[Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
Neil Wilson
neil at aldur.co.uk
Mon Apr 1 06:32:15 UTC 2013
No, the IPv6 system prefers privacy addresses over standard addresses if not
explicitly told otherwise.

Server *userspace software* should tell the system explicitly what it wants
to do so that clients can connect to it.

The problem is with the userspace software, not the IPv6 configuration. It
should be selecting addresses that it requires. Much outbound server
software can benefit from privacy addresses and your solution denies them
that option because of faulty binding in the userspace software.

So I disagree. The problem is userspace software not using the 'hint' IOCTL
in IPv6 address binding to tell the operating system what type of addresses
it requires.

In other words IPv4 thinking in an IPv6 world.

On 31 March 2013 23:26, Tim Heckman <1068756 at bugs.launchpad.net> wrote:
> I don't think you are correct. Here's why: the comments in the file
> mentioned in my original bug report (of which I actually included the
> full contents of the file) state the following:
>
> '2 - prefer privacy addresses and use them over the normal addresses.'
>
> Heavy emphasis on the word prefer. These addresses will be preferred for
> *ALL* IPv6 traffic. This means that for all outbound IPv6 traffic,
> unless explicitly bound, it will use the privacy extension address.
> Which is correct, this is what software *should* do. In addition to
> that, addresses brought up with privacy extension enabled are global
> addresses. So even if said software were to bring use the 'global'
> address they would get the privacy extension address as it is preferred.
> The kernel is working right, the software is working right, the bug is
> that the server image has this enabled by default.
>
> So in short, you're absolutely wrong. The server image should not have
> this enabled, and the software that is communicating over IPv6 is doing
> *exactly* what it should. It's using the preferred IPv6 address.
>
> I'm okay with this being enabled for desktops, but it has *no* place in
> server environments.
>
> -Tim
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1068756
>
> Title:
> IPv6 Privacy Extensions enabled on Ubuntu Server by default
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1068756/+subscriptions
>
--
Neil Wilson
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1068756
Title:
IPv6 Privacy Extensions enabled on Ubuntu Server by default
Status in “procps” package in Ubuntu:
Confirmed
Bug description:
Ubuntu 12.04 LTS and Ubuntu 12.10 server images both ship with the
IPv6 Privacy Extensions enabled (as defined in RFC 4941[0]). Not only
are they enabled, but these addresses are preferred over addresses
obtained using SLAAC. While it may be considered a reasonable default
on an image being used on a personal computer, it's not something that
is sane to have enabled by default in a server environment. Having
this extension enabled can wreak havoc if you are expecting a specific
IPv6 address when you know the MAC addresses of your systems
beforehand.
The file that is responsible for causing this to be defaulted to
enabled is: "/etc/sysctl.d/10-ipv6-privacy.conf". This file appears to
be part of the procps package (as per the output of 'dpkg -S') and
contains the following:

# IPv6 Privacy Extensions (RFC 4941)
# ---
# IPv6 typically uses a device's MAC address when choosing an IPv6 address
# to use in autoconfiguration. Privacy extensions allow using a randomly
# generated IPv6 address, which increases privacy.
#
# Acceptable values:
# 0 - don’t use privacy extensions.
# 1 - generate privacy addresses
# 2 - prefer privacy addresses and use them over the normal addresses.
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

In short, IPv6 privacy extensions should not be enabled by default
when deploying an Ubuntu server image. In a server environment you
should be able to reliably determine your IPv6 address based on the
MAC address of the system.
Thank you for taking the time to look into this as well as consider
changing the default behavior of Ubuntu server.
-Tim Heckman
[0] http://tools.ietf.org/html/rfc4941
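
Added example, not part of the original email or the bug report: a Python sketch of the check the bug description implies, reading the use_tempaddr values out of a sysctl fragment and telling the MAC-derived (modified EUI-64) SLAAC address apart from other addresses in the same prefix. The function names, the MAC, the 2001:db8:1:2::/64 prefix and the sample addresses are constructed for illustration.

```python
import ipaddress

# Settings from /etc/sysctl.d/10-ipv6-privacy.conf as quoted in the bug report.
SAMPLE_CONF = """\
# 2 - prefer privacy addresses and use them over the normal addresses.
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
"""

def parse_use_tempaddr(text):
    """Return {scope: value} for net.ipv6.conf.<scope>.use_tempaddr lines.
    Only dot-separated keys with a single-component scope are handled."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        parts = key.strip().split(".")
        if (sep and len(parts) == 5 and parts[:3] == ["net", "ipv6", "conf"]
                and parts[4] == "use_tempaddr"):
            found[parts[3]] = int(value.strip())
    return found

def eui64_address(prefix, mac):
    """Address SLAAC derives from a MAC: flip the universal/local bit of the
    first octet and insert ff:fe between the two halves of the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("modified EUI-64 needs a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return net[int.from_bytes(iid, "big")]

def classify(addresses, prefix, mac):
    """Label each address: mac-derived, not-mac-derived (same prefix, for
    example an RFC 4941 temporary address), or outside-prefix."""
    net = ipaddress.IPv6Network(prefix)
    expected = eui64_address(prefix, mac)
    labels = {}
    for text in addresses:
        addr = ipaddress.IPv6Address(text)
        if addr == expected:
            labels[text] = "mac-derived"
        else:
            labels[text] = "not-mac-derived" if addr in net else "outside-prefix"
    return labels
```
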