From: Ronald Klop
Date: Wed, 28 Jan 2026 12:56:02 +0100 (CET)
To: Pouria Mousavizadeh Tehrani
Cc: freebsd-current@freebsd.org, madpilot@freebsd.org
Subject: Re: we should enable RFC7217 by default
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

From: Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
Date: Tuesday, 27 January 2026 01:05
To: freebsd-current@freebsd.org
CC: madpilot@freebsd.org
Subject: we should enable RFC7217 by default

> Hi everyone,
>
> With `net.inet6.ip6.use_stableaddr` now available, I believe we should enable it by default in CURRENT at least.
> As you may already know, we currently use the EUI64 method for generating stable IPv6 addresses, which has serious privacy issues.
>
> IMHO, trying to maintain backward compatibility defeats the purpose of a privacy RFC.
>
> To be clear, we don't want to change the IP addresses of existing servers. However, it's reasonable for users to expect changes during a major upgrade (15 -> 16), a fresh install of a new major release, or living on CURRENT.
> So, for obvious reasons, changing the default value would not be MFCed.
>
> What do you think?
>
> --
> Pouria

 


Hi,

Totally agree with your proposal.

I had a similar change to if_epair in 15.0.
https://cgit.freebsd.org/src/commit?id=3a2d4a1017e57f19f5a101da15acbdd861d353ae
The sysctl was merged to 14, but the default was kept 0 on that branch.

In 16 you can document the change in UPDATING. Commit it with "Relnotes: yes" so the change of the default also ends up in the release notes when 16.0 is released.

IMHO that is all the effort we can do. And as said earlier by somebody else, if an admin really needs a fixed IPv6 address the user would have configured it differently already or would do proper production testing after a major upgrade. So I think we should not make flipping the default harder than it has to be: UPDATING, Relnotes and maybe a heads-up mail on current.

Regards,
Ronald.
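For readers following the thread, an added example (not part of either message and not FreeBSD's kernel code) contrasting the two schemes under discussion: an EUI-64 interface identifier embeds the MAC address and stays the same on every network, while an RFC 7217 identifier is a keyed hash that changes per prefix. SHA-256 as the function F, the field encoding, the interface name `em0`, the MAC and the secret are all assumptions made for illustration.

```python
import hashlib
import ipaddress
from typing import Optional

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID (RFC 4291, Appendix A): insert ff:fe, flip the U/L bit."""
    b = bytes.fromhex(mac.replace(":", ""))
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]

def mac_from_iid(iid: bytes) -> Optional[str]:
    """Reverse the EUI-64 mapping; None if the IID lacks the ff:fe marker."""
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)

def rfc7217_iid(prefix: str, ifname: str, secret: bytes,
                network_id: bytes = b"", dad_counter: int = 0) -> bytes:
    """RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) per RFC 7217.
    F is SHA-256 here (assumption); the IID is the low 64 bits of the RID."""
    net = ipaddress.IPv6Network(prefix)
    h = hashlib.sha256()
    for field in (net.network_address.packed[:8], ifname.encode(),
                  network_id, bytes([dad_counter]), secret):
        # Length-prefix each field so distinct inputs cannot concatenate identically.
        h.update(len(field).to_bytes(2, "big") + field)
    return h.digest()[-8:]

def address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

if __name__ == "__main__":
    # Constructed sample values: documentation prefixes, made-up MAC and secret.
    mac, ifname, secret = "00:11:22:33:44:55", "em0", b"per-host-random-secret"
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):
        e = eui64_iid(mac)
        s = rfc7217_iid(prefix, ifname, secret)
        print(prefix, "EUI-64 ", address(prefix, e), "-> MAC", mac_from_iid(e))
        print(prefix, "RFC7217", address(prefix, s), "-> MAC", mac_from_iid(s))
```

The EUI-64 rows print the same low 64 bits under both prefixes and recover the MAC; the RFC 7217 rows are stable for a given prefix but differ between prefixes, which is why flipping the default changes an existing host's autoconfigured address.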