Date:      Tue, 27 Jan 2026 19:17:18 +0000
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Guido Falsi <madpilot@FreeBSD.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: we should enable RFC7217 by default
Message-ID:  <n7aw5afsi5nclf5z4p4txyh2ixrsik2ludwcbrhmszce2ohzlf@ngx6ukw2il7t>
In-Reply-To: <0f5fcd3d-b189-49f5-ac81-d4fb48d90a77@FreeBSD.org>
References:  <9cda2fbc-b8fb-44d1-8c1f-88395d741af7@FreeBSD.org> <aecexj2ljvrt343rqcywqvfy7mbr7vqppiklxqbs6bcrhvm3l7@f4uatudmhcku> <0f5fcd3d-b189-49f5-ac81-d4fb48d90a77@FreeBSD.org>


On Tue, Jan 27, 2026 at 07:27:28PM +0100, Guido Falsi wrote:
> On 1/27/26 19:17, Shawn Webb wrote:
> > On Tue, Jan 27, 2026 at 03:35:16AM +0330, Pouria Mousavizadeh Tehrani wrote:
> > > Hi everyone,
> > > 
> > > With `net.inet6.ip6.use_stableaddr` now available, I believe we should
> > > enable it by default in CURRENT at least.
> > > As you may already know, we currently use the EUI64 method for generating
> > > stable IPv6 addresses, which has serious privacy issues.
> > > 
> > > IMHO, trying to maintain backward compatibility defeats the purpose of a
> > > privacy RFC.
> > > 
> > > To be clear, we don't want to change the ip addresses of existing servers.
> > > However, it's reasonable for users to expect changes during a major upgrade
> > > (15 -> 16), a fresh install of a new major release, or living on CURRENT.
> > > So, for obvious reasons, changing the default value would not be MFCed.
> > > 
> > > What do you think?
> > 
> > I think this would be a good step for FreeBSD. In HardenedBSD, we set
> > net.inet6.ip6.{prefer,use}_tempaddr to 1, which creates completely
> > random IPv6 addresses (scoped to the prefix, of course).
> > 
> > The one thing I would hope is that support for completely random IPv6
> > addresses via SLAAC does not go the way of the dodo.
> > 
> > (If net.inet6.ip6.use_stableaddr becomes the default, we will likely
> > keep it at 0 in favor of the other aforementioned sysctl nodes.)
> 
> Those are two orthogonal things.
> 
> stableaddress, when enabled, replaces the current algorithm for deriving the main
> interface address, which stays attached to the interface indefinitely.
> 
> tempaddr creates additional addresses for the interface that are used (and
> preferred if the prefer flag is enabled) for outgoing connections, and are
> generated again periodically, with old ones remaining attached to the
> interface, since old connections could still use them, till reboot.
> 
> The two can live together; there is no reason to disable one of them.
> 
> 
> BTW while developing my patch, in one of the first iterations, I did break
> the tempaddr mechanism, so I can assure you I took special care for them to
> not interfere with each other.

Seems I was indeed a bit confused. Thank you for the explanation.

So looking at one of my current SLAAC systems, I see:

==== BEGIN LOG ====
bridge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=10<VLAN_HWTAGGING>
        ether 58:9c:fc:10:d7:7e
        inet 192.168.1.251 netmask 0xfffff000 broadcast 192.168.15.255
        inet6 fe80::5a9c:fcff:fe10:d77e%bridge0 prefixlen 64 scopeid 0x3
        inet6 2001:470:4001:1:5a9c:fcff:fe10:d77e prefixlen 64 autoconf pltime 14400 vltime 86400
        inet6 2001:470:4001:1:c001:f868:c587:cdd7 prefixlen 64 deprecated autoconf temporary pltime 0 vltime 44033
        inet6 2001:470:4001:1:c139:85be:79b3:e3ec prefixlen 64 autoconf temporary pltime 12610 vltime 86400
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        bridge flags=0<>
==== END LOG ====

From what I understand now, the only thing that would change is the
2001:470:4001:1:5a9c:fcff:fe10:d77e address. Instead of incorporating
the MAC address in that IP address, it would be the stableaddr
address.

Am I understanding that correctly?

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username:  shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
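As an added illustration of the difference discussed above (example code, not from the thread or from FreeBSD's implementation): the modified EUI-64 IID carried by the 5a9c:fcff:fe10:d77e address is recomputed from the bridge0 MAC in the log and placed next to an RFC 7217-style opaque IID for the same prefix. HMAC-SHA256 as the PRF, the constructed secret key and the empty Network_ID are assumptions.

```python
import hashlib
import hmac
import ipaddress

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 IID (RFC 4291 App. A): split the 48-bit MAC,
    insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def rfc7217_iid(prefix: str, net_iface: str, secret_key: bytes,
                dad_counter: int = 0, network_id: bytes = b"") -> bytes:
    """RFC 7217 stable opaque IID: least-significant 64 bits of
    F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
    HMAC-SHA256 as F is an assumption of this example; the RFC only
    requires a PRF, and DAD_Counter is incremented when DAD fails."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    msg = (net.network_address.packed[:8] + net_iface.encode()
           + network_id + dad_counter.to_bytes(1, "big"))
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[-8:]

def slaac_address(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix with an 8-byte IID into a textual address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit IID")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))

def embeds_mac(address: str) -> bool:
    """Audit check: does the IID carry the ff:fe marker of a modified
    EUI-64, i.e. does the address expose the interface's MAC?"""
    iid = ipaddress.IPv6Address(address).packed[8:]
    return iid[3:5] == b"\xff\xfe"

# Constructed sample input: the bridge0 MAC and prefix from the log above.
MAC = "58:9c:fc:10:d7:7e"
PREFIX = "2001:470:4001:1::/64"
SECRET = b"constructed-per-host-secret"  # a real key is random and persisted

if __name__ == "__main__":
    eui = slaac_address(PREFIX, eui64_iid(MAC))
    stable = slaac_address(PREFIX, rfc7217_iid(PREFIX, "bridge0", SECRET))
    print("EUI-64   :", eui, "exposes MAC:", embeds_mac(eui))
    print("RFC 7217 :", stable, "exposes MAC:", embeds_mac(stable))
```

The temporary addresses in the log are unaffected by either IID scheme; only the non-temporary autoconf address and the link-local address are derived from the IID.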
