This is already covered in NetworkManager, there's now a way to
enable/disable privacy extensions locally; but there was an error in
setting it up as enabled by default (I forgot to set it to TRUE when I
included the upstream patch, which defaults it to FALSE).
--
You received this bug
FWIW; this was in patch debian/patches/manage-privacy-extensions.patch;
but the default value for the enable-ip6-privacy property needs to be
TRUE rather than FALSE.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
This bug was fixed in the package network-manager -
0.9.2.0+git201202161854.8572ecf-0ubuntu4
---
network-manager (0.9.2.0+git201202161854.8572ecf-0ubuntu4) precise; urgency=low
[ Gabor Kelemen ]
* debian/network-manager.upstart: Make NM aware of the locale. (LP: #875017)
[
This bug was fixed in the package procps - 1:3.2.8-11ubuntu5
---
procps (1:3.2.8-11ubuntu5) precise; urgency=low
* debian/sysctl.d/10-ipv6-privacy.conf: add a file to sysctl.d to apply the
defaults for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
-- Mathieu
ew59, please don't assign yourself to bugs unless you plan on directly
working on them ;)
The above upload of procps comes after rather complete and extensive
discussion at UDS Precise (and from the output of the same discussion at
the previous UDS); there's a clear and definite benefit in
** Branch linked: lp:~mathieu-tl/ubuntu/precise/procps/ipv6-privext
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/176125
Title:
Ubuntu should activate the IPv6 privacy extension by default (echo 2
** Changed in: procps (Ubuntu)
Assignee: (unassigned) = ew59 (w-ewert)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/176125
Title:
Ubuntu should activate the IPv6 privacy extension by default
@Michael Heimann
yeah, the idea IS to have a workaround for ssh, and only for it (or some other
server-software).
with tempaddr = 2 you have a dynamic and a static ip, and softwares are
using the dynamic by default, if not configured otherwise.
You can surf (more) anonymously, but your
** Changed in: network-manager (Ubuntu)
Assignee: (unassigned) = Mathieu Trudel-Lapierre (mathieu-tl)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/176125
Title:
Ubuntu should activate the
I believe it would be great to have this feature in the upcoming LTS
release, as the problem affects more and more users in the future,
especially with the 5 year support cycle. I think it's not a big deal
for admins to disable it, while most plain users aren't aware of the
problem nor have the
I also consider this as a serious privacy issue : in my opinion, IPv6 privacy
should be enabled by default, while letting the user/admin disable it if
necessary.
In any case, I agree that the upcoming LTS version is the right moment to make
a decision on that issue
--
You received this bug
So how we deal with this situation in the future? Do we respect privacy
anymore or not? Microsoft seams to be more trustworthy than Linux
nowadays ... What's the problem with this issue?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
I think the Ubuntu installer should come with a checkbox option:
[ ] Leave me naked on the Internet and STAB ME IN THE BACK.
Regardless of whether it's checked or unchecked by default, I have a
feeling most people aren't going to want that.
Right now, I'm typing on an operating system where
We need to be encouraging the adoption of IPv6, not disabling it. And
how would it make it possible to count the number of Linux users?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/176125
Title:
Please, disable IPv6 by default and warn the user of the security
issues, if he wants to enable IPv6. To have an open door by default is
not the best idea IMHO.
Otherwise it has an advantage: We'll be able to easily count the amount
of Linux users in the world in the future ;)
PS: Why is this
@Michael Heimann
if you're using a software which needs long tcp-sessions, you have to either ...
... use the non-PE address, as its stays valid forever (or as long as your
prefix is valid)
... or increase the time the temp-addr is valid
... or deal with the connection-loss from time to time
--
There's a bug for NM not having an IPv6 privacy extension option, see
https://bugzilla.gnome.org/show_bug.cgi?id=633233 (Not that it looks
like much is happening.)
** Bug watch added: GNOME Bug Tracker #633233
https://bugzilla.gnome.org/show_bug.cgi?id=633233
--
You received this bug
@Allo: This whould be a workaround that disables privacy extensions for
one software only instead of deactivating it completly. The bug is with
the privacy extensions and not with ssh. Actually all other software
clients would also suffer under the bug.
