
#1 2013-10-21 16:54:17

alroar
Member
Registered: 2012-10-15
Posts: 27

IPv6 privacy extensions not working

Hello fellow Archers,

I have a little problem with IPv6. I had it deactivated for a long time, since I had no use for it. Now it was time for me to start playing around and get in touch with it.

I do not have a DHCP for IPv6 active, so the systems assign themselves fe80:: addresses, which works fine, only that my 3.11.6-1 Arch box does not respect the privacy settings, and always generates a local link address from its MAC, on both eth0 and wlan0. The machine is a ThinkPad X200, running arch-kernel 3.11.6-1, xfce4.10 and network-manager.

alroar@x200 ~ % ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.101  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::221:6aff:fe0e:6136  prefixlen 64  scopeid 0x20<link>
        ether 00:21:6a:0e:61:36  txqueuelen 1000  (Ethernet)
        RX packets 31363  bytes 29689573 (28.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16210  bytes 2130728 (2.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I added the settings, as mentioned in the ArchWiki, to /etc/sysctl.d/30_ipv6_privacy_extensions:

# Enable IPv6 Privacy Extensions
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.eth0.use_tempaddr=2
net.ipv6.conf.wlan0.use_tempaddr=2

but my system seems to ignore it on my 2 interfaces:

alroar@x200 ~ % sudo sysctl net/ipv6/conf/all/use_tempaddr                                                                                                                     :(
net.ipv6.conf.all.use_tempaddr = 2
alroar@x200 ~ % sudo sysctl net/ipv6/conf/wlan0/use_tempaddr 
net.ipv6.conf.wlan0.use_tempaddr = 0

Any ideas how to get privacy extensions working? It's probably just an OSI Layer 8 error...
Thanks in advance!


PS: Does anyone know if ufw keeps working on IPv6 by default, and maybe know a good way to check it? I don't want to make my machine insecure by playing with IPv6. Thanks!

Last edited by alroar (2013-10-21 16:58:52)

Offline

#2 2013-10-22 10:09:13

Foucault
Member
From: Athens, Greece
Registered: 2010-04-06
Posts: 214

Re: IPv6 privacy extensions not working

I don't think privacy extensions apply to link-local (FE80::/10) addresses, only to those handed out by SLAAC, and I don't think there is really a point to it since they are not supposed to be routable anyway (the link-locals, that is). Your router will not forward fe80::/10 addressed packets, provided you have an IPv6-enabled router. In my system SLAAC addresses are scrambled but link-local is not.

Last edited by Foucault (2013-10-22 11:59:22)

Offline

#3 2013-10-22 17:03:17

alroar
Member
Registered: 2012-10-15
Posts: 27

Re: IPv6 privacy extensions not working

Thank you for that response, sounds logical, sort of. My Win7 box (and 4 others I tested) use privacy extensions on link-local by default, so I thought this would be kind of default by an RFC.

I'm especially thinking of the situation where you move in a public, open wifi. Moving through multiple stations leaves a footprint of your MAC behind you, making your moves traceable. I am trying to be as anonymous as I can, why should anyone be bothered with my MAC address? Like you said, the link-local address doesn't get routed, but still appears and could be logged by bridges. And yes, I know my MAC appears as well, but that's what we have spoofing for.

Offline

#4 2013-12-12 01:45:55

Aldaris
Member
Registered: 2013-06-06
Posts: 9

Re: IPv6 privacy extensions not working

Hi,

I found this thread when I ran into the same problem today. I use NetworkManager, so this may not apply to your problem.

NetworkManager overrides the settings in /etc/sysctl.d/*.conf. To enable IPv6 Privacy Extensions there seem to be 2 options.

1. Add a line "ip-privacy=2" to the [ipv6] section in your connection file in /etc/NetworkManager/system-connections/.

Found here:
https://fedoraproject.org/wiki/Tools/Ne … nager/IPv6

2. Create a file /etc/sysctl.conf with the option "net.ipv6.conf.default.use_tempaddr=2". This file seems to be ignored by everything but NetworkManager while NetworkManager applies this option to any NIC.

Found here:
http://blog.stefan-betz.net/2013/02/24/ … rkmanager/
(German)

The link-local address still contains the MAC address, but as Foucault wrote, it should only be visible where your MAC address itself is visible anyway. Also the autoconf address with your MAC generated from the router advertisement will still be there, but here it is not used for outgoing traffic anymore.

Last edited by Aldaris (2013-12-12 01:55:19)

Offline
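An added example, not code from any poster in this thread: it shows why the fe80:: address in the first post exposes the MAC, and how to tell a temporary (privacy) address from a MAC-derived one in `ip -6 addr show` output. The MAC and link-local address are the ones from the first post; the 2001:db8:: lines are constructed sample output and the function names are illustrative.

```python
import ipaddress
import re

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) of a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def is_mac_derived(addr: str, mac: str) -> bool:
    """True if the low 64 bits of addr are the EUI-64 form of mac."""
    plain = addr.split("/")[0].split("%")[0]  # drop prefix length and zone id
    iid = int(ipaddress.IPv6Address(plain)) & (2**64 - 1)
    return iid == eui64_iid(mac)

INET6 = re.compile(r"inet6 (\S+) scope (\S+)(.*)")

def audit(ip_output: str, mac: str):
    """Return (address, scope, is_temporary, embeds_mac) for each inet6 line."""
    rows = []
    for m in INET6.finditer(ip_output):
        addr, scope, flags = m.group(1), m.group(2), m.group(3).split()
        rows.append((addr, scope, "temporary" in flags, is_mac_derived(addr, mac)))
    return rows

# MAC and fe80:: address come from the first post. The 2001:db8:: lines
# (documentation prefix) are constructed sample `ip -6 addr show` output.
MAC = "00:21:6a:0e:61:36"
SAMPLE = """\
    inet6 2001:db8:1:2:5c1e:9a07:44d2:b3f1/64 scope global temporary dynamic
    inet6 2001:db8:1:2:221:6aff:fe0e:6136/64 scope global dynamic
    inet6 fe80::221:6aff:fe0e:6136/64 scope link
"""

if __name__ == "__main__":
    for addr, scope, temp, leaks in audit(SAMPLE, MAC):
        print(f"{addr:42} {scope:7} temporary={temp!s:5} embeds_mac={leaks}")
```

With privacy extensions active, the global line marked "temporary" is the one that does not embed the MAC; the link-local and the plain autoconf address still do.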

#5 2013-12-12 09:48:50

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: IPv6 privacy extensions not working

Aldaris wrote:

2. Create a file /etc/sysctl.conf with the option "net.ipv6.conf.default.use_tempaddr=2". This file seems to be ignored by everything but NetworkManager while NetworkManager applies this option to any NIC.

/etc/sysctl.conf is not used anymore.

alroar wrote:
alroar@x200 ~ % ifconfig wlan0

Oh my god. Do not use ifconfig. It has been deprecated for over a decade and its ipv6 capabilities are somewhere between limited and non-existent. It uses deprecated kernel interfaces and has a very limiting syntax. You should learn to use the 'ip' tool.

Offline

#6 2013-12-12 15:37:31

Aldaris
Member
Registered: 2013-06-06
Posts: 9

Re: IPv6 privacy extensions not working

brain0 wrote:

/etc/sysctl.conf is not used anymore.

Obviously, but NetworkManager does not seem to know this yet. ;-)

Offline

#7 2013-12-12 21:38:02

alroar
Member
Registered: 2012-10-15
Posts: 27

Re: IPv6 privacy extensions not working

Many thanks, Brain0 and Aldaris. As a matter of fact, I use NetworkManager as well. This reminds me of a dirty hack on NM when it would override some other files as well... but that's history.

That's some helpful information there, it's at least a usable workaround. However I would love NetworkManager to give an option to opt-in privacy extensions instead of reading deprecated files. Speaking of deprecated, thanks for that ifconfig hint, did not know that it was already sinking, will read some man pages of ip.


Thank you for using this post, have a great night.

Last edited by alroar (2013-12-12 21:38:48)

Offline

#8 2013-12-13 05:13:57

Aldaris
Member
Registered: 2013-06-06
Posts: 9

Re: IPv6 privacy extensions not working

alroar wrote:

However I would love NetworkManager to give an option to opt-in privacy extensions instead of reading deprecated files.

Option 1 does that. Unfortunately, nm-applet does not offer that option, so you have to edit your connection files manually, maybe even insert the option after every change, I did not test that. That's why I prefer using sysctl.conf for now.

Offline

#9 2013-12-13 06:11:54

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: IPv6 privacy extensions not working

Aldaris wrote:

That's why I prefer using sysctl.conf for now.

As mentioned by brain0 already /etc/sysctl.conf is not used anymore.

Offline

#10 2013-12-13 06:33:49

Aldaris
Member
Registered: 2013-06-06
Posts: 9

Re: IPv6 privacy extensions not working

WonderWoofy wrote:

As mentioned by brain0 already /etc/sysctl.conf is not used anymore.

Seems to be hardcoded into NetworkManager. Before you continue complaining, maybe someone should change that first. ;-)

Offline

#11 2013-12-13 06:56:05

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: IPv6 privacy extensions not working

Aldaris wrote:
WonderWoofy wrote:

As mentioned by brain0 already /etc/sysctl.conf is not used anymore.

Seems to be hardcoded into NetworkManager. Before you continue complaining, maybe someone should change that first. ;-)

Right, it is hardcoded. NetworkManager reads the key net.ipv6.conf.default.use_tempaddr from either /etc/sysctl.conf or /lib/sysctl.d/sysctl.conf.
Maybe it would be better to read /proc/sys/net/ipv6/conf/default/use_tempaddr here.

http://cgit.freedesktop.org/NetworkMana … 0fd4#n2702



Offline

#12 2013-12-13 16:09:08

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: IPv6 privacy extensions not working

Aldaris wrote:

Seems to be hardcoded into NetworkManager. Before you continue complaining, maybe someone should change that first. ;-)

Oooohhh, I see.  I missed your post above about NM not knowing this yet.  From the first post it sounded to me like NM ignored all the sysctl stuff and simply took its own config files.  But what you're saying is that one of those files that it honors is /etc/sysctl.conf!  I get it!

Sorry about the noise.

Offline

#13 2013-12-21 19:10:52

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: IPv6 privacy extensions not working

brain0 wrote:
Aldaris wrote:

2. Create a file /etc/sysctl.conf with the option "net.ipv6.conf.default.use_tempaddr=2". This file seems to be ignored by everything but NetworkManager while NetworkManager applies this option to any NIC.

/etc/sysctl.conf is not used anymore.

The configuration via "tempaddr" is getting a change as well in kernel 3.13: http://git.kernel.org/cgit/linux/kernel … 2a87e9ceb4

Offline

#14 2013-12-22 00:01:04

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: IPv6 privacy extensions not working

Strike0 wrote:

The configuration via "tempaddr" is getting a change as well in kernel 3.13: http://git.kernel.org/cgit/linux/kernel … 2a87e9ceb4

???? This doesn't change anything.

Offline
