IPv6 temporary addresses on Workstations

Fedora currently does not enable IPv6 temporary addresses from IPv6 privacy extensions.

This is a usually desired feature on desktops, or any other type of user-machine OS. It is on, for example, on Android, iOS, macOS, Windows… and a few other distros like Ubuntu(?).
This is not a desired feature on servers, as servers are expected to have stable (A.K.A. static) addressing. You wouldn’t want to send a temporary address to DNS via DDNS, for example.

Temporary addresses mean that you get a different IPv6 address every 24 hours; this address is then always used for outbound connections, while a stable address will still be available. This reduces the ability of long-term tracking via addressing, especially in the case of stable IPv6 prefixes, which isn’t necessarily rare.

IPv6 temporary addresses aren’t the most advanced anti-tracking feature for IP addresses, but they are quite nice and overall prevent long-term tracking. It isn’t great to have a stable address that can be used to accurately track a single user/machine with that alone.

What do y’all think about this in the context of Workstation images (so anything with a desktop environment)? I think a lot of people aren’t even aware of this: they either think they’re using them or don’t know about their existence. This is not even easily toggleable with GNOME, you have to use the terminal, and with KDE you can, but you still might think it’d be on by default when it isn’t. Not everyone has IPv6 either.

3 Likes

A few projects downstream of Fedora end up enabling them, like brace and Secureblue.

1 Like

If anyone wants to test IPv6 privacy, here are ways to enable it globally:

  • Using NetworkManager:
sudo tee /etc/NetworkManager/conf.d/99-ipv6-privacy.conf << EOF > /dev/null
[connection]
ipv6.ip6-privacy=2
EOF
sudo systemctl restart NetworkManager.service

  • Using sysctl:
sudo tee /etc/sysctl.d/99-ipv6-privacy.conf << EOF > /dev/null
net.ipv6.conf.default.use_tempaddr=2
EOF
sudo systemctl restart systemd-sysctl.service
sudo systemctl restart NetworkManager.service

2 Likes
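After applying either method from the post above, you want to confirm that temporary addresses are actually being generated and preferred. The following script is an added example (not from the post or from Fedora) that classifies the global addresses in `ip -6 addr` output as stable or temporary and decodes the `use_tempaddr` sysctl values; the `ip` output embedded in it is constructed sample data, not a capture from a real host.

```shell
#!/bin/sh
# Verify IPv6 privacy extensions: classify global addresses as stable or
# temporary and explain the kernel's use_tempaddr setting.

# Constructed sample of `ip -6 addr show scope global` (documentation prefix
# 2001:db8::/32, not real hosts): one EUI-64-derived stable address and one
# temporary address. The kernel flags temporary addresses with the word
# "temporary" and the stable address they derive from with "mngtmpaddr".
SAMPLE='2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:1:a1b2:c3d4:e5f6:7890/64 scope global temporary dynamic
       valid_lft 86340sec preferred_lft 14340sec
    inet6 2001:db8:1234:1:1a2b:3cff:fe4d:5e6f/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86340sec preferred_lft 86340sec'

# count_addrs KIND: number of global inet6 addresses of KIND ("temporary" or
# "stable") in the `ip -6 addr` text read from stdin.
count_addrs() {
    awk -v kind="$1" '
        /inet6/ && /scope global/ {
            if ($0 ~ /temporary/) t++; else s++
        }
        END { print (kind == "temporary") ? t + 0 : s + 0 }'
}

# explain_tempaddr VALUE: meaning of net.ipv6.conf.<if>.use_tempaddr as
# documented by the kernel (<= 0 disable, 1 enable but prefer the stable
# address, >= 2 enable and prefer the temporary address for outbound traffic).
explain_tempaddr() {
    case "$1" in
        1)   echo "enabled, stable address preferred for outbound" ;;
        2|[3-9]*) echo "enabled, temporary address preferred for outbound" ;;
        *)   echo "disabled, only stable addresses" ;;
    esac
}

# privacy_status TEXT: "on" if TEXT contains at least one temporary global
# address, "off" otherwise.
privacy_status() {
    if [ "$(printf '%s\n' "$1" | count_addrs temporary)" -gt 0 ]; then
        echo on
    else
        echo off
    fi
}

# On a real host, feed live data instead of SAMPLE:
#   ip -6 addr show scope global | count_addrs temporary
#   explain_tempaddr "$(sysctl -n net.ipv6.conf.default.use_tempaddr)"
#   nmcli -g ipv6.ip6-privacy connection show "<profile>"   # -1 = inherit sysctl
```

A value of `on` with `use_tempaddr` reading 2 is what you expect after the post's configuration; `off` means the connection profile is overriding the default or the interface has not yet picked up the change.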

There are cases where changing IP(v6) addresses causes difficulty in (usually) larger organizations (and with some applications) due to the way they validate/register the system(s) on their network and the (remote) end user.

As long as there is a GUI (button) to enable/disable I don’t have a strong opinion either way as to the default (without a GUI to help people opt-out the default should not change).

This seems quite vague; what kind of system would result in this? Because it’d also break on any other operating system… It kind of seems poorly done anyway; using addresses to validate anything is very much a bad expectation. For identifying devices in networks people usually use MACs (and those are randomized on Android, for example), for websites, usually tokens… etc.

There is also an option in NetworkManager to change it per interface: ipv6.ip6-privacy
https://www.networkmanager.dev/docs/api/latest/nm-settings-nmcli.html

2 Likes