@all:
I really can't understand why this is
you nee to use the permanent address as source-address for ssh
man ssh_config
BindAddress
Use the specified address on the local machine as the source
address of the connection. Only useful on
systems with more than one address. Note that this option
Hi, one thing:
net.ipv6.conf.default.use_tempaddr = 2 breaks TCP sessions.
I've been using IPv6 for some time now with this turned on and nearly
all worked BUT: ssh sessions hung after some time. I first expected some
sort of ssh bug since everything else worked but I wiresharked it and
the
I certainly won't have time to implement setting these settings in the
UI for NM for natty, so I'm removing the bug assignment.
** Changed in: network-manager (Ubuntu)
Assignee: Mathieu Trudel-Lapierre (mathieu-tl) = (unassigned)
--
You received this bug notification because you are a
please add it for ubuntu 11.04. I really want to enable ipv6 for the network,
but there will always be machines where privacy-extensions are forgotten, so
its a good default to set them to on by default.
the 2 option adds an unique address as well, so it should not be a problem,
only the
I currently only administer a bunch of small/medium networks (up to 50
machines) and frankly I currently reject/disable any IPv6 on those
networks (makes my life easier since I don't have the time to check if
all devices have proper IPv6 security). But from experiences at previous
jobs I pretend
I guess best idea would be if some (recognised) IPv6 expert spoke up on
this topic.
Well, Ron Broersma did chime in :)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/176125
Title:
Ubuntu should
I must admit that I hadn't heard Ron's name before but Google tells me
that he definitely has some experiences with IPv6 on large scale
enterprise networks :)
He's got more or less the same arguments you have and I'm still not
entirely convinced (the RFC says so is also not a good reasoning)
Even if it is off by default on every operating system, some users are
invariable going to enable it, and you need to deal with them anyway.
This is exactly the point!
Ron, Derek, I can understand your headache with the privacy extensions
in your scenarios. But you problems are not solved by
I frankly couldn't care less if someone knows my MAC address. The MAC
address of the laptop I'm typing on right now is 00:1e:c2:c0:52:e3.
What does that get you? Not much.
If you're concerned about being tracked across the Internet, your IP
address is probably the least of your concerns. Have
I don't buy the enterprise argument flowing through this discussion:
* What kind of enterprise network are you running where you don't
control the clients and can't disable privacy extensions?
* If you want to make sure nobody uses privacy extensions on your net,
just reject all outgoing
My enterprise is a large research university in North America. We
control University owned machines, but student-owned machines are a
different matter.
I'm not certain that filtering privacy addresses at the border is
sufficient. I'd need to check with our security office, but I suspect
we'd also
I do not think users will be very happy when they discover that they are
globally trackable when IPv6 is enabled.
The RFC solves the problem of being trackable within a site, when the big
problem is being trackable between sites.
Unfortunately it is the only mechanism available at the moment,
Please DO NOT enable privacy extensions by default. For enterprise
networks, this causes serious headaches, and is a very bad idea. There
are good reasons why the RFC says this should be disabled by default.
It impacts address management, DNS updates, forensics in response to
incidents, ability
Philipp,
That's not what I said (that's what tonfa said in reply to my note). At
many higher education institutions, we have policies that we need to
know who is using any given IP address at any point in time. Privacy
addresses make this much, much harder. Yes, we can disable them on
managed
At many higher education institutions, we have policies that we need to know
who is using any given IP address at any point in time.
If this was to control access, couldn't you just make a separate /64 for
unmanaged computers and filter based on that? I can see how you might want to
know who
On Jan 18, 2011 9:46 PM, Erik B. Andersen erik.b.ander...@gmail.com
wrote:
At many higher education institutions, we have policies that we need to
know who is using any given IP address at any point in time.
If you *need* to know, and computer are self-managed, then the fact that
privacy
I am of the opinion that this should be turned on by default.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/176125
Title:
Ubuntu should activate the IPv6 privacy extension by default (echo 2
I would like to see the default be private. However, the best way to
accomplish this is still not entirely clear. Probably the udev rule
makes the most sense, but if ipv6 is up early enough, sysctl would be
sufficient.
It does sound like network-manager would be required to have a toggle,
though,
I'm assigning the NM bug task to myself to work on allowing users to
toggle this setting.
