Date: Wed, 28 Jan 2026 12:38:02 +0100
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
Subject: Re: we should enable RFC7217 by default
To: Brooks Davis
Cc: freebsd-current@freebsd.org
From: Marek Zarychta

On 28.01.2026 at 11:00, Brooks Davis wrote:
> On Tue, Jan 27, 2026 at 03:35:16AM +0330, Pouria Mousavizadeh Tehrani wrote:
>> Hi everyone,
>>
>> With `net.inet6.ip6.use_stableaddr` now available, I believe we should enable
>> it by default in CURRENT at least.
>> As you may already know, we currently use the EUI64 method for generating
>> stable IPv6 addresses, which has serious privacy issues.
>>
>> IMHO, trying to maintain backward compatibility defeats the purpose of a
>> privacy RFC.
>>
>> To be clear, we don't want to change the IP addresses of existing servers.
>> However, it's reasonable for users to expect changes during a major upgrade
>> (15 -> 16), a fresh install of a new major release, or living on CURRENT.
>> So, for obvious reasons, changing the default value would not be MFCed.
>>
>> What do you think?
> I wonder if we should ship an update to 15 (landing in 15.1) explicitly
> adding net.inet6.ip6.use_stableaddr=1 and a suitable comment to
> /etc/sysctl.conf so people who later upgrade to 16 aren't painfully
> surprised when their server disappears. New installs of 16 would get
> the new default, but upgrades would keep the old default. The downside
> would be that people who have edited sysctl.conf would have a merge
> conflict to resolve, but that's a fairly normal thing.
>
> -- Brooks
>

Unfortunately, support for stable privacy (RFC 7217) is not implemented
in stable/15; therefore any discussion about introducing this change into
15.1-RELEASE is pointless at the moment.

The MFC of stable privacy (RFC 7217) support to stable/15 is under review
on Phabricator. If you support this initiative, please comment on
review D54382.

Cheers

--
Marek Zarychta
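
The privacy difference between EUI-64 and RFC 7217 addresses that this thread refers to, as an added example that is not part of the thread and is not FreeBSD's implementation. Using HMAC-SHA256 as the function F is an assumption (RFC 7217 only requires a pseudorandom function); the MAC, prefixes, interface name `em0` and key are constructed sample values.

```python
import hashlib, hmac, ipaddress

def eui64_iid(mac):
    """Modified EUI-64 interface ID (RFC 4291 App. A) from a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", ""))
    # Flip the universal/local bit and insert ff:fe in the middle.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def mac_from_iid(iid):
    """Invert eui64_iid: anyone who sees the address learns the MAC."""
    e = iid.to_bytes(8, "big")
    if e[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 derived interface ID")
    return ":".join(f"{x:02x}" for x in bytes([e[0] ^ 0x02]) + e[1:3] + e[5:])

def rfc7217_iid(prefix, net_iface, secret_key, network_id=b"", dad_counter=0):
    """RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
    F is HMAC-SHA256 here (assumption); the IID is the low 64 bits of RID."""
    msg = (prefix.network_address.packed + bytes([prefix.prefixlen])
           + net_iface + network_id + bytes([dad_counter]))
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(rid[-8:], "big")

def address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface ID."""
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)

# Constructed sample values: documentation MAC and prefixes, fixed demo key.
MAC = "00:00:5e:00:53:01"
HOME = ipaddress.IPv6Network("2001:db8:1::/64")
CAFE = ipaddress.IPv6Network("2001:db8:2::/64")
KEY = b"constructed-demo-secret"

if __name__ == "__main__":
    for net in (HOME, CAFE):
        print(net, "EUI-64  ", address(net, eui64_iid(MAC)))
        print(net, "RFC 7217", address(net, rfc7217_iid(net, b"em0", KEY)))
    print("MAC recovered from EUI-64 address:", mac_from_iid(eui64_iid(MAC)))
```

The EUI-64 interface ID is identical on both networks and reverses to the MAC, while the RFC 7217 one is stable per prefix but differs between prefixes.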