iwd.lists.linux.dev archive mirror
* IPv6 Privacy Extension support?
@ 2024-03-01 14:46 Hannes von Haugwitz
  2024-03-04 12:30 ` James Prestwood
  0 siblings, 1 reply; 5+ messages in thread
From: Hannes von Haugwitz @ 2024-03-01 14:46 UTC (permalink / raw)
  To: iwd

Hello,

I'm running Debian sid and iwd 2.15.

When I enable network configuration and IPv6 in iwd config, the IPv6
address contains the embedded interface identifier (i.e. the MAC
address), even though IPv6 Privacy Extension is enabled for the device
(net.ipv6.conf.wlan0.use_tempaddr = 2).

Am I missing something or is there no support for IPv6 Privacy Extension
in iwd?

Best regards

Hannes
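
A way to check the symptom described in the message above, given here as an added example that is not part of the original post or of iwd: it tests whether an IPv6 address carries a modified EUI-64 interface identifier and recovers the MAC address embedded in it. The function names and the sample addresses (documentation prefix 2001:db8::/32, documentation MAC range) are constructed for illustration.

```python
import ipaddress

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface identifier,
    or None if the low 64 bits do not have that layout."""
    # Accept "addr/prefixlen" and "addr%zone" as printed by `ip -6 addr`.
    ip = ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])
    iid = ip.packed[8:]                      # low 64 bits: interface identifier
    if iid[3:5] != b"\xff\xfe":              # EUI-64 inserts ff:fe mid-MAC
        return None                          # (a random IID matches 1 in 65536)
    # Undo the universal/local bit flip applied to the first MAC octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def locally_administered(mac):
    """True if the MAC has the locally-administered bit set, which is
    typical of a randomized (non-burned-in) address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(addresses, iface_mac):
    """Classify each address relative to the interface's current MAC."""
    report = {}
    for addr in addresses:
        mac = eui64_mac(addr)
        if mac is None:
            report[addr] = "opaque"               # e.g. temporary address
        elif mac == iface_mac.lower():
            report[addr] = "embeds-interface-mac"
        else:
            report[addr] = "embeds-other-mac"
    return report

# Constructed sample data, not taken from the thread.
SAMPLE_MAC = "00:00:5e:00:53:01"
SAMPLE_ADDRS = [
    "2001:db8:1:2:200:5eff:fe00:5301/64",   # SLAAC address built from the MAC
    "2001:db8:1:2:9c4e:3a71:d2b8:64f0/64",  # random-looking identifier
    "fe80::200:5eff:fe00:5301%wlan0",       # link-local built from the MAC
    "2001:db8:1:2:412:34ff:fe56:789a/64",   # built from a different MAC
]

if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE_ADDRS, SAMPLE_MAC).items():
        print(f"{verdict:22} {addr}")
```

The last sample address embeds 06:12:34:56:78:9a, a locally administered MAC: an identifier derived from a per-network randomized MAC hides the hardware address but stays the same for as long as that MAC is in use.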


* Re: IPv6 Privacy Extension support?
  2024-03-01 14:46 IPv6 Privacy Extension support? Hannes von Haugwitz
@ 2024-03-04 12:30 ` James Prestwood
  2024-03-04 19:32   ` Hannes von Haugwitz
  0 siblings, 1 reply; 5+ messages in thread
From: James Prestwood @ 2024-03-04 12:30 UTC (permalink / raw)
  To: Hannes von Haugwitz, iwd

Hi Hannes,

On 3/1/24 6:46 AM, Hannes von Haugwitz wrote:
> Hello,
>
> I'm running Debian sid and iwd 2.15.
>
> When I enable network configuration and IPv6 in iwd config, the IPv6
> address contains the embedded interface identifier (i.e. the MAC
> address), even though IPv6 Privacy Extension is enabled for the device
> (net.ipv6.conf.wlan0.use_tempaddr = 2).
>
> Am I missing something or is there no support for IPv6 Privacy Extension
> in iwd?

I'm not familiar with the privacy extensions specifically, but you can 
enable MAC address randomization which should hide the MAC for you. You 
can check the man pages for more details but in main.conf something like:

[Settings]
AddressRandomization=network
>
> Best regards
>
> Hannes
>


* Re: IPv6 Privacy Extension support?
  2024-03-04 12:30 ` James Prestwood
@ 2024-03-04 19:32   ` Hannes von Haugwitz
  2024-03-04 21:40     ` Grant Erickson
  0 siblings, 1 reply; 5+ messages in thread
From: Hannes von Haugwitz @ 2024-03-04 19:32 UTC (permalink / raw)
  To: James Prestwood; +Cc: iwd

Hi,

On Mon, Mar 04, 2024 at 04:30:27AM -0800, James Prestwood wrote:
> I'm not familiar with the privacy extensions specifically, but you can
> enable MAC address randomization which should hide the MAC for you. You can
> check the man pages for more details but in main.conf something like:
> 
> [Settings]
> AddressRandomization=network

MAC address randomization hides the physical MAC address but does not
prevent device tracking (within the same network). With privacy extension
enabled, the IPv6 address is randomly regenerated every few hours.

For more details see [RFC_4941].

Best regards

Hannes

[RFC_4941] https://www.rfc-editor.org/rfc/rfc4941


* Re: IPv6 Privacy Extension support?
  2024-03-04 19:32   ` Hannes von Haugwitz
@ 2024-03-04 21:40     ` Grant Erickson
  2024-03-06 12:19       ` James Prestwood
  0 siblings, 1 reply; 5+ messages in thread
From: Grant Erickson @ 2024-03-04 21:40 UTC (permalink / raw)
  To: James Prestwood; +Cc: Hannes von Haugwitz, iwd

On Mar 4, 2024, at 11:32 AM, Hannes von Haugwitz <hannes@vonhaugwitz.com> wrote:
> On Mon, Mar 04, 2024 at 04:30:27AM -0800, James Prestwood wrote:
>> I'm not familiar with the privacy extensions specifically, but you can
>> enable MAC address randomization which should hide the MAC for you. You can
>> check the man pages for more details but in main.conf something like:
>> 
>> [Settings]
>> AddressRandomization=network
> 
> MAC address randomization hides the physical MAC address but does not
> prevent device tracking (within the same network). With privacy extension
> enabled, the IPv6 address is randomly regenerated every few hours.
> 
> For more details see [RFC_4941].
> 
> Best regards
> 
> Hannes

James:

I believe it’s handled in connman with these APIs:

    https://git.kernel.org/pub/scm/network/connman/connman.git/tree/src/ipconfig.c#n528

with the Linux kernel “use_tempaddr” sysctl setting. I assume iwd would have to replicate this infrastructure, or pull it into ELL and share it that way.

Best,

Grant

-- 
Principal
Nuovations

gerickson@nuovations.com
http://www.nuovations.com/



* Re: IPv6 Privacy Extension support?
  2024-03-04 21:40     ` Grant Erickson
@ 2024-03-06 12:19       ` James Prestwood
  0 siblings, 0 replies; 5+ messages in thread
From: James Prestwood @ 2024-03-06 12:19 UTC (permalink / raw)
  To: Grant Erickson; +Cc: Hannes von Haugwitz, iwd

Hi,

On 3/4/24 1:40 PM, Grant Erickson wrote:
> On Mar 4, 2024, at 11:32 AM, Hannes von Haugwitz <hannes@vonhaugwitz.com> wrote:
>> On Mon, Mar 04, 2024 at 04:30:27AM -0800, James Prestwood wrote:
>>> I'm not familiar with the privacy extensions specifically, but you can
>>> enable MAC address randomization which should hide the MAC for you. You can
>>> check the man pages for more details but in main.conf something like:
>>>
>>> [Settings]
>>> AddressRandomization=network
>> MAC address randomization hides the physical MAC address but does not
>> prevent device tracking (within the same network). With privacy extension
>> enabled, the IPv6 address is randomly regenerated every few hours.
>>
>> For more details see [RFC_4941].
>>
>> Best regards
>>
>> Hannes
> James:
>
> I believe it’s handled in connman with these APIs:
>
>      https://git.kernel.org/pub/scm/network/connman/connman.git/tree/src/ipconfig.c#n528
>
> with the Linux kernel “use_tempaddr” sysctl setting. I assume iwd would have to replicate this infrastructure, or pull it into ELL and share it that way.

Hmm, if this is all that's required then shouldn't this already work if 
Hannes is setting "use_tempaddr" externally to IWD? Of course having 
this within an IWD profile setting would be nice, but I think there must 
be more to it than this, right?

Thanks,

James

> Best,
>
> Grant
>

