tech-net archive


Re: Enabling SLAAC for IPv6 by default



Hi

On 24/09/2018 23:33, Pierre Pronchery wrote:
Hi tech-net@,

during my talk yesterday at EuroBSDCon 2018
(https://2018.eurobsdcon.org/talks-speakers/#PierrePronchery) I
mentioned the SLAAC privacy extensions for IPv6 (RFC 4941). They help
maintain privacy on the Internet when using IPv6, by using a random
address when auto-configuring IPv6 addresses (i.e. with "ip6mode=autohost"
set in /etc/rc.conf).

This is obviously a big concern, and SLAAC has been enabled by default
in most commercial Operating Systems with support for IPv6 for a while:
- Windows since XP SP1,
- macOS since 10.7,
- iOS since 4.3,
- Android since 4.0,
- And in "some Linux distributions" as well.
(source: https://en.wikipedia.org/wiki/IPv6#SLAAC_privacy_extensions)

It is apparently implemented in the major BSDs, including us. However it
is not enabled by default in NetBSD nor FreeBSD, and from what I can
tell while skimming the sources, not in OpenBSD either. The
corresponding sysctls in NetBSD are "net.inet6.ip6.use_tempaddr" and
"net.inet6.ip6.prefer_tempaddr" by the way.

RFC 4941 Section 3.6:
https://tools.ietf.org/html/rfc4941#section-3.6

   The use of temporary addresses may cause unexpected difficulties with
   some applications.  As described below, some servers refuse to accept
   communications from clients for which they cannot map the IP address
   into a DNS name.  In addition, some applications may not behave
   robustly if temporary addresses are used and an address expires
   before the application has terminated, or if it opens multiple
   sessions, but expects them to all use the same addresses.
   Consequently, the use of temporary addresses SHOULD be disabled by
   default in order to minimize potential disruptions.  Individual
   applications, which have specific knowledge about the normal duration
   of connections, MAY override this as appropriate.

Roy
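Added illustration (not code from this thread, from Pierre's talk, or from NetBSD's own implementation): Python that walks through the RFC 4941 section 3.2.1 temporary interface identifier derivation next to the stable modified-EUI-64 identifier, showing why a stable SLAAC address reveals the hardware address to every peer while a temporary one does not. The MAC, the prefix and the fixed history seed are constructed values chosen for reproducibility.

```python
import hashlib
import ipaddress

# Reserved interface identifiers (RFC 5453): the all-zero subnet-router anycast
# IID and fdff:ffff:ffff:ff80 .. fdff:ffff:ffff:ffff. RFC 4941 says to regenerate
# if the derived identifier lands on one of these.
def iid_is_reserved(iid: bytes) -> bool:
    value = int.from_bytes(iid, "big")
    return value == 0 or 0xFDFFFFFFFFFFFF80 <= value <= 0xFDFFFFFFFFFFFFFF

def modified_eui64(mac: str) -> bytes:
    """Stable SLAAC IID (RFC 4291): MAC with ff:fe inserted and the u/l bit flipped.
    The MAC survives verbatim inside the address; that is the privacy problem."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    assert len(octets) == 6
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def rfc4941_temporary_iid(history: bytes, stable_iid: bytes) -> tuple[bytes, bytes]:
    """RFC 4941 section 3.2.1: MD5(history || stable IID). Leftmost 64 bits with
    bit 6 cleared become the temporary IID; rightmost 64 bits become the next
    history value, which a real host stores and reuses for the next regeneration."""
    assert len(history) == 8 and len(stable_iid) == 8
    while True:
        digest = hashlib.md5(history + stable_iid).digest()
        iid = bytearray(digest[:8])
        iid[0] &= 0xFD          # u/l bit := 0, i.e. "not globally unique"
        history = digest[8:]
        if not iid_is_reserved(bytes(iid)):
            return bytes(iid), history

def address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    assert net.prefixlen == 64
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def embeds_mac(addr: ipaddress.IPv6Address, mac: str) -> bool:
    """Audit check: does this address still carry the MAC-derived identifier?"""
    return (int(addr) & 0xFFFFFFFFFFFFFFFF) == int.from_bytes(modified_eui64(mac), "big")

def demo(mac: str = "00:11:22:33:44:55", prefix: str = "2001:db8::/64"):
    """Return (stable address, temporary address) for a constructed MAC and prefix."""
    stable = modified_eui64(mac)
    # Constructed fixed seed so the output is reproducible; a real host seeds the
    # history value randomly (e.g. os.urandom(8)) on first use.
    history = bytes(range(8))
    temp_iid, history = rfc4941_temporary_iid(history, stable)
    return address(prefix, stable), address(prefix, temp_iid)
```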

