Men and Mice Suite

Symptom:

By default, the Ubuntu Linux network stack for IPv6 configures only static IPv6 addresses built from the network prefix and the hardware address (MAC address) of the network card.

Problem:

These IPv6 addresses are stable and will not change over time as long as the network card is not replaced. This can lead to privacy issues, as the static IPv6 address can be tracked by outside parties (external websites).

Solution:

The IPv6 standards define an algorithm to generate temporary random IPv6 addresses that are less traceable over time. This is documented in RFC 4941 "Privacy Extensions for Stateless Address Autoconfiguration in IPv6".

In Ubuntu Linux, privacy extensions for IPv6 are disabled by default. To enable them, edit the file "/etc/sysctl.conf" (as superuser "root"; create the file if it does not exist) and add one line per network card that is using IPv6 (here 'eth0'):
net.ipv6.conf.eth0.use_tempaddr=2
To activate this new setting, execute:
sudo sysctl net.ipv6.conf.eth0.use_tempaddr=2
sudo /etc/init.d/networking restart
After this step (or on the next reboot), you should see new IPv6 addresses bound to your IPv6-enabled network interfaces, made up of your IPv6 network prefixes and a random host part (the privacy addresses are the two below whose host part is 9f:fc3d:176f:ad9a: one for the public prefix 2001:db8:100/64 and one for the unique local (ULA) prefix fd34:2e7e:5a30/64):

user@box:~ $ ifconfig
eth0      Link encap:Ethernet  HWaddr c8:0a:a9:6a:72:91
          inet addr:192.168.1.35  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd34:2e7e:5a30:0:9f:fc3d:176f:ad9a/64 Scope:Global
          inet6 addr: 2001:db8:100:0:9f:fc3d:176f:ad9a/64 Scope:Global
          inet6 addr: fd34:2e7e:5a30:0:ca0a:a9ff:fe6a:7291/64 Scope:Global
          inet6 addr: 2001:db8:100:0:ca0a:a9ff:fe6a:7291/64 Scope:Global
          inet6 addr: fe80::ca0a:a9ff:fe6a:7291/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:358 errors:0 dropped:0 overruns:0 frame:0
          TX packets:386 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:214309 (214.3 KB)  TX bytes:52597 (52.5 KB)
          Interrupt:42           
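
A check for the result shown above, as an added example that is not part of the original article: it recomputes the MAC-derived (modified EUI-64) host part and reports any prefix on which every address still exposes the MAC. The function names are assumptions; the MAC and the addresses are copied from the ifconfig output above.

```python
import ipaddress

# Values copied from the ifconfig output above.
MAC = "c8:0a:a9:6a:72:91"
ADDRESSES = [
    "fd34:2e7e:5a30:0:9f:fc3d:176f:ad9a/64",
    "2001:db8:100:0:9f:fc3d:176f:ad9a/64",
    "fd34:2e7e:5a30:0:ca0a:a9ff:fe6a:7291/64",
    "2001:db8:100:0:ca0a:a9ff:fe6a:7291/64",
    "fe80::ca0a:a9ff:fe6a:7291/64",
]

def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291) for a 48-bit MAC."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets[0] ^= 0x02  # invert the universal/local bit
    # Insert ff:fe between the vendor half and the device half of the MAC.
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")

def is_mac_derived(address, mac):
    """True if the lower 64 bits of the address are the MAC's EUI-64 identifier."""
    iface = ipaddress.IPv6Interface(address)
    return int(iface.ip) & (2**64 - 1) == eui64_interface_id(mac)

def prefixes_without_private_address(addresses, mac):
    """Non-link-local prefixes on which every configured address embeds the MAC.

    An address that is not MAC-derived may be an RFC 4941 temporary address or
    a manually assigned one; this check only proves the MAC is not embedded.
    """
    has_private = {}
    for address in addresses:
        iface = ipaddress.IPv6Interface(address)
        if iface.ip.is_link_local:
            continue  # fe80::/10 never leaves the local link
        prefix = str(iface.network)
        private = not is_mac_derived(address, mac)
        has_private[prefix] = has_private.get(prefix, False) or private
    return sorted(p for p, ok in has_private.items() if not ok)

if __name__ == "__main__":
    for addr in ADDRESSES:
        kind = "MAC-derived" if is_mac_derived(addr, MAC) else "not MAC-derived"
        print(f"{addr:45} {kind}")
    print("prefixes still exposing only the MAC:",
          prefixes_without_private_address(ADDRESSES, MAC) or "none")
```
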

What about 'net.ipv6.conf.default.use_tempaddr' and 'net.ipv6.conf.all.use_tempaddr'?

The system configuration key 'net.ipv6.conf.default.use_tempaddr' is used for all new network interfaces that are attached to the system AFTER this setting has been changed. If this setting is written from the file '/etc/sysctl.conf', it works for network cards that will be attached after the initial boot process (USB network cards or SD-IO and PC-CARD network interfaces). In modern Linux systems the '/etc/sysctl.conf' file will be read and applied only after the built-in network cards have been initialized. It is possible to change this setting in the start script of the initial ramdisk 'initrd', but that requires fiddling with the boot process and is not recommended for production machines (it will probably break or be overwritten during an update).

The setting 'net.ipv6.conf.all.use_tempaddr' is supposed to propagate its value to all interfaces currently attached, but this does not work. There are two bug entries in the Linux kernel bug-tracking system for this issue:
https://bugzilla.kernel.org/show_bug.cgi?id=11655
https://bugzilla.kernel.org/show_bug.cgi?id=9224