9Qa37XrWt/vPYR/ERFF48uo8nkIiYSBxlhBPdPT7QGWVC6MlRd76OpJhFFdz+gm6
	 WIhlIUU1Z0tlRMubZEUluX/edaY54kw0E4SvqxFeyikS6rzxxaVdjXnelJeNyo7G6m
	 439WGxMn9eKDDLxPKZ2f1i4PiGJJ5DhLBHuhYY+PX3zowIFtB9nW8DgSrzSjSMn+o3
	 wDZsPYB5uDWtQ==
X-Authentication-Warning: plan-b.pwste.edu.pl: Host dom.potoki.eu [62.133.140.50] claimed to be [192.168.7.70]
Message-ID: <b251f1ee-a77f-41ea-8309-cb5780404e8f@plan-b.pwste.edu.pl>
Date: Mon, 31 Mar 2025 22:05:29 +0200
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-net
List-Help: <mailto:freebsd-net+help@freebsd.org>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Subscribe: <mailto:freebsd-net+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-net+unsubscribe@freebsd.org>
Sender: owner-freebsd-net@FreeBSD.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: RFC4941 IPv6 privacy knobs and how to set them
To: Chris Ross <cross+freebsd@distal.com>, freebsd-net@freebsd.org
References: <EB360A00-2CFB-439F-918E-1C7450BB9BB6@distal.com>
Content-Language: en-US
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Autocrypt: addr=zarychtam@plan-b.pwste.edu.pl; keydata=
 xsBNBFfi3cMBCADLecMTFXad4uDXqv3eRuB4qJJ8G9tzzFezeRnnwxOsPdytW5ES2z1ibSrR
 IsiImx6+PTqrAmXpTInxAi7yiZGdSiONRI4CCxKY9d1YFiNYT/2WyNXCekm9x29YeIU7x0JB
 Llbz0f/9HC+styBIu2H+PY/X98Clzm110CS+n/b9l1AtiGxTiVFj7/uavYAKxH6LNWnbkuc5
 v8EVNc7NkEcl5h7Z9X5NEtzDxTOiBIFQ/kOT7LAtkYUPo1lqLeOM2DtWSXTXQgXl0zJI4iP1
 OAu4qQYm2nXwq4b2AH9peknelvnt1mpfgDCGSKnhc26q6ibTfMwydp+tvUtQIQYpA6b9ABEB
 AAHNN01hcmVrIFphcnljaHRhIChQbGFuLWIpIDx6YXJ5Y2h0YW1AcGxhbi1iLnB3c3RlLmVk
 dS5wbD7CwHcEEwEIACEFAlfi4LkCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQHZW8
 vIFppoJXdgf8D9X3VRFSNaR9lthSx/+uqas17J3FJKBo1xMQsC2a+44vzNvYJSuPGLLJ+LW2
 HPVazjP/BWZJbxOYpliY4zxNRU0YCp0BLIVLibc//yax+mE42FND/+NiIZhqJscl6MLPrSwo
 sIwXec4XYkldkyqW/xBbBYXoIkBqdKB9j5j42Npy1IV/RizOSdmvTWY27ir8e/yGMR1RLr4F
 8P5K3OWTdlGy2H2F/3J8bIPBLG6FpaIyLQw4dHSx8V02PYqDxK1cNo2kAOnU8PnZL/AGuMOH
 iv3MN1VYL8ehcmpBBsrZGebQJxrjY2/5IaTSgp9xHYT70kshuU6Qb97vk1mOjNZxgc7ATQRX
 4t3DAQgA10h6RCXuBLMHxq5B8X/ZIlj9sgLoeyfRdDZEc9rT2KUeUJVHDsbvOFf4/7F1ovWY
 hJbA6GK/LUZeHHTjnbZcH1uDYQeHly4UOLxeEvhGoz4JhS2C7JzN/uRnwbdOAUbJr8rUj/IY
 a7gk906rktsc/Ldrxrxh7O6WO0JCh2XO/p4pDfEwwB37g4xHprSab28ECYJ9JMbtA8Sy4M55
 g3+GQ28FvSlGnx48OoGXU2BZdc1vZKSQmNOlikB+9/hDX8zdYWVfDaX1TLQ8Ib4+xTUmapza
 mV/bxIsaZRBw+jFjLQHhTbIMfPEU+4mxFDvTdbKPruKPqVf1ydgMnPZWngowdwARAQABwsBf
 BBgBCAAJBQJX4t3DAhsMAAoJEB2VvLyBaaaC6qkIAJs9sDPqrqW0bYoRfzY6XjDWQ59p9tJi
 v8aogxacQNCfAu+WkJ8PNVUtC1dlVcG5NnZ80gXzd1rc8ueIvXlvdanUt/jZd8jbb3gaDbK3
