Closed
Open
Opened Jun 29, 2019 by Ghost User@ghost

[feature suggestion] enhance ipv6 privacy

Since it came up in the forum: https://forum.turris.cz/t/ipv6-best-practice-questions/10423/3

With RFC 4941 for DHCP and RFC 7217 for SLAAC, IPv6 privacy can be enhanced, though this is currently not the default (vanilla medkit).


RFC 7217 for SLAAC - net.ipv6.conf.default.stable_secret

Recommends that a stable secret be generated during device setup, e.g. something like head -c 16 /dev/urandom | xxd -p | sed "s/..../:&/g; s/://" (requires package xxd) could be utilized.

It would have to be generated and added to sysctl.d (perhaps applied with sysctl -w during setup) prior to any iface being set up, since 'default' does not apply to any iface already in existence.

net.ipv6.conf.all.stable_secret does not work.


RFC 4941 for DHCP

Acceptable values:
0 - don’t use privacy extensions.
1 - generate privacy addresses.
2 - prefer privacy addresses and use them over the normal addresses.

Probably should do for existing and added ifaces:

net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
Edited Jun 29, 2019 by Ghost User
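
The setup step described in the issue above, as an added example that is not part of the original post or of the Turris code base: it generates the secret once, keeps it across re-runs, and writes all three settings to one sysctl.d fragment. The file name 90-ipv6-privacy.conf and the function names are assumptions, and od replaces xxd so no extra package is needed.

```shell
#!/bin/sh
# Added example, not Turris code. File name and function names are assumptions.

# Print 128 random bits as eight colon-separated groups of four hex digits,
# the same layout the one-liner in the issue produces (od instead of xxd).
gen_stable_secret() {
    head -c 16 /dev/urandom | od -An -v -tx1 | tr -d ' \n' |
        sed 's/..../&:/g; s/:$//'
}

# Accept only eight groups of four lowercase hex digits.
is_valid_secret() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{4}:){7}[0-9a-f]{4}$'
}

# Write the fragment into directory $1 (default /etc/sysctl.d).
# A valid secret already in the file is reused, so a re-run (for example
# after a package upgrade) does not change the stable addresses.
write_privacy_conf() {
    dir=${1:-/etc/sysctl.d}
    conf="$dir/90-ipv6-privacy.conf"    # hypothetical file name
    key='net\.ipv6\.conf\.default\.stable_secret'
    secret=""
    if [ -f "$conf" ]; then
        secret=$(sed -n "s/^$key *= *//p" "$conf" | head -n 1)
    fi
    if ! is_valid_secret "$secret"; then
        secret=$(gen_stable_secret)
        is_valid_secret "$secret" || return 1
    fi
    old_umask=$(umask)
    umask 077                           # the file holds a secret: owner-only
    tmp="$conf.tmp.$$"
    {
        echo "net.ipv6.conf.default.stable_secret = $secret"
        echo "net.ipv6.conf.default.use_tempaddr = 2"
        echo "net.ipv6.conf.all.use_tempaddr = 2"
    } > "$tmp" && mv "$tmp" "$conf"     # replace atomically, never half-written
    rc=$?
    umask "$old_umask"
    return $rc
}
```

As the issue notes, the 'default' values only reach interfaces created afterwards, so write_privacy_conf has to run (and the fragment be loaded) before any interface is brought up.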
Reference: turris/turris-build#54