GNOME Bugzilla – Bug 721200
Provide global configuration for IPv6 Privacy Extensions
Last modified: 2015-06-05 12:34:34 UTC
When creating a new connection which does not explicitly set the privacy extensions, the configuration value is left unset. This effectively means that privacy extensions are disabled. To protect myself, I now need to remember to enable privacy extensions for each and every connection, which is especially annoying for WiFi connections, where new connections are added regularly. It should be possible to globally configure this, so that I can decide once and for all that I want the privacy extensions to be enabled for all connections. It would be even better if the default of that global value was "privacy enabled" ;-)
Has any progress happened with this issue? Earlier today I moved from wicd to NetworkManager and wondered why IPv6 Privacy Extensions were disabled by default after connecting to my primary WLAN network. I also tried connecting to the guest network and saw the same thing. I also failed to find any kind of global switch for enabling privacy extensions, which is what this issue is about. I then wondered if it was just me or Antergos, so I asked on both support channels on IRC, and on #archlinux I was advised to report an upstream bug, and I found this issue. IPv6 Privacy Extensions were made so people cannot be tracked by the MAC address, which is visible in the IPv6 address without privacy extensions, so I believe **this bug is quite serious**.
Created attachment 301747: libnm/doc: document behavior of setting ip6-privacy in /etc/sysctl.conf
Created attachment 301748: device: add global configuration parameter for ip6-privacy (use_tempaddr, RFC4941)
how about https://bugzilla.gnome.org/show_bug.cgi?id=695383#c4 ?
Pushed the patches from comment 2 and comment 3 to branch "th/default-ip6-privacy-bgo721200". Added a 3rd patch that reworks patch #2 heavily. If we agree on that third patch, it would be squashed with the 2nd.
Comment 3 looks good to me and I think it's what is being asked. Ability to have default option which is used when the network specific value is default. On sysctl, I think that it's not working correctly as it's either ignoring everything in /etc/sysctl.d or not understanding interfaces named eno1 and wlo1. I hope I am wrong about this, but to me it appears that by default there are no privacy extensions. My /etc/sysctl.d/60-mikaela.conf includes net.ipv6.conf.eno1.use_tempaddr=2 and net.ipv6.conf.wlo1.use_tempaddr=2 where 2 should mean using privacy extensions and preferring them over the SLAAC address.
(In reply to Mikaela Suomalainen from comment #6)
> Comment 3 looks good to me and I think it's what is being asked. Ability to
> have default option which is used when the network specific value is default.
>
> On sysctl, I think that it's not working correctly as it's either ignoring
> everything in /etc/sysctl.d or not understanding interfaces named eno1 and
> wlo1. I hope I am wrong about this, but to me it appears that by default
> there are no privacy extensions.

NM only looks into /etc/sysctl.conf and /lib/sysctl.d/sysctl.conf for a "net.ipv6.conf.default.use_tempaddr". If such a key exists, it always takes precedence. Other sysctl values/files are ignored.

> My /etc/sysctl.d/60-mikaela.conf includes net.ipv6.conf.eno1.use_tempaddr=2
> and net.ipv6.conf.wlo1.use_tempaddr=2 where 2 should mean using privacy
> extensions and preferring them over the SLAAC address.

This file and these keys are ignored by NM.
> NM only looks into /etc/sysctl.conf and /lib/sysctl.d/sysctl.conf for a "net.ipv6.conf.default.use_tempaddr"

Thanks, I wasn't aware of this option.

> This file and these keys are ignored by NM.

And this seems like a bug to me, at least ignoring the file, as if I have understood correctly, you aren't supposed to edit /etc/sysctl.conf, but leave it for the distribution or packages to manage (or why does sysctl.d exist?).
(In reply to Mikaela Suomalainen from comment #8)
> > NM only looks into /etc/sysctl.conf and /lib/sysctl.d/sysctl.conf for a "net.ipv6.conf.default.use_tempaddr"
>
> Thanks, I wasn't aware of this option.
>
> > This file and these keys are ignored by NM.
>
> And this seems like a bug to me, at least ignoring the file, as if I have
> understood correctly, you aren't supposed to edit /etc/sysctl.conf, but
> leave it for the distribution or packages to manage (or why does sysctl.d
> exist?).

I think we look at /etc/sysctl.conf and /lib/sysctl.d/sysctl.conf for legacy reasons. We don't fully parse all related options (net.ipv6.conf.eno1.use_tempaddr) or files (/etc/sysctl.d/60-mikaela.conf). Maybe that should be improved to parse sysctl better, but it would be a change in behavior. Also, IMO sysctl is not our preferred way to configure this option.
> Maybe that should be improved to parse sysctl better, but it would be a change in behavior. Also, IMO sysctl is not our preferred way to configure this option.

What is your preferred way? If I understood correctly, you are currently disabling privacy extensions globally, which is a bad thing, and require the user to enable them on a per-network basis. This issue has also been open since 2013, so I don't think this is the current preferred way either.
In my opinion (only): The preferred way is from comment 5: http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=th/default-ip6-privacy-bgo721200&id=5782b678748ef589a22fdd57ab13f27d8cc74180

- still interpret sysctl files as we used to (not to change behavior).
- then prefer the per-connection setting
- as last option, have a global configuration option ("default-setting-ipv4.ip6-privacy") if the per-connection value is -1.
Ok, I redid the scheme with a default-configuration in NetworkManager.conf. Let's put this on hold, until that is resolved so that we have a best-practice how to specify default configuration values. https://bugzilla.gnome.org/show_bug.cgi?id=695383#c5
Ok, 3rd attempt. Rebased on top of th/connection-defaults-bgo695383 (bug 695383)
merged to master as: http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=18ecf48d7a9d03194db1b65ef46e386284426f89

Now, if you leave the connection setting ipv6.ip6-privacy=-1, we fall back to the setting from NetworkManager.conf:

[connection]
ipv6.ip6-privacy=

If that setting is also missing, we read /proc/sys/net/ipv6/conf/default/use_tempaddr

We no longer read /etc/sysctl.conf and /lib/sysctl.d/sysctl.conf, so this is a change in behavior.
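The lookup order stated in the final comment (per-connection value, then the `[connection]` section of NetworkManager.conf, then the kernel's `default/use_tempaddr`), modelled as a small POSIX shell function so the precedence can be checked against fixture files. This is an added example and not NetworkManager's own code. It assumes that an empty `ipv6.ip6-privacy=` line counts as "missing", that the kernel's compiled-in `use_tempaddr` default is 0 when nothing is readable, and the fixture file names (`nm-global.conf`, `nm-empty.conf`, `use_tempaddr`) are constructed for the demo. The value meanings follow nm-settings: -1 unknown, 0 disabled, 1 enabled (prefer public address), 2 enabled (prefer temporary address).

```shell
#!/bin/sh
# Added example, not NetworkManager code: a shell model of the ip6-privacy
# lookup order described in the final comment, run against constructed files.
#
# Order: per-connection ipv6.ip6-privacy (if not -1)
#     -> [connection] ipv6.ip6-privacy= in NetworkManager.conf
#     -> /proc/sys/net/ipv6/conf/default/use_tempaddr
# Values: -1 unknown, 0 disabled, 1 enabled (prefer public),
#         2 enabled (prefer temporary).

# resolve_ip6_privacy CONN_VALUE NM_CONF PROC_DEFAULT
#   NM_CONF and PROC_DEFAULT are paths, so the function can be pointed at the
#   real files (/etc/NetworkManager/NetworkManager.conf and
#   /proc/sys/net/ipv6/conf/default/use_tempaddr) or at test fixtures.
resolve_ip6_privacy() {
    conn="$1"; nmconf="$2"; procdef="$3"

    # 1. An explicit per-connection value always wins.
    if [ "$conn" != "-1" ]; then
        printf '%s\n' "$conn"
        return 0
    fi

    # 2. Global default: ipv6.ip6-privacy= inside the [connection] section.
    #    An empty value is treated as missing (assumption).
    if [ -r "$nmconf" ]; then
        v=$(awk -F= '
            /^[[:space:]]*[#;]/ { next }                       # comment line
            /^[[:space:]]*\[/ {                                # section header
                in_conn = ($0 ~ /^[[:space:]]*\[connection\][[:space:]]*$/)
                next
            }
            in_conn && $1 ~ /^[[:space:]]*ipv6\.ip6-privacy[[:space:]]*$/ {
                val = $2; gsub(/[[:space:]]/, "", val)
            }
            END { print val }' "$nmconf")
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    fi

    # 3. Kernel-wide default applied to new interfaces.
    if [ -r "$procdef" ]; then
        v=$(head -n 1 "$procdef" | tr -d '[:space:]')
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    fi

    # Nothing readable: the kernel's compiled-in use_tempaddr default is 0
    # (assumption about the fallback, the comment does not cover this case).
    printf '0\n'
}

# Constructed fixtures standing in for the real files; prints the directory.
make_fixtures() {
    dir=$(mktemp -d)
    printf '[main]\nplugins=keyfile\n\n[connection]\n# prefer temporary addresses on every connection\nipv6.ip6-privacy=2\n' > "$dir/nm-global.conf"
    printf '[main]\nplugins=keyfile\n\n[connection]\nipv6.ip6-privacy=\n' > "$dir/nm-empty.conf"
    printf '0\n' > "$dir/use_tempaddr"
    printf '%s\n' "$dir"
}

# Demo run against the fixtures.
fx=$(make_fixtures)
echo "explicit 1, global 2, kernel 0 -> $(resolve_ip6_privacy  1 "$fx/nm-global.conf" "$fx/use_tempaddr")"   # 1
echo "unset,      global 2, kernel 0 -> $(resolve_ip6_privacy -1 "$fx/nm-global.conf" "$fx/use_tempaddr")"   # 2
echo "unset,      global '', kernel 0 -> $(resolve_ip6_privacy -1 "$fx/nm-empty.conf"  "$fx/use_tempaddr")"  # 0
echo "unset,      no conf,  kernel 0 -> $(resolve_ip6_privacy -1 "$fx/missing.conf"   "$fx/use_tempaddr")"   # 0
rm -rf "$fx"
```

The practical check this models: with `ipv6.ip6-privacy=-1` on every connection and no `[connection]` default in NetworkManager.conf, the effective setting is whatever `/proc/sys/net/ipv6/conf/default/use_tempaddr` says, which on a stock kernel is 0 (privacy extensions off). Setting `ipv6.ip6-privacy=2` under `[connection]` is the single global switch this bug asked for; a per-interface `net.ipv6.conf.wlo1.use_tempaddr` line in `/etc/sysctl.d/` plays no part in the order above.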