User:Duxsco/IPv6 privacy extensions and stable-privacy addresses

From Gentoo Wiki
Note
This article is outdated. The systemd-networkd configuration, for example, isn't complete and is missing the "Token" and "IPv6LinkLocalAddressGenerationMode" settings. I will update the article when I have the time.

Introduction

The setup outlined in the following consists of a laptop with =net-wireless/iwd-2.3, =sys-apps/systemd-253.3-r1 and =sys-kernel/gentoo-kernel-6.1.27, with optional use of =net-misc/dhcpcd-9.4.1. Versions are mentioned explicitly, because a package's behaviour may change in newer versions. In each scenario, the configuration is tweaked and/or services are enabled or disabled so that IPv6 privacy extensions and/or stable-privacy IPv6 addresses are provided by one tool or the other, with the goal of preventing MAC address leakage. By default, the MAC address is embedded in the IPv6 address (modified EUI-64):

https://commons.wikimedia.org/wiki/File:Ipv6_eui64.svg (TODO: embed image and attribute correctly)

Thus, the MAC address 04:6c:59:3c:07:53 leads to the IPv6 address:

2003:f6:7708:8200:66c:59ff:fe3c:0753/64
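To check the derivation above mechanically, and to reproduce the "MAC address leaked?" verdicts given in the scenarios below, here is an added Python example (not part of the original page): it computes the modified EUI-64 interface identifier from a MAC and scans `ip a show dev <if>` output for addresses that embed it. The sample input is the Scenario 2 a) output from this page, trimmed to the relevant lines.

```python
import ipaddress
import re

# Output of "ip a show dev wlan0" from Scenario 2 a) of this page, used as sample input.
SAMPLE_SCENARIO_2A = """\
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet6 2003:f6:7708:8200:66c:59ff:fe3c:0753/128 scope global dynamic noprefixroute
    inet6 fe80::12d:cdb1:6b26:a844/64 scope link stable-privacy
"""

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, appendix A): split the
    48-bit MAC in the middle, insert ff:fe, and flip the universal/local bit
    of the first octet (04 -> 06 for the MAC used on this page)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def embeds_mac(addr: str, mac: str) -> bool:
    """True when the low 64 bits of addr are the modified EUI-64 of mac."""
    return ipaddress.IPv6Address(addr).packed[8:] == eui64_interface_id(mac)

_LINK_RE = re.compile(r"^\s*link/ether\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
_INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-f:]+)/\d+", re.I)

def leaked_addresses(ip_output: str) -> list[str]:
    """Scan "ip a show dev <if>" output and return every IPv6 address (global
    or link-local) whose interface identifier is derived from the link-layer
    address; an empty list corresponds to "MAC address leaked? NO"."""
    mac, leaked = None, []
    for line in ip_output.splitlines():
        if m := _LINK_RE.match(line):
            mac = m.group(1)
        elif (m := _INET6_RE.match(line)) and mac and embeds_mac(m.group(1), mac):
            leaked.append(m.group(1))
    return leaked

if __name__ == "__main__":
    print(leaked_addresses(SAMPLE_SCENARIO_2A))
```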

Kernel options

IPv6 privacy extensions are enabled with:

net.ipv6.conf.wlan0.use_tempaddr = 2

Stable-privacy addresses are enabled with:

net.ipv6.conf.wlan0.addr_gen_mode = 2
net.ipv6.conf.wlan0.stable_secret = d411:d7ec:d01b:e9dd:8588:77f4:f009:e90c

Make sure to generate your own stable_secret as described at:

https://wiki.archlinux.org/title/IPv6#Stable_private_addresses

Custom kernel options are set with sysctl. The options are documented at:

https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html

Scenario 1: dhcpