Support stable private IPv6 addresses #166

Closed
michaelbeaumont opened this issue Jan 23, 2019 · 4 comments

Comments

@michaelbeaumont

Aka RFC7217, supported for example in NetworkManager

@joukewitteveen
Owner

Could you give some more details? When would this be most useful? How should this be configured without any network manager? A quick search revealed that /proc/sys/net/ipv6/*/stable_secret is the meat of the implementation of the RFC.

@michaelbeaumont
Author

michaelbeaumont commented Jan 23, 2019

I'm not totally sure myself how it's managed or implemented, but it appears to be implemented in the kernel with addr_gen_mode.

I don't think NetworkManager does it this way, seeing as how my NetworkManager interfaces are set addr_gen_mode=1 and are nevertheless set using stable secret.

I'm not overly knowledgeable here, but can we just set sysctl net.ipv6.conf.<if>.addr_gen_mode=3 on the interface?

EDIT: Yes, we can, which of course means it's probably not something that needs to be handled at all by netctl 😁

@joukewitteveen
Owner

Sure, netctl could set addr_gen_mode. The question is when should it do so. What are the IP6= settings for which it makes sense? What additional parameters do we need/want (and document)?
I can already see many levels of randomized addresses:

  • random addresses (via use_tempaddr?)
  • stable random addresses (addr_gen_mode=3?)
  • stable random addresses with a controlled key (should netctl touch stable_secret?)

If any of these settings are to be exposed by netctl, they should be exposed using meaningful names and settings. Not via cryptic names and numeric constants.

All of this could also be controlled via stable sysctl settings, see for instance the Arch Wiki. This is not profile-specific, so there is a use case for these settings in netctl. Note, though, that stateless address privacy is meant to transcend profiles!

@michaelbeaumont
Author

I originally asked because I hadn't found addr_gen_mode and knew that NM was setting it some other way. But setting addr_gen_mode to 2/3 for the entire interface works fine for me. I.e. my use case is covered without needing to change netctl.
I think your last point is important: profile-specific settings are not the way to go 99% of the time.
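For readers unfamiliar with what RFC 7217 "stable private" addresses are, the following added example (not part of the original thread, and not kernel, NetworkManager or netctl code) derives an interface identifier as RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) and shows why the secret matters. Assumptions: F is HMAC-SHA256, the field encoding and all function names are illustrative, and the prefixes and secret are constructed, so the output will not match addresses the Linux kernel generates.

```python
import hashlib
import hmac
import ipaddress


def is_reserved_iid(iid: int) -> bool:
    # Reserved interface identifiers (RFC 5453): subnet-router anycast (all
    # zeros) and the range fdff:ffff:ffff:ff80 - fdff:ffff:ffff:ffff.
    return iid == 0 or 0xFDFFFFFFFFFFFF80 <= iid <= 0xFDFFFFFFFFFFFFFF


def stable_iid(prefix: ipaddress.IPv6Network, iface: str, secret: bytes,
               network_id: bytes = b"", dad_counter: int = 0) -> int:
    """RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key)."""
    # Assumption: F is HMAC-SHA256 keyed with the secret, and every field is
    # length-prefixed so that field boundaries are unambiguous.
    fields = [prefix.network_address.packed[:8], iface.encode(), network_id,
              dad_counter.to_bytes(4, "big")]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    rid = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(rid[-8:], "big")  # least-significant 64 bits


def stable_address(prefix: str, iface: str, secret: bytes,
                   network_id: bytes = b"") -> ipaddress.IPv6Address:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example assumes a /64 prefix")
    dad_counter = 0
    iid = stable_iid(net, iface, secret, network_id, dad_counter)
    while is_reserved_iid(iid):  # RFC 7217: retry with the next counter
        dad_counter += 1
        iid = stable_iid(net, iface, secret, network_id, dad_counter)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):         # constructed
        # Same interface and secret: stable within a prefix, different
        # identifier on each prefix, so the host is not trackable across them.
        print(prefix, stable_address(prefix, "eth0", secret))
```

The address stays the same on a given network for as long as the secret is unchanged, which is why a controlled `stable_secret` and a randomly chosen one behave differently across reinstalls.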
