On Tue, Jan 27, 2026 at 03:35:16AM +0330, Pouria Mousavizadeh Tehrani wrote:
> Hi everyone,
>
> With `net.inet6.ip6.use_stableaddr` now available, I believe we should
> enable it by default in CURRENT at least.
> As you may already know, we currently use the EUI64 method for generating
> stable IPv6 addresses, which has serious privacy issues.
>
> IMHO, trying to maintain backward compatibility defeats the purpose of a
> privacy RFC.
>
> To be clear, we don't want to change the IP addresses of existing servers.
> However, it's reasonable for users to expect changes during a major upgrade
> (15 -> 16), a fresh install of a new major release, or living on CURRENT.
> So, for obvious reasons, changing the default value would not be MFCed.
>
> What do you think?
I think this would be a good step for FreeBSD. In HardenedBSD, we set
net.inet6.ip6.{prefer,use}_tempaddr to 1, which creates completely
random IPv6 addresses (scoped to the prefix, of course).
The one thing I would hope is that support for completely random IPv6
addresses via SLAAC does not go the way of the dodo.
(If net.inet6.ip6.use_stableaddr becomes the default, we will likely
keep it at 0 in favor of the other aforementioned sysctl nodes.)
Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
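The thread's point about EUI-64 is that a MAC-derived interface identifier follows a host across prefixes and can be recognised on sight. The script below is an added example (not code from either poster or from FreeBSD/HardenedBSD) that audits a list of IPv6 addresses and reports which ones still carry an EUI-64 identifier, using the RFC 4291 Appendix A layout (the fixed `ff:fe` bytes in the middle of the IID and the flipped universal/local bit). The sample addresses are constructed; the function names are my own.

```python
"""Audit IPv6 addresses for EUI-64 (MAC-derived) interface identifiers.

Added example, not from the mailing-list thread. Classifies addresses as
EUI-64-derived or opaque so an operator can see which hosts still expose a
stable, MAC-derived identifier. All sample addresses below are constructed.
"""
import ipaddress


def interface_id(addr: str) -> bytes:
    """Return the low 64 bits (the interface identifier) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]


def is_eui64(addr: str) -> bool:
    """Heuristic from RFC 4291 Appendix A: a modified EUI-64 IID has the fixed
    bytes 0xFF 0xFE inserted between the OUI and the device-specific part.
    A random IID matches this by chance with probability 2**-16, so treat a
    hit as a strong hint rather than proof."""
    iid = interface_id(addr)
    return iid[3] == 0xFF and iid[4] == 0xFE


def embedded_mac(addr: str):
    """Recover the 48-bit MAC an EUI-64 IID was derived from (the U/L bit in
    the first byte is flipped back), or None if the IID is not EUI-64."""
    if not is_eui64(addr):
        return None
    iid = interface_id(addr)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addrs):
    """Classify each address; returns a list of (address, kind, mac_or_None)."""
    report = []
    for a in addrs:
        mac = embedded_mac(a)
        kind = "eui64" if mac else "opaque"
        report.append((a, kind, mac))
    return report


# Constructed sample: one EUI-64 global address, its link-local twin, and one
# address whose IID is opaque (as a temporary or stable-private address is).
SAMPLE = [
    "2001:db8::a00:27ff:fe4e:66a1",
    "fe80::a00:27ff:fe4e:66a1",
    "2001:db8::3f1c:9b2d:77e0:c4a5",
]

if __name__ == "__main__":
    for addr, kind, mac in audit(SAMPLE):
        print(f"{addr:32} {kind:7} {mac or '-'}")
```

Feeding this the addresses from `ifconfig` on a host that still defaults to EUI-64 shows the same MAC turning up in both the link-local and every global address, which is exactly the cross-prefix linkability that temporary or stable-private identifiers (`use_tempaddr` / `use_stableaddr`) remove.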