Note that privacy extensions only really affect autogenerated addresses
(or at least, that's what I got out of my quick read of RFC 4941). It's
a nice and useful feature for users in general when dealing
Erik, the issue isn't access control. It's logging and compliance. If
someone uses our network to break the law, we need to be able to
identify the responsible person. Privacy addresses are directly at odds
with this requirement. Leaving them off by default isn't a 100%
solution, but it helps a
The method described in Post #28 doesn't work for me, the method in Post
#14 does. I'm using Ubuntu Maverick 10.10 x64.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/176125
Title:
Ubuntu should
Could this get reevaluated for natty?
Recent kernels have IPv6 enabled by default and with IPv6 day coming up
(http://www.ipv6day.org/) and major providers here in germany having
announced to enable IPv6 in 2011 this is turning into a much more
important issue than back in 2007!
--
You received
I guess it would make more sense to add an option to NetworkManager
where you can enable or disable this flag. NetworkManager could enable
it per default then.
If this was implemented I'd even go one step further:
* Set /proc/sys/net/ipv6/conf/all/accept_ra to 0 per default (if I setup a
server
There's an article which describes a simple method to activate it:
http://www.heise.de/netze/hotline/IPv6-anonym-1100727.html
Just add a line to your /etc/udev/rules.d/70-persistent-net.rules:
SUBSYSTEM==net, ACTION==add, DRIVERS==?*, ATTR{dev_id}==0x0,
ATTR{type}==1, KERNEL==eth*, RUN+=sysctl
Whoopie, did you try that? Either I've done something wrong or that
doesn't work. At least it didn't work on my machine running maverick.
I would prefer enabling Privacy Extensions by default. As Derek Morr
said before, if you manage an enterprise network you have the knowledge
and the ability to
** Tags added: ipv6 privacy
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
/proc/sys/net/ipv6/conf/all/use_tempaddr)
https://bugs.launchpad.net/bugs/176125
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
OK, that mess is unrelated, IPv6 network here is under construction..
there are really so many radvds around
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
/proc/sys/net/ipv6/conf/all/use_tempaddr)
https://bugs.launchpad.net/bugs/176125
You received this bug
I am having trouble with ipv6 after upgrade to maverick... a ton of
addresses is assigned instead of 2 (and it does not work)
inet (addr) brd (addr) scope global eth0
inet6 2002:(addr)/64 scope global temporary deprecated dynamic
inet6 2002:(addr)/64 scope global deprecated dynamic
oh.. nevermind.. it is 6to4, I hope by admins, not by networkmanager on
my ubuntu computer
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
/proc/sys/net/ipv6/conf/all/use_tempaddr)
https://bugs.launchpad.net/bugs/176125
You received this bug notification because you are
** Changed in: procps (Ubuntu)
Importance: Undecided = Wishlist
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
/proc/sys/net/ipv6/conf/all/use_tempaddr)
https://bugs.launchpad.net/bugs/176125
You received this bug notification because you are a member of Ubuntu
Bugs,
So here's the dilemma:
Either we enable it by default (like Windows 7 does, btw!) and take a few risks
(networks are harder to debug, difficulties with applications, etc.) or we
disable it and lessen privacy for end-users.
I'd prefer the second option, but only if we had a way of disabling it
Speaking from an enterprise network perspective, I very much do *not*
want to see privacy addresses enabled by default, as they can make
complying with our network security policies much more difficult.
In terms of demographics, Ubuntu doesn't have nearly the market share in the
enterprise as
RFC 4941, Section 3.6, says that temporary addresses should be disabled
by default.
Speaking from an enterprise network perspective, I very much do *not*
want to see privacy addresses enabled by default, as they can make
complying with our network security policies much more difficult.
--
On Fri, Apr 10, 2009 at 03:00:28PM -, Derek Morr wrote:
RFC 4941, Section 3.6, says that temporary addresses should be disabled
by default.
ACK, does Vista still does it by default ?
Speaking from an enterprise network perspective, I very much do *not*
want to see privacy addresses
I *have* read both, and the arguments from RFC 3041 Considered Harmful-draft
have been
dealt with in RFC4941, Section 7. So there does not seem to be a reason for
disabling the privacy extension.
In fact, the arguments form the Considered Harmful-draft are, in some
sense, not valid -- the
Updated links:
* RFC4941 (obsoletes RFC3041), written in September 2007:
http://tools.ietf.org/html/rfc4941
* RFC 3041 Considered Harmful Internet Draft, written in June 2004, expired
December 2004:
http://tools.ietf.org/html/draft-dupont-ipv6-rfc3041harmful-05
Because the RFC 3041
And you're sure that this file is processed after interfaces are going up?
