tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Enabling SLAAC for IPv6 by default
Hi
On 24/09/2018 23:33, Pierre Pronchery wrote:
Hi tech-net@,
during my talk yesterday at EuroBSDCon 2018
(https://2018.eurobsdcon.org/talks-speakers/#PierrePronchery) I
mentioned the SLAAC privacy extensions for IPv6 (RFC 4941). They help
maintain privacy on the Internet when using IPv6, by using a random
address when auto-configuring IPv6 addresses (ie with "ip6mode=autohost"
set in /etc/rc.conf).
This is obviously a big concern, and SLAAC has been enabled by default
in most commercial Operating Systems with support for IPv6 for a while:
- Windows since XP SP1,
- macOS since 10.7,
- iOS since 4.3,
- Android since 4.0,
- And in "some Linux distributions" as well.
(source: https://en.wikipedia.org/wiki/IPv6#SLAAC_privacy_extensions)
It is apparently implemented in the major BSDs, including us. However it
is not enabled by default in NetBSD nor FreeBSD, and from what I can
tell while skimming the sources, not in OpenBSD either. The
corresponding sysctls in NetBSD are "net.inet6.ip6.use_tempaddr" and
"net.inet6.ip6.prefer_tempaddr" by the way.
RFC 4941 Section 3.6:
https://tools.ietf.org/html/rfc4941#section-3.6
The use of temporary addresses may cause unexpected difficulties with
some applications. As described below, some servers refuse to accept
communications from clients for which they cannot map the IP address
into a DNS name. In addition, some applications may not behave
robustly if temporary addresses are used and an address expires
before the application has terminated, or if it opens multiple
sessions, but expects them to all use the same addresses.
Consequently, the use of temporary addresses SHOULD be disabled by
default in order to minimize potential disruptions. Individual
applications, which have specific knowledge about the normal duration
of connections, MAY override this as appropriate.
Roy
Home |
Main Index |
Thread Index |
Old Index