Proposal: Enable IPv6 Privacy Extensions (RFCs 3041/4941) by
default
Rui Paulo
rpaulo at FreeBSD.org
Tue Jun 10 16:01:52 UTC 2008
On Mon, Jun 09, 2008 at 10:07:20PM -0700, Doug Barton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> By default, IPv6 stateless autoconfiguration creates a 64 bit hostid
> for each interface based on the mac address (for ethernet, but for us
> that's the common case). This is convenient since if you're using RA
> neither the user nor the admin has to do anything to get the node on
> line, it "just works." There is a privacy issue with this however,
> because this identifier is created in such a way as to make it
> globally unique, the machine (and therefore in almost all cases the
> user) can be tracked by third parties such as web sites, even if they
> move from one network prefix to another, such as with a laptop.
>
> To address those privacy concerns RFC 3041 was written, and eventually
> obsoleted by RFC 4941. ftp://ftp.rfc-editor.org/in-notes/rfc4941.txt
> Our IPv6 implementation comes with the code to enable this feature,
> but by default it is turned off. My proposal is to enable it by
> default, and give the user a knob in rc.conf to turn it off. I'm
> interested in any arguments y'all might have for or against. To test
> this is pretty simple, add the following to /etc/sysctl.conf:
> net.inet6.ip6.use_tempaddr=1
> net.inet6.ip6.prefer_tempaddr=1
>
> The "normal" EUI-64-based address will still be configured, but there
> will also be a random identifier added to the interface as an alias,
> and outgoing traffic will go out from that address.
>
> In way of comparison, windows starting with XP enables this feature by
> default for clients, and has a knob to enable it for servers. I'd be
> interested to hear what other systems do.
>
>
> Thoughts?
+1. I'm okay with it.
Regards,
--
Rui Paulo
More information about the freebsd-net
mailing list