I was asking, because I've no clue..
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
/proc/sys/net/ipv6/conf/all/use_tempaddr)
https://bugs.launchpad.net/bugs/176125
You received this bug
I've tried that.
Error messages like: Error: net.ipv6.conf.xxx.xxx is an unknown key
have just moved to next line when booting..
Files /etc/sysctl.d/nn-*.conf are loaded immediately after /etc/sysctl.conf
Numbers (nn) are only for adjusting execution order.
note: This probably won't change
@MMlosh
To workaround this, I added ipv6 to /etc/modules
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
/proc/sys/net/ipv6/conf/all/use_tempaddr)
https://bugs.launchpad.net/bugs/176125
You received this bug notification because you are a member of Ubuntu
Bugs, which is
:(
Loading ipv6 module removes failed messages when booting
and sets properly net.ipv6.conf.xxx.xxx variables, but address is still from
MAC...
Maybe it's just wrong radvd configuration... I've no clue.
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
The way I got it to right (didn't reboot since some time so I'm not sure
it's still ok):
net.ipv6.conf.wlan0.use_tempaddr = 2
net.ipv6.conf.eth0.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
in /etc/sysctl.conf
and ipv6
in /etc/modules
After that,
I was missing that line with eth0, thanks This behavior does not
look like intended (all should IMHO set this variable for all
interfaces and default should do that for new interfaces...)
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
On Tue, Nov 25, 2008 at 06:15:02PM -, MMlosh wrote:
I was missing that line with eth0, thanks This behavior does not
look like intended (all should IMHO set this variable for all
interfaces and default should do that for new interfaces...)
I agree, but it doesn't seem to work and I
There is a possibility to use /etc/sysctl.d/10-network-security.conf
I'm not sure if it won't be too late here. But these rules should be processed
after regular sysctl rules...
Am I right?
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
There is a possibility to use /etc/sysctl.d/10-network-security.conf (Ubuntu
8.10 Intrepid and up only)
I'm not sure if it won't be too late here. But these rules should be processed
after regular sysctl rules...
Am I right?
--
Ubuntu should activate the IPv6 privacy extension by default
I think we want it to be executed after ipv6 is loaded and before any
interface is up.
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
/proc/sys/net/ipv6/conf/all/use_tempaddr)
https://bugs.launchpad.net/bugs/176125
You received this bug notification because you are a
Can the privacy extension be listed in /etc/sysctl.conf but commented
out by default?
putting sysctl -w net.ipv6.conf.all.use_tempaddr=2 in /etc/rc.local
seemed to get it working on 8.04.1 for me.
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
RFC 3041 is not without controversy. For example, see RFC 3041
Considered Harmful (an Internet-Draft and thus work in progress; I
could only find an expired copy, but haven't found a reason why the
underlying issues should have expired):
http://www.6net.org/publications/standards/draft-dupont-
Anyway for this sysctl change to work, ipv6 has to be loaded (in /etc/modules)
before the sysctl change and it is too late to change that for hardy.
(unless you know how to have some sysctl affect a not yet loaded module, for
example with some udev magic ?)
--
Ubuntu should activate the IPv6
** Changed in: procps (Ubuntu)
Status: New = Confirmed
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
/proc/sys/net/ipv6/conf/all/use_tempaddr)
https://bugs.launchpad.net/bugs/176125
You received this bug notification because you are a member of Ubuntu
Bugs,
I agree that this should be turned on by default. For any entry in the
net.ipv4.conf or net.ipv6.conf trees I believe both .all and
.default should be set to achieve the desired effect. In this case
the proper sysctl.conf settings are:
net.ipv6.conf.all.use_tempaddr=2
I too think this should be the default policy, there is no good reason to
expose your MAC-address to the world.
But adding net.ipv6.conf.all.use_tempaddr=2 to /etc/sysctl.conf was not enough
to get it working on my Ethernet interface from boot.
I also had to add
If that helps, windows uses those temporary addresses by default when
using ipv6.
--
Ubuntu should activate the IPv6 privacy extension by default (echo 2
/proc/sys/net/ipv6/conf/all/use_tempaddr)
https://bugs.launchpad.net/bugs/176125
You received this bug notification because you are a member
71 matches
Mail list logo
