From: Chris Ross
To: Marek Zarychta
Cc: freebsd-net@freebsd.org
Date: Tue, 1 Apr 2025 16:11:04 -0400
Subject: Re: RFC4941 IPv6 privacy knobs and how to set them
Message-Id: <88DB625A-DCC1-4198-BAB9-8281CA07393D@distal.com>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

> On Mar 31, 2025, at 16:05, Marek Zarychta wrote:
> Hello Chris,
>
> our ip6 network stack is old and likely still relying on the older RFC 3041, even though RFC 4941 is mentioned in the man pages. However, both have been obsoleted by RFC 8981. If you're open to experimentation, you can apply the patch from PR 245103 to push things further.
>
> I have always set these sysctl knobs to 1, but I only use privacy extensions on PCs and laptops - never on routers.

I wish I knew why I set them to 2. :-/  If I _wanted_ them set to 1, then I could use the knob in rc.conf. I know I have some complaints about the privacy things being done with MAC address and IPv6 addresses, because I need my IPv6 addresses to be predictable for DNS. Trying to figure out how to get (1) [information] secure and (2) predictable/repeatable addresses so I can set up forward and reverse DNS has been challenging….

Though, mostly that's an issue for the client machines on the network, not the router. The router mostly has hard-set IPv6 addresses, since it is, after all, a router. Maybe I was trying to adjust in some way the upstream to my ISP. There isn't any SLAAC going on on my router at the moment though, I don't think, so this may be some left-over from my trials and tribulations last year getting the IPv6 allocation from Verizon up and running.

So, no-one knows any reason why these numbers being "2" could mean anything? If so I'll pull that out of my config.

- Chris
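As an added example, not part of this thread and not one of FreeBSD's own rc scripts: a POSIX shell audit for the two sysctl knobs the discussion is about, net.inet6.ip6.use_tempaddr and net.inet6.ip6.prefer_tempaddr (the pair that rc.conf's ipv6_privacy="YES" sets to 1 at boot). It classifies the pair, reports values outside 0/1 such as the "2" above as nonstandard instead of guessing what the kernel does with them, and splits an interface's RFC 4941 temporary addresses (which ifconfig marks "temporary") from the stable ones that are safe to publish in forward and reverse DNS. The sysctl and ifconfig text is constructed sample output, the interface name and 2001:db8:: addresses are placeholders, and the live_ helper only returns a result on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not from the thread. Audits FreeBSD's RFC 4941 temporary
# address knobs and lists which inet6 addresses are stable enough for DNS.

# Constructed sample of `sysctl net.inet6.ip6.use_tempaddr net.inet6.ip6.prefer_tempaddr`
# output with the puzzling "2" values from the thread.
SAMPLE_SYSCTL_2='net.inet6.ip6.use_tempaddr: 2
net.inet6.ip6.prefer_tempaddr: 2'

# Constructed sample matching what rc.conf ipv6_privacy="YES" produces.
SAMPLE_SYSCTL_PRIVACY='net.inet6.ip6.use_tempaddr: 1
net.inet6.ip6.prefer_tempaddr: 1'

# Constructed sample of `ifconfig em0 inet6` output; em0 and the addresses
# are placeholders (documentation prefix), not a real host.
SAMPLE_IFCONFIG='em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:1::1 prefixlen 64 autoconf
    inet6 2001:db8:1::a1b2:c3d4:e5f6:7890 prefixlen 64 autoconf temporary
    inet6 2001:db8:1::53 prefixlen 64'

# Extract one knob's value from sysctl "name: value" text.
# $1 = sysctl output text, $2 = knob name
knob_value() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2; exit }'
}

# Classify the pair. Both knobs are booleans; anything other than 0 or 1 is
# reported as "nonstandard" rather than interpreted.
# $1 = sysctl output text
tempaddr_status() {
    use=$(knob_value "$1" net.inet6.ip6.use_tempaddr)
    prefer=$(knob_value "$1" net.inet6.ip6.prefer_tempaddr)
    case "$use/$prefer" in
        0/0|0/1) echo disabled ;;                 # no temporary addresses at all
        1/0)     echo enabled-prefer-stable ;;    # temp addrs exist, stable used as source
        1/1)     echo enabled-prefer-temporary ;; # temp addrs used for outgoing traffic
        *)       echo nonstandard ;;              # e.g. the "2" in the thread, or missing
    esac
}

# Count inet6 addresses ifconfig flags as "temporary" (the RFC 4941 ones).
# $1 = ifconfig output text
count_temporary_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet6" && / temporary/ { n++ } END { print n+0 }'
}

# Stable, globally usable addresses: inet6 lines that are neither temporary
# nor link-local. These are the candidates for forward/reverse DNS records.
# $1 = ifconfig output text
list_dns_candidates() {
    printf '%s\n' "$1" | awk '$1 == "inet6" && !/ temporary/ && $2 !~ /^fe80:/ { print $2 }'
}

# Live check against the running kernel; the sysctls exist only on FreeBSD,
# so elsewhere this prints "unavailable" and returns 1.
live_tempaddr_status() {
    out=$(sysctl net.inet6.ip6.use_tempaddr net.inet6.ip6.prefer_tempaddr 2>/dev/null) \
        || { echo unavailable; return 1; }
    tempaddr_status "$out"
}

# Demonstration on the constructed samples (and the live kernel, if FreeBSD).
echo "knobs 2/2          -> $(tempaddr_status "$SAMPLE_SYSCTL_2")"
echo "ipv6_privacy=YES   -> $(tempaddr_status "$SAMPLE_SYSCTL_PRIVACY")"
echo "temporary addrs on sample em0: $(count_temporary_addrs "$SAMPLE_IFCONFIG")"
echo "DNS candidates on sample em0: $(list_dns_candidates "$SAMPLE_IFCONFIG" | tr '\n' ' ')"
if status=$(live_tempaddr_status); then
    echo "this host          -> $status"
fi
```

On a FreeBSD box the same audit runs against real output with `tempaddr_status "$(sysctl net.inet6.ip6.use_tempaddr net.inet6.ip6.prefer_tempaddr)"` and `list_dns_candidates "$(ifconfig em0 inet6)"`; a router that should keep hard-set addresses is expected to report "disabled" and zero temporary addresses, while a client with privacy extensions on will show at least one temporary address that must stay out of DNS.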