Slaac’ing off on ipv6 privacy

IPv6. Yes its a thing, yes you want it, etc. But did you know it can add more tracking footprint to an already highly trackable world?

IPv6 is commonly allocated within a home environment using a protocol called SLAAC (stateless local address auto configuration). Its sort of a fancy way of picking an IP address that is not in use. Now, one of the methods of doing this is to use the MAC address of the Ethernet adapter and merge it into the lower bits of the IP. Great for simplicity, terrible for tracking. Because now not only are you not NAT'd to a single IP (cuz you are on IPv6), but you are handing every web site you go to your hardware address. Nice.

Turns out the grey-beards of the IETF thought about this, and invented a concept called privacy extensions (RFC 3041), with a nice commentary from the internet society on why.

OK, now imagine my surprise when I (for other reasons) checked my IPv6 connectivity today (goto http://ipv6-test.com/ to check yours) and found, horror, that my desktop was using SLAAC and no privacy extensions, and my MAC address was visible to the world.

So why was this? Its not this way on my android devices. To understand, we have to first look at how I configured it 'on'. I set these two sysctl:

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

Seems like it should have worked, right? However, looking at https://bugzilla.kernel.org/show_bug.cgi?id=11655, we can see the issue. My startup is parallel. My external interface (eno1) is created *before* the sysctl.d is parsed. And setting the sysctl doesn't go back and resolve it later.

So the solution is to add

net.ipv6.conf.eno1.use_tempaddr=2

and we are good!

Moral of the story.... 'all' doesn't always mean 'all'. I suggest you go do the test now. If you don't have ipv6 enabled, call your service provider and complain. Its 2017 (for a few more hours), you need some modern IP.

Leave a Reply

Your email address will not be published. Required fields are marked *

*