Date: Mon, 09 Jun 2008 22:07:20 -0700
From: Doug Barton <dougb@FreeBSD.org>
To: freebsd-net@freebsd.org, so@freebsd.org
Subject: Proposal: Enable IPv6 Privacy Extensions (RFCs 3041/4941) by default
Message-ID: <484E0C08.1060800@FreeBSD.org>
By default, IPv6 stateless autoconfiguration creates a 64 bit hostid for each interface based on the MAC address (for Ethernet, but for us that's the common case). This is convenient since if you're using RA neither the user nor the admin has to do anything to get the node on line, it "just works."

There is a privacy issue with this, however: because this identifier is created in such a way as to make it globally unique, the machine (and therefore in almost all cases the user) can be tracked by third parties such as web sites, even if they move from one network prefix to another, such as with a laptop. To address those privacy concerns RFC 3041 was written, and eventually obsoleted by RFC 4941.

ftp://ftp.rfc-editor.org/in-notes/rfc4941.txt

Our IPv6 implementation comes with the code to enable this feature, but by default it is turned off. My proposal is to enable it by default, and give the user a knob in rc.conf to turn it off. I'm interested in any arguments y'all might have for or against.

To test this is pretty simple, add the following to /etc/sysctl.conf:

net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1

The "normal" EUI-64-based address will still be configured, but there will also be a random identifier added to the interface as an alias, and outgoing traffic will go out from that address.

By way of comparison, Windows starting with XP enables this feature by default for clients, and has a knob to enable it for servers. I'd be interested to hear what other systems do.

Thoughts?

Doug

--
~ This .signature sanitized for your protection
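To make the tracking concern concrete, here is an added example (not from the mail or from the FreeBSD kernel's own code) that derives the modified EUI-64 interface identifier from a MAC address, shows that it yields the same low 64 bits under two different prefixes, and then generates a temporary identifier the way RFC 4941 section 3.2.1 describes; the MAC, prefixes and initial history value are constructed for illustration.

```python
import hashlib
import ipaddress

# Universal/local bit: bit 0x02 of the first octet, i.e. bit 57 of the 64-bit id.
UL_BIT = 1 << 57


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): split the 48-bit MAC, insert 0xFFFE
    in the middle, and flip the universal/local bit. Stable across prefixes."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big") ^ UL_BIT


def temporary_interface_id(history: bytes, eui64_id: int) -> tuple[int, bytes]:
    """RFC 4941 sec. 3.2.1: MD5 over (history || EUI-64). The left 64 bits with
    the u/l bit cleared become the temporary id; the right 64 bits are the next
    history value. Returns (identifier, next_history)."""
    digest = hashlib.md5(history + eui64_id.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big") & ~UL_BIT, digest[8:]


def make_address(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (as learned from an RA) with an interface id."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def host_part(addr: ipaddress.IPv6Address) -> int:
    """The low 64 bits: what a remote web site can correlate across prefixes."""
    return int(addr) & ((1 << 64) - 1)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"            # constructed sample MAC
    eui = eui64_interface_id(mac)
    home = make_address("2001:db8:1::/64", eui)
    cafe = make_address("2001:db8:2::/64", eui)
    print("EUI-64 at home:", home)        # same low 64 bits at both sites
    print("EUI-64 at cafe:", cafe)
    hist = b"\x00" * 8                    # constructed initial history value
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):
        tmp, hist = temporary_interface_id(hist, eui)
        print("temporary:", make_address(prefix, tmp))
```

The temporary identifier also changes at each regeneration under the same prefix, which is why RFC 4941 bounds its lifetime.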