Re: Enabling SLAAC for IPv6 by default

[Roy Marples <roy%marples.name@localhost>]

Hi

On 24/09/2018 23:33, Pierre Pronchery wrote:
> 			Hi tech-net@,
>
> during my talk yesterday at EuroBSDCon 2018
> (https://2018.eurobsdcon.org/talks-speakers/#PierrePronchery) I
> mentioned the SLAAC privacy extensions for IPv6 (RFC 4941). They help
> maintain privacy on the Internet when using IPv6, by using a random
> address when auto-configuring IPv6 addresses (ie with "ip6mode=autohost"
> set in /etc/rc.conf).
>
> This is obviously a big concern, and SLAAC has been enabled by default
> in most commercial Operating Systems with support for IPv6 for a while:
> - Windows since XP SP1,
> - macOS since 10.7,
> - iOS since 4.3,
> - Android since 4.0,
> - And in "some Linux distributions" as well.
> (source: https://en.wikipedia.org/wiki/IPv6#SLAAC_privacy_extensions)
>
> It is apparently implemented in the major BSDs, including us. However it
> is not enabled by default in NetBSD nor FreeBSD, and from what I can
> tell while skimming the sources, not in OpenBSD either. The
> corresponding sysctls in NetBSD are "net.inet6.ip6.use_tempaddr" and
> "net.inet6.ip6.prefer_tempaddr" by the way.

RFC 4941 Section 3.6:
https://tools.ietf.org/html/rfc4941#section-3.6

   The use of temporary addresses may cause unexpected difficulties with
   some applications.  As described below, some servers refuse to accept
   communications from clients for which they cannot map the IP address
   into a DNS name.  In addition, some applications may not behave
   robustly if temporary addresses are used and an address expires
   before the application has terminated, or if it opens multiple
   sessions, but expects them to all use the same addresses.
   Consequently, the use of temporary addresses SHOULD be disabled by
   default in order to minimize potential disruptions.  Individual
   applications, which have specific knowledge about the normal duration
   of connections, MAY override this as appropriate.

Roy