Date: Tue, 27 Jan 2026 18:17:27 +0000
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
Cc: freebsd-current@freebsd.org, madpilot@freebsd.org
Subject: Re: we should enable RFC7217 by default
Message-ID: <aecexj2ljvrt343rqcywqvfy7mbr7vqppiklxqbs6bcrhvm3l7@f4uatudmhcku>
In-Reply-To: <9cda2fbc-b8fb-44d1-8c1f-88395d741af7@FreeBSD.org>

On Tue, Jan 27, 2026 at 03:35:16AM +0330, Pouria Mousavizadeh Tehrani wrote:
> Hi everyone,
>
> With `net.inet6.ip6.use_stableaddr` now available, I believe we should
> enable it by default in CURRENT at least.
> As you may already know, we currently use the EUI64 method for generating
> stable IPv6 addresses, which has serious privacy issues.
>
> IMHO, trying to maintain backward compatibility defeats the purpose of a
> privacy RFC.
>
> To be clear, we don't want to change the IP addresses of existing servers.
> However, it's reasonable for users to expect changes during a major upgrade
> (15 -> 16), a fresh install of a new major release, or living on CURRENT.
> So, for obvious reasons, changing the default value would not be MFCed.
>
> What do you think?

I think this would be a good step for FreeBSD. In HardenedBSD, we set
net.inet6.ip6.{prefer,use}_tempaddr to 1, which creates completely
random IPv6 addresses (scoped to the prefix, of course).

The one thing I would hope is that support for completely random IPv6
addresses via SLAAC does not go the way of the dodo.

(If net.inet6.ip6.use_stableaddr becomes the default, we will likely
keep it at 0 in favor of the other aforementioned sysctl nodes.)

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
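
Added illustration, not part of the original message and not FreeBSD or HardenedBSD code: the sketch below contrasts the three SLAAC interface-identifier schemes named in this thread (EUI-64, RFC 7217 stable addresses, random temporary addresses) to show which ones let an observer correlate a host across prefixes. The MAC, prefixes, interface name and secret are constructed, SHA-256 as the function F is an assumption, and the RFC's reserved-identifier check and DAD retry are omitted.

```python
import hashlib
import ipaddress
import secrets

def _join(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with a 64-bit interface identifier (IID)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("expected a /64 prefix and an 8-byte IID")
    return str(net.network_address + int.from_bytes(iid, "big"))

def eui64_addr(prefix: str, mac: str) -> str:
    """Modified EUI-64: MAC split around ff:fe, universal/local bit flipped."""
    m = bytes.fromhex(mac.replace(":", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return _join(prefix, bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:])

def stable_addr(prefix: str, ifname: str, secret: bytes,
                network_id: bytes = b"", dad_counter: int = 0) -> str:
    """RFC 7217 shape: IID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
    F is SHA-256 here as an assumption; the RFC leaves the PRF to the implementation."""
    net = ipaddress.IPv6Network(prefix)
    fields = (net.network_address.packed[:8], ifname.encode(), network_id,
              dad_counter.to_bytes(4, "big"), secret)
    # Length-prefix each field so distinct inputs cannot collide after joining.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return _join(prefix, hashlib.sha256(data).digest()[:8])

def temp_addr(prefix: str) -> str:
    """Temporary-address style: a fresh random IID each time one is generated."""
    return _join(prefix, secrets.token_bytes(8))

def iid_of(addr: str) -> int:
    """Low 64 bits of an address: the part an observer can correlate."""
    return int(ipaddress.IPv6Address(addr)) & (2**64 - 1)

if __name__ == "__main__":
    mac, key = "00:11:22:33:44:55", b"constructed-secret"   # constructed values
    for pfx in ("2001:db8:a:1::/64", "2001:db8:b:2::/64"):  # documentation prefixes
        print(pfx, eui64_addr(pfx, mac), stable_addr(pfx, "em0", key), temp_addr(pfx))
```

The EUI-64 identifier is the same on both prefixes and exposes the MAC, the RFC 7217 identifier is fixed per prefix but differs between prefixes, and the temporary identifier differs on every generation.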
