Red Hat Bugzilla – Bug 1187525
Enable privacy extensions by default
Last modified: 2015-11-19 05:59:48 EST
Description of problem:
By default, privacy extensions are disabled when IPv6 is enabled. IMO this is a bad default; privacy extensions should be enabled by default with default preference to public address, as specified in: https://tools.ietf.org/html/rfc4941#section-3.6

Version-Release number of selected component (if applicable):
NetworkManager-1.0.0-10.git20150121.b4ea599c.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. enable ipv6 in IPv6 SLAAC-enabled connection
2. look at "IPv6 Privacy extensions" setting, look at v6 addresses on the interface
3.

Actual results:
"Disabled", only public and link-local v6 addresses are configured

Expected results:
"Enabled (prefer public address)", link-local, public and temporary addresses are configured.

Additional info:
you can easily do:
  nmcli connection modify $connection ipv6.ip6-privacy [1,2]

Nevertheless, this says nothing about the defaults.
(In reply to Vladimir Benes from comment #1)
> you can easily do:
> nmcli connection modify $connection ipv6.ip6-privacy [1,2]
>
> Nevertheless, this says nothing about the defaults.

Yeah. Doing it for each and every connection is pretty onerous and forgetting-prone. The default settings should be good.
Upstream merged
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=18ecf48d7a9d03194db1b65ef46e386284426f89

With those patches, you can now configure ipv6.ip6-privacy
 1) per-connection
 2) fall back to NM-wide config in NetworkManager.conf
 3) fall back to /proc/sys/net/ipv6/conf/default/use_tempaddr

We no longer read the static files /etc/sysctl.conf and /lib/sysctl.d/sysctl.conf as we used to. Instead we fall back to /proc/sys/net/ipv6/conf/default/use_tempaddr (3), which means that the ultimate default-value is not determined by the NetworkManager.conf package. That has the advantage that the same default value is used for autoconf in kernel (accept_ra). I prefer that NM does not define its own default-value, but falls back to other configuration.

To fix this bug for NM, we need the upstream mentioned patches 18ecf48d. But note that the ~default~ value is still not determined by NM package.

With this, to configure a default-value, either:

 a) put a file /etc/NetworkManager/conf.d/01-default-ip6-privacy.conf:
      [connection.ip6-privacy]
      ipv6.ip6-privacy=1

 b) or a file /etc/sysctl.d/99-default-ip6-privacy.conf:
      net.ipv6.conf.default.use_tempaddr=1

How does that sound?
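Added example (not part of the bug thread and not NetworkManager's code): a small Python resolver that applies the three-level fallback order from the comment above and reports which layer decided the value, useful when auditing why a host has no temporary addresses. The function names are hypothetical; it assumes a per-connection value of -1 means "unset" and that the first `[connection*]` section carrying the key wins, ignoring any device matching in that section.

```python
import configparser

MEANING = {0: "disabled",
           1: "enabled (prefer public address)",
           2: "enabled (prefer temporary address)"}

def nm_conf_value(conf_text):
    """Return ipv6.ip6-privacy from the first [connection*] section, else None."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    for name in cp.sections():
        if name.startswith("connection"):
            raw = cp[name].get("ipv6.ip6-privacy")
            if raw is not None:
                return int(raw)
    return None

def resolve(conn_value, nm_conf_text, use_tempaddr_text):
    """Apply the fallback order 1) -> 2) -> 3); return (value, source)."""
    if conn_value in MEANING:                      # 1) per-connection setting
        return conn_value, "connection"
    nm_value = nm_conf_value(nm_conf_text)
    if nm_value in MEANING:                        # 2) NM-wide configuration
        return nm_value, "NetworkManager.conf"
    raw = int(use_tempaddr_text.strip())           # 3) kernel default sysctl
    # Kernel semantics: <= 0 off, 1 prefer public, > 1 prefer temporary.
    return (0 if raw <= 0 else min(raw, 2)), "sysctl"

if __name__ == "__main__":
    # Constructed sample inputs, mirroring option a) in the comment above.
    sample_conf = "[connection.ip6-privacy]\nipv6.ip6-privacy=1\n"
    for conn in (-1, 2):
        value, source = resolve(conn, sample_conf, "0\n")
        print(f"connection={conn}: {MEANING[value]} (from {source})")
```
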
The change is now also in nm-1-0 branch which will make it to RHEL 7.2.
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-0&id=2f51ba50df8341370ab1f480f9ec6d60cd32ece2
Default privacy can now be configured system wide or per connection on all supported architectures.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2315.html