Bug 790610

Summary: RFE: enable ipv6 privacy enhancements by default
Product: [Fedora] Fedora
Reporter: Hans de Goede <hdegoede>
Component: initscripts
Assignee: Bill Nottingham <notting>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: collura, dwmw2, iarlyy, initscripts-maint-list, jonathan, lnykryn, mjw, notting, plautrba, rick+rhbugzilla, rvokal
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-08-23 14:24:06 UTC

Description Hans de Goede 2012-02-14 22:26:04 UTC
In a network that uses stateless autoconfiguration with router advertisements,
every node will assign to itself a unique IP address. Our current config uses
the MAC address as part of this unique IP address. Using the MAC address
uniquely identifies a certain computer; parties you connect to
can use it to track your location even without the use of cookies.

IPv6 Privacy Extensions can be used to randomize the IP address that is used
for outgoing connections, making it unsuitable for tracking. Linux supports this,
but unlike Windows, under Linux it is not enabled by default. Please enable
this by default, by adding the following line to sysctl.conf:

net.ipv6.conf.all.use_tempaddr = 2

Comment 1 Bill Nottingham 2012-02-15 21:54:25 UTC
Is there any reason we wouldn't want to set this on the kernel side?

Comment 2 Rick V. 2012-03-12 14:12:18 UTC
The biggest reason to not enable this by default in the kernel is that there is no support for that.

--Quote--
Privacy Extensions for Stateless Address Autoconfiguration in IPv6        
support.  With this option, additional periodically-altered               
pseudo-random global-scope unicast address(es) will be assigned to        
your interface(s).                                                        
                                                                          
We use our standard pseudo-random algorithm to generate the               
randomized interface identifier, instead of one described in RFC 3041.    
                                                                          
By default the kernel does not generate temporary addresses.              
To use temporary addresses, do                                            
                                                                          
      echo 2 >/proc/sys/net/ipv6/conf/all/use_tempaddr                    
                                                                          
See <file:Documentation/networking/ip-sysctl.txt> for details.
--/Quote--


Besides that, to not be so different from other distros, I would recommend enabling it in /etc/sysctl.conf.

Comment 3 David Woodhouse 2012-08-23 14:24:06 UTC
Please don't do this insane thing. Let the registered tinfoil-hat wearers set it, but leave reverse DNS and sane behaviour working for the rest of us.

NM should have a way for those users to enable it though; let's close this bug as a duplicate of bug 828931.

*** This bug has been marked as a duplicate of bug 828931 ***