 wh1yMCGBl/1fOJTyEGYv1CRojv97KK89KP5+r8x1P1iHcSrunlDNqGxTMydNCwBH23QcOM+m
 u4spKnJ/s0VRBkw3xoKBZfZza6fTQ4gTpAipjyk7ldOGBV+PvkKATdhK2yLwuWXhKbg/GRlD
 1r5P0gxzSqfV4My+KJuc2EDcrqp1y0wOpE1m9iZqCcd0fup5f7HDsYlLWshr7NQl28f6+fQb
 sylq/j672BHXsdeqf/Ip9V4=
In-Reply-To: <EB360A00-2CFB-439F-918E-1C7450BB9BB6@distal.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Spamd-Result: default: False [-6.41 / 15.00];
	DWL_DNSWL_MED(-2.00)[pwste.edu.pl:dkim];
	NEURAL_HAM_LONG(-0.99)[-0.994];
	NEURAL_HAM_SHORT(-0.97)[-0.971];
	NEURAL_HAM_MEDIUM(-0.94)[-0.941];
	DMARC_POLICY_ALLOW(-0.50)[plan-b.pwste.edu.pl,quarantine];
	RCVD_DKIM_ARC_DNSWL_MED(-0.50)[];
	RCVD_IN_DNSWL_MED(-0.20)[2001:678:618::40:from];
	R_SPF_ALLOW(-0.20)[+mx];
	R_DKIM_ALLOW(-0.20)[plan-b.pwste.edu.pl:s=plan-b-mailer];
	ONCE_RECEIVED(0.20)[];
	MIME_GOOD(-0.10)[text/plain];
	MIME_TRACE(0.00)[0:+];
	ARC_NA(0.00)[];
	RCVD_TLS_ALL(0.00)[];
	DKIM_TRACE(0.00)[plan-b.pwste.edu.pl:+];
	RCPT_COUNT_TWO(0.00)[2];
	ASN(0.00)[asn:206006, ipnet:2001:678:618::/48, country:PL];
	TO_DN_SOME(0.00)[];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	FROM_HAS_DN(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	RCVD_COUNT_ONE(0.00)[1];
	MLMMJ_DEST(0.00)[freebsd-net@freebsd.org];
	TAGGED_RCPT(0.00)[freebsd];
	MID_RHS_MATCH_FROM(0.00)[];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	HAS_XAW(0.00)[]
X-Rspamd-Queue-Id: 4ZRMZS493yz3syD
X-Spamd-Bar: ------

W dniu 31.03.2025 o 21:39, Chris Ross pisze:
> Hello all.  Looking at some changes I made to configure my new gw router
> last year but failed to document and check in, I find in my sysctl.conf:
>
> + # Use and prefer the RFC 4941 temporary addresses
> + net.inet6.ip6.use_tempaddr: 2
> + net.inet6.ip6.prefer_tempaddr: 2
>
> Looking across the interwebs, I see information about setting these to 1,
> and on using `ipv6_privacy` in /etc/rc.conf (which set them to 1), which
> I did not do.
>
> Is there documentation about what these variables mean, and if “2” is
> a useful value different than “1”?  If so, how are they different?
>
> Thanks.
>
>          - Chris

Hello Chris,

our ip6 network stack is old and likely still relying on the older RFC 
3041, even though RFC 4941 is mentioned in the man pages. However, both 
have been obsoleted by RFC 8981. If you're open to experimentation, you 
can apply the patch from PR 245103 to push things further.

I have always set these sysctl knobs to 1, but I only use privacy 
extensions on PCs and laptops - never on routers.

Cheers

-- 
Marek Zarychta