[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
Is the current situation good enough?

In the procps package, the default is still "2". Image deployments change that as Scott described in comment #23 (but that was 3y ago, might have changed). I don't know how server installs using the text mode installer behave, it's been a while since I last used it.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1068756

Title:
  IPv6 Privacy Extensions enabled on Ubuntu Server by default

Status in cloud-init package in Ubuntu:
  Triaged
Status in procps package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 12.04 LTS and Ubuntu 12.10 server images both ship with the IPv6 Privacy Extensions enabled (as defined in RFC 4941[0]). Not only are they enabled, but these addresses are preferred over addresses obtained using SLAAC.

  While it may be considered a reasonable default on an image being used on a personal computer, it's not something that is sane to have enabled by default in a server environment. Having this extension enabled can wreak havoc if you are expecting a specific IPv6 address when you know the MAC addresses of your systems beforehand.

  The file that is responsible for causing this to be defaulted to enabled is: "/etc/sysctl.d/10-ipv6-privacy.conf". This file appears to be part of the procps package (as per the output of 'dpkg -S') and contains the following:

    # IPv6 Privacy Extensions (RFC 4941)
    # ---
    # IPv6 typically uses a device's MAC address when choosing an IPv6 address
    # to use in autoconfiguration. Privacy extensions allow using a randomly
    # generated IPv6 address, which increases privacy.
    #
    # Acceptable values:
    #0 - don’t use privacy extensions.
    #1 - generate privacy addresses
    #2 - prefer privacy addresses and use them over the normal addresses.
    net.ipv6.conf.all.use_tempaddr = 2
    net.ipv6.conf.default.use_tempaddr = 2

  In short, IPv6 privacy extensions should not be enabled by default when deploying an Ubuntu server image. In a server environment you should be able to reliably determine your IPv6 address based on the MAC address of the system.

  Thank you for taking the time to look into this as well as consider changing the default behavior of Ubuntu server.

  -Tim Heckman

  [0] http://tools.ietf.org/html/rfc4941

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1068756/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
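
Added example, not part of the original report: the address a server gets from kernel EUI-64 SLAAC can be computed from its MAC address, which is the predictability the bug description relies on, and then checked against what the interface actually carries. The prefix, MAC address and `ip -o -6 addr show` lines below are constructed, and the check assumes the kernel's EUI-64 address generation (not RFC 7217 identifiers) is in use.

```shell
#!/bin/sh
# Added example: predict the EUI-64 SLAAC address for a MAC and compare it
# with the addresses on an interface. All sample values are constructed.

# Modified EUI-64 interface identifier (RFC 4291, Appendix A):
# flip the universal/local bit of the first octet, insert ff:fe in the middle.
eui64_iid() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    printf '%x:%x:%x:%x\n' \
        $(( ((0x$1 ^ 0x02) << 8) | 0x$2 )) \
        $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) \
        $(( (0x$5 << 8) | 0x$6 ))
}

# PREFIX is the /64 written as four explicit groups, e.g. 2001:db8:0:1
slaac_address() {
    iid=$(eui64_iid "$2") || return 1
    printf '%s:%s\n' "$1" "$iid"
}

# Reads `ip -o -6 addr show` text on stdin and prints "<present|missing> <n>":
# whether EXPECTED is configured on IFACE, and how many RFC 4941 temporary
# addresses that interface carries.
audit_addrs() {
    awk -v dev="$1" -v want="$2" '
        $2 == dev && $3 == "inet6" {
            split($4, a, "/")
            if (a[1] == want) found = 1
            for (i = 5; i <= NF; i++) if ($i == "temporary") temp++
        }
        END { printf "%s %d\n", (found ? "present" : "missing"), temp }'
}

# Constructed sample of `ip -o -6 addr show` with privacy extensions active.
sample_ip_output() {
    cat <<'EOF'
2: eth0    inet6 2001:db8:0:1:f1e2:d3c4:b5a6:9788/64 scope global temporary dynamic \       valid_lft 86390sec preferred_lft 14390sec
2: eth0    inet6 2001:db8:0:1:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr \       valid_lft 86390sec preferred_lft 14390sec
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

# Demo on the constructed values; on a live host pipe in `ip -o -6 addr show`.
expected=$(slaac_address 2001:db8:0:1 52:54:00:12:34:56)
printf 'expected stable address: %s\n' "$expected"
sample_ip_output | audit_addrs eth0 "$expected"
```

A non-zero temporary count next to a present stable address is the state the report describes: the predictable address exists, but with use_tempaddr = 2 outgoing connections prefer the temporary one.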
[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
Hi Christian.

Some comments/corrections:

1) On servers privacy extensions are *not* always enabled. As I pointed out in comment #24, if NM is not in use, privacy extensions are only enabled for userspace-created interfaces such as "vlan123". It is *not* enabled by default for physical interfaces such as "eth0". This is inconsistent, but at least it's a good default for most people (i.e., those that are using "eth0").

2) The old bugs #176125 and #841353 concern themselves with the potential leak of information of the user's MAC address. While this was a valid concern in the past, it no longer is. This is because (as I also pointed out in comment #24) NM will by default use RFC7217 interface identifiers. These do not contain the MAC address. Additionally, they will change when moving between networks, preventing tracking.

3) Finally, which has been pointed out by others earlier in the thread, even RFC4941 itself recommends that privacy extensions are disabled by default.

Tore
[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
Thanks Tore for checking so much details and all the relations to NetworkManager it might have on a Desktop.

On a server (no NM) I'd think it is always enabled I'd think. But if that is a bug or not is a "discussion".

Just as much as users want it off (here) others want it on - see bug 176125 and bug 841353. I think it is about the best default and control. Reading through these bugs IMHO I see stronger arguments to keep it enabled for now - and since /etc/sysctl.d/10-ipv6-privacy.conf is a conffile it can be adapted if needed.

I'd currently be more concerned if disabling in /etc/sysctl.d/10-ipv6-privacy.conf would not switch them off in all of them, but had no time to check.

I'll also subscribe cyphermox who worked on enabling that if this becomes more of a discussion.
[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
In case anyone's interested in knowing why setting net/ipv6/conf/all/use_tempaddr=2 no longer changes the value of pre-existing interfaces (thus ensuring privacy extensions are disabled by default for physical interfaces configured through /etc/network/interfaces), it's because http://kernel.ubuntu.com/git/ubuntu/ubuntu-trusty.git/commit/?id=c999e7dff4570e4c28a0953e7189c0c31343ce62 was dropped from the Ubuntu kernel packages starting with Utopic.
[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
Correction to my previous comment: "disable_ipv6" should of course have read "use_tempaddr" throughout, except for the part about NM bouncing the disable_ipv6 sysctl.
[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
The situation appears to have improved somewhat in Xenial.

The net/ipv6/conf/all/disable_ipv6 sysctl appears to have become a no-op in recent kernels, so when 10-ipv6-privacy.conf gets applied during the bootup sequence (by systemd-sysctl.service) it does *not* change the effective per-device setting for already existing devices (which defaults to 0).

However, for devices that show up later in the boot process, the 10-ipv6-privacy.conf-set value of net/ipv6/conf/default/disable_ipv6 is inherited, so privacy extensions remain enabled by default for userspace-created devices.

Finally, NetworkManager will by default bounce the disable_ipv6 sysctl on devices it's bringing up. That seems to cause the device's use_tempaddr sysctl to be re-inherited from net/ipv6/conf/default/disable_ipv6, ensuring the setting from 10-ipv6-privacy.conf is applied.

In summary, the following seems to be true in Xenial:

- Physical kernel-plumbed interfaces (e.g., "eth0") managed through interfaces(5): Privacy extensions disabled by default.
- Physical kernel-plumbed interfaces (e.g., "eth0") managed through NetworkManager(8): Privacy extensions enabled by default.
- User-space created interfaces (e.g., "bond0" or "vlan123"), regardless of management method: Privacy extensions enabled by default.

Another thing worth noting is that the version of NetworkManager shipped by Xenial uses RFC7217 Interface IDs by default. These are randomly generated and do not leak MAC addresses, yet they are stable on any given link/network. They will change when the link prefix changes, thus preventing tracking between networks. So where NetworkManager is used, there is IMHO very little rationale remaining for enabling RFC 4941 privacy extensions by default.

https://blogs.gnome.org/lkundrak/2015/12/03/networkmanager-and-privacy-in-the-ipv6-internet/
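
Added example, not part of the original comment or of any Ubuntu package: a POSIX sh check that compares the use_tempaddr value configured under /etc/sysctl.d with the effective per-interface values under /proc/sys, which is the mismatch the Xenial summary above describes. The sample tree (eth0, vlan123 and their values) is constructed to mirror the interfaces(5) case; pass / as the root to check a live host.

```shell
#!/bin/sh
# Added example: configured vs. effective use_tempaddr, per interface.
# Kernel semantics: <= 0 off, 1 generate temporary addresses but prefer the
# public one, > 1 generate and prefer temporary addresses.

# Last value assigned to net.ipv6.conf.<scope>.use_tempaddr across
# ROOT/etc/sysctl.d/*.conf. Files are read in lexical order, so a later file
# overrides 10-ipv6-privacy.conf. Prints "unset" if nothing assigns it.
configured_tempaddr() {
    root=${1%/}; scope=$2; result=unset
    for f in "$root"/etc/sysctl.d/*.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n "s|^[[:space:]]*net[./]ipv6[./]conf[./]$scope[./]use_tempaddr[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*|\1|p" "$f" | tail -n 1)
        if [ -n "$v" ]; then result=$v; fi
    done
    printf '%s\n' "$result"
}

# Prints one line per real interface whose effective value differs from the
# configured "default" value. all, default and lo are skipped.
tempaddr_mismatches() {
    root=${1%/}
    want=$(configured_tempaddr "$1" default)
    # No file sets it: compare against 0, the kernel default for most devices.
    if [ "$want" = unset ]; then want=0; fi
    for f in "$root"/proc/sys/net/ipv6/conf/*/use_tempaddr; do
        [ -r "$f" ] || continue
        iface=${f%/use_tempaddr}; iface=${iface##*/}
        case $iface in all|default|lo) continue ;; esac
        have=$(cat "$f")
        if [ "$have" != "$want" ]; then
            printf '%s effective=%s configured_default=%s\n' "$iface" "$have" "$want"
        fi
    done
}

# Constructed tree: 10-ipv6-privacy.conf as quoted in the bug description,
# eth0 left at 0 (pre-existing device), vlan123 at 2 (inherited from default).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/sysctl.d"
    printf '%s\n' '# IPv6 Privacy Extensions (RFC 4941)' \
        'net.ipv6.conf.all.use_tempaddr = 2' \
        'net.ipv6.conf.default.use_tempaddr = 2' \
        > "$t/etc/sysctl.d/10-ipv6-privacy.conf"
    for pair in all=2 default=2 lo=-1 eth0=0 vlan123=2; do
        d="$t/proc/sys/net/ipv6/conf/${pair%%=*}"
        mkdir -p "$d"
        printf '%s\n' "${pair#*=}" > "$d/use_tempaddr"
    done
    printf '%s\n' "$t"
}

# Demo on the constructed tree; on a live host run: tempaddr_mismatches /
demo=$(make_sample_tree)
tempaddr_mismatches "$demo"
rm -rf "$demo"
```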
[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
** Tags added: trusty
[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
ok. so some updates.

Ben fixed this in the cloud image build process via [1] (commit [2]), and limited the change to utopic+.

The fix was done by adding a file /etc/sysctl.d/99-cloudimg-ipv6.conf

The problem with this change is described in bug 1352255 and bug 994931. If ipv6 addresses are already configured, then setting the 'net.ipv6.conf.all.use_tempaddr' will remove the configured addresses.

So to actually fix this right, I suggest that the build process:
 * dpkg-divert /etc/sysctl.d/10-ipv6-privacy.conf to /etc/sysctl.d/10-ipv6-privacy.conf.disabled
 * add a file /etc/sysctl.d/10-ipv6-privacy.conf.README that explains that and how the user could re-enable it (un-dpkg-divert it).

--
[1] http://bazaar.launchpad.net/~ubuntu-on-ec2/vmbuilder/automated-ec2-builds/view/head:/live-config/common/hooks/060-ipv6.chroot
[2] http://bazaar.launchpad.net/~ubuntu-on-ec2/vmbuilder/automated-ec2-builds/revision/646
[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
interestingly enough, modifying the privacy settings via sysctl has some negative effects if addresses are already up. see diagnosis in bug 1377005.
[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
Just to document additional support. I concur that on a Server install, PE should be disabled by default. A server doesn't fall into the use case of needing to protect the privacy of the user. It is meant to be known, not obfuscated.
[Touch-packages] [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
marked this 'triaged' in cloud-init while still not really relevant. Ben Howard has disabled the privacy extensions in cloud images in 14.10, and the plan is to just do the same for 14.04.

** Changed in: cloud-init (Ubuntu)
       Status: New => Triaged

** Changed in: cloud-init (Ubuntu)
   Importance: Undecided => Medium