[Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default

Neil Wilson neil at aldur.co.uk
Fri May 17 06:13:09 UTC 2013


From 'include/linux/in6.h'


/* RFC5014: Source address selection */
#define IPV6_ADDR_PREFERENCES   72

#define IPV6_PREFER_SRC_TMP             0x0001
#define IPV6_PREFER_SRC_PUBLIC          0x0002
#define IPV6_PREFER_SRC_PUBTMP_DEFAULT  0x0100
#define IPV6_PREFER_SRC_COA             0x0004
#define IPV6_PREFER_SRC_HOME            0x0400
#define IPV6_PREFER_SRC_CGA             0x0008
#define IPV6_PREFER_SRC_NONCGA          0x0800

so you need to call
setsockopt(socket, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, &value, sizeof(value)).

Where value=IPV6_PREFER_SRC_PUBLIC



On 16 May 2013 23:24, Jason Eggleston <jason at eggnet.com> wrote:
>
> I can confirm all of the security addresses by default are marked
> Global.  There is no application level workaround for this.
>
> $ ifconfig eth0 | awk '/inet6/ {print $1,$2,"ipv6addr",$4}'
> inet6 addr: ipv6addr Scope:Global
> inet6 addr: ipv6addr Scope:Global
> inet6 addr: ipv6addr Scope:Global
> inet6 addr: ipv6addr Scope:Link
> inet6 addr: ipv6addr Scope:Global
> inet6 addr: ipv6addr Scope:Global
> inet6 addr: ipv6addr Scope:Global
> inet6 addr: ipv6addr Scope:Global
> inet6 addr: ipv6addr Scope:Global
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1068756
>
> Title:
>   IPv6 Privacy Extensions enabled on Ubuntu Server by default
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1068756/+subscriptions



--
Neil Wilson

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1068756

Title:
  IPv6 Privacy Extensions enabled on Ubuntu Server by default

Status in “procps” package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 12.04 LTS and Ubuntu 12.10 server images both ship with the
  IPv6 Privacy Extensions enabled (as defined in RFC 4941[0]). Not only
  are they enabled, but these addresses are preferred over addresses
  obtained using SLAAC. While it may be considered a reasonable default
  on an image being used on a personal computer, it's not something that
  is sane to have enabled by default in a server environment. Having
  this extension enabled can wreak havoc if you are expecting a specific
  IPv6 address when you know the MAC addresses of your systems
  beforehand.

  The file that is responsible for causing this to be defaulted to
  enabled is: "/etc/sysctl.d/10-ipv6-privacy.conf". This file appears to
  be part of the procps package (as per the output of 'dpkg -S') and
  contains the following:

      # IPv6 Privacy Extensions (RFC 4941)
      # ---
      # IPv6 typically uses a device's MAC address when choosing an IPv6 address
      # to use in autoconfiguration. Privacy extensions allow using a randomly
      # generated IPv6 address, which increases privacy.
      #
      # Acceptable values:
      #    0 - don’t use privacy extensions.
      #    1 - generate privacy addresses
      #    2 - prefer privacy addresses and use them over the normal addresses.
      net.ipv6.conf.all.use_tempaddr = 2
      net.ipv6.conf.default.use_tempaddr = 2

  In short, IPv6 privacy extensions should not be enabled by default
  when deploying an Ubuntu server image. In a server environment you
  should be able to reliably determine your IPv6 address based on the
  MAC address of the system.

  Thank you for taking the time to look into this as well as consider
  changing the default behavior of Ubuntu server.

  -Tim Heckman

  [0] http://tools.ietf.org/html/rfc4941

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1068756/+subscriptions
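
The per-socket override mentioned in the reply above, written out as an added example (not code from the thread or from procps): it requests the public address on one socket even when use_tempaddr = 2 is in effect, then reads the preference back. The helper names are hypothetical; the constant values are the ones quoted from include/linux/in6.h in the message, defined here only if the libc headers omit them.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Values as quoted from include/linux/in6.h; libc headers may omit them. */
#ifndef IPV6_ADDR_PREFERENCES
#define IPV6_ADDR_PREFERENCES 72
#endif
#ifndef IPV6_PREFER_SRC_TMP
#define IPV6_PREFER_SRC_TMP 0x0001
#endif
#ifndef IPV6_PREFER_SRC_PUBLIC
#define IPV6_PREFER_SRC_PUBLIC 0x0002
#endif

/* Hypothetical helper: prefer the public (non-temporary) source address on
 * this socket. Returns 0 on success or a negative errno value. */
int prefer_public_source(int fd)
{
    int value = IPV6_PREFER_SRC_PUBLIC;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
                   &value, sizeof(value)) < 0)
        return -errno;
    return 0;
}

/* Hypothetical helper: read the preference flags back from the kernel.
 * Returns the flag word, or a negative errno value on failure. */
int get_source_preferences(int fd)
{
    int value = 0;
    socklen_t len = sizeof(value);
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, &value, &len) < 0)
        return -errno;
    return value;
}

int main(void)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    /* Set before connect(), which is when the source address is chosen. */
    int rc = prefer_public_source(fd);
    int flags = get_source_preferences(fd);
    printf("set rc=%d, public preferred: %s\n", rc,
           (flags >= 0 && (flags & IPV6_PREFER_SRC_PUBLIC)) ? "yes" : "no");
    close(fd);
    return rc == 0 ? 0 : 1;
}
```

The preference applies only to the socket it is set on; the sysctl values in /etc/sysctl.d/10-ipv6-privacy.conf still decide the default for every other socket on the host.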



