The situation appears to have improved somewhat in Xenial. The net/ipv6/conf/all/disable_ipv6 sysctl appears to have become a no-op in recent kernels, so when 10-ipv6-privacy.conf gets applied during the bootup sequence (by systemd-sysctl.service) it does *not* change the effective per-device setting for already existing devices (which defaults to 0).

However, for devices that show up later in the boot process, the 10-ipv6-privacy.conf-set value of net/ipv6/conf/default/disable_ipv6 is inherited, so privacy extensions remain enabled by default for userspace-created devices. Finally, NetworkManager will by default bounce the disable_ipv6 sysctl on devices it's bringing up. That seems to cause the device's use_tempaddr sysctl to be re-inherited from net/ipv6/conf/default/disable_ipv6, ensuring the setting from 10-ipv6-privacy.conf is applied.

In summary, the following seems to be true in Xenial:

- Physical kernel-plumbed interfaces (e.g., "eth0") managed through interfaces(5): privacy extensions disabled by default.
- Physical kernel-plumbed interfaces (e.g., "eth0") managed through NetworkManager(8): privacy extensions enabled by default.
- User-space created interfaces (e.g., "bond0" or "vlan123"), regardless of management method: privacy extensions enabled by default.

Another thing worth noting is that the version of NetworkManager shipped by Xenial uses RFC 7217 Interface IDs by default. These are randomly generated and do not leak MAC addresses, yet they are stable on any given link/network. They will change when the link prefix changes, thus preventing tracking between networks. So where NetworkManager is used, there is IMHO very little rationale remaining for enabling RFC 4941 privacy extensions by default.

https://blogs.gnome.org/lkundrak/2015/12/03/networkmanager-and-privacy-in-the-ipv6-internet/

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1068756

Title:
  IPv6 Privacy Extensions enabled on Ubuntu Server by default

Status in cloud-init package in Ubuntu:
  Triaged
Status in procps package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 12.04 LTS and Ubuntu 12.10 server images both ship with the IPv6 Privacy Extensions enabled (as defined in RFC 4941[0]).
  Not only are they enabled, but these addresses are preferred over addresses obtained using SLAAC. While it may be considered a reasonable default on an image being used on a personal computer, it's not something that is sane to have enabled by default in a server environment. Having this extension enabled can wreak havoc if you are expecting a specific IPv6 address when you know the MAC addresses of your systems beforehand.

  The file that is responsible for causing this to be defaulted to enabled is: "/etc/sysctl.d/10-ipv6-privacy.conf". This file appears to be part of the procps package (as per the output of 'dpkg -S') and contains the following:

    # IPv6 Privacy Extensions (RFC 4941)
    # ---
    # IPv6 typically uses a device's MAC address when choosing an IPv6 address
    # to use in autoconfiguration. Privacy extensions allow using a randomly
    # generated IPv6 address, which increases privacy.
    #
    # Acceptable values:
    #    0 - don't use privacy extensions.
    #    1 - generate privacy addresses
    #    2 - prefer privacy addresses and use them over the normal addresses.
    net.ipv6.conf.all.use_tempaddr = 2
    net.ipv6.conf.default.use_tempaddr = 2

  In short, IPv6 privacy extensions should not be enabled by default when deploying an Ubuntu server image. In a server environment you should be able to reliably determine your IPv6 address based on the MAC address of the system.

  Thank you for taking the time to look into this as well as consider changing the default behavior of Ubuntu server.

  -Tim Heckman

  [0] http://tools.ietf.org/html/rfc4941
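An added example, not part of the bug report or of procps: since net.ipv6.conf.all.use_tempaddr does not rewrite the setting of interfaces that already exist, only the per-interface files under /proc/sys/net/ipv6/conf show what is actually in effect, and this script reports them. The optional root-directory argument is an assumption added here so the functions can be pointed at a constructed /proc tree instead of the live system.

```shell
#!/bin/sh
# Added example, not from the bug report: report the effective per-interface
# use_tempaddr value. The 'all' entry does not rewrite already existing
# interfaces, so only the per-interface files tell you what is in effect.
# $1 is an optional alternate root (assumption for testing); default is /.
audit_use_tempaddr() {
    conf="${1:-}/proc/sys/net/ipv6/conf"
    for f in "$conf"/*/use_tempaddr; do
        [ -r "$f" ] || continue
        dev="${f%/use_tempaddr}"; dev="${dev##*/}"
        val="$(cat "$f")"
        case "$val" in
            0) meaning="disabled: SLAAC/EUI-64 or stable address only" ;;
            1) meaning="temporary addresses generated but not preferred" ;;
            2) meaning="temporary addresses generated and preferred" ;;
            *) meaning="unexpected value" ;;
        esac
        printf '%s\t%s\t%s\n' "$dev" "$val" "$meaning"
    done
    return 0
}

# Real interfaces (the 'all' and 'default' pseudo-entries excluded) whose
# effective setting still enables RFC 4941 temporary addresses.
devices_with_tempaddr() {
    audit_use_tempaddr "${1:-}" |
        awk -F'\t' '$1 != "all" && $1 != "default" && $2 != "0" { print $1 }'
}

# Stand-alone use: print the audit table for the running system.
audit_use_tempaddr "${1:-}"
```

On a server that needs deterministic addresses, a non-empty result from devices_with_tempaddr is what to act on, regardless of what the 'all' entry says.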

