since it came up in the forum https://forum.turris.cz/t/ipv6-best-practice-questions/10423/3

With RFC 4941 for DHCP and RFC 7217 for SLAAC ipv6 privacy can be enhanced, which though currently is not the default (vanilla medkit).

RFC 7217 for SLAAC - net.ipv6.conf.default.stable_secret

recommends that a stable secret is to be generated during device set up, e.g. something like head -c 16 /dev/urandom | xxd -p | sed "s/..../:&/g; s/://" (requires package xxd) could be utilized.

It would have to be generated and added to sysctl.d (perhaps applied with sysctl -w during setup) prior any iface is setup since 'default' does not apply to any iface already in existence.

net.ipv6.conf.all.stable_secret does not work.

RFC 4941 for DHCP

Acceptable values:
0 - don’t use privacy extensions.
1 - generate privacy addresses
2 - prefer privacy addresses and use them over the normal addresses.

Probably should do for existing and added ifaces

net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2