Bug 1187525 - Enable privacy extensions by default
Summary: Enable privacy extensions by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: NetworkManager
Version: 7.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: 7.2
Assignee: Thomas Haller
QA Contact: Desktop QE
Mark Flitter
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-01-30 10:57 UTC by David Jaša
Modified: 2015-11-19 10:59 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
IPv6 Privacy extensions now enabled by default To determine and set IPv6 privacy settings at device activation, NetworkManager now checks its network configuration in NetworkManager.conf by default, and falls back to "/proc/sys/net/ipv6/conf/default/use_tempaddr" if necessary.
Clone Of:
Environment:
Last Closed: 2015-11-19 10:59:48 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2315 normal SHIPPED_LIVE Moderate: NetworkManager security, bug fix, and enhancement update 2015-11-19 10:06:58 UTC

Description David Jaša 2015-01-30 10:57:55 UTC
Description of problem:
By default, privacy extensions are disabled when IPv6 is enabled. IMO this is bad default, privacy extensions should be enabled by default with default preference to public address, as specified in:
https://tools.ietf.org/html/rfc4941#section-3.6

Version-Release number of selected component (if applicable):
NetworkManager-1.0.0-10.git20150121.b4ea599c.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. enable ipv6 in IPv6 SLAAC-enabled connection
2. look at "IPv6 Privacy extensions" setting, look at v6 addresses on the interface
3.

Actual results:
"Disabled", only public and link-local v6 addresses are configured

Expected results:
"Enabled (prefer public address)", link-local, public and temporary addresses are configured.

Additional info:

Comment 1 Vladimir Benes 2015-01-30 12:20:42 UTC
you can easily do:
nmcli connection modify $connection ipv6.ip6-privacy [1,2]

Nevertheless, this says nothing about the defaults.

Comment 2 David Jaša 2015-01-30 14:37:13 UTC
(In reply to Vladimir Benes from comment #1)
> you can easily do:
> nmcli connection modify $connection ipv6.ip6-privacy [1,2]
> 
> Nevertheless, this says nothing about the defaults.

Yeah. Doing it for each and every connection is pretty onerous and forgetting-prone. The default settings should be good.

Comment 3 Thomas Haller 2015-06-05 13:05:12 UTC
Upstream merged http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=18ecf48d7a9d03194db1b65ef46e386284426f89


With those patches, you can now configure ipv6.ip6-privacy

 1) per-connection
 2) fallback to NM-wide config in NetworkManager.conf
 3) fallback to /proc/sys/net/ipv6/conf/default/use_tempaddr

We no longer read the static files /etc/sysctl.conf and /lib/sysctl.d/sysctl.conf as we used to.

But instead we fallback to /proc/sys/net/ipv6/conf/default/use_tempaddr (3), which means that the ultimate default-value is not determined by the NetworkManager.conf package.
That has the advantage, that the same default value is used for autoconf in kernel (accept_ra).
I prefer that NM does not define it's own default-value, but falls back to other configuration.


To fix this bug for NM, we need the upstream mentioned patches 18ecf48d.


But note that the ~default~ value is still not determined by NM package.


With this to configure a default-value either:

a) put a file /etc/NetworkManager/conf.d/01-default-ip6-privacy.conf:
    [connection.ip6-privacy]
    ipv6.ip6-privacy=1
b) or a file /etc/sysctl.d/99-default-ip6-privacy.conf:
    net.ipv6.conf.default.use_tempaddr=1



How does that sound?

Comment 4 Jirka Klimes 2015-06-19 10:23:10 UTC
The change is now also in nm-1-0 branch which will make it to RHEL 7.2.
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-0&id=2f51ba50df8341370ab1f480f9ec6d60cd32ece2

Comment 6 Vladimir Benes 2015-09-04 11:40:39 UTC
Default privacy can now be configured system wide or per connection on all supported architectures.

Comment 7 errata-xmlrpc 2015-11-19 10:59:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2315.html


Note You need to log in before you can comment on or make changes to this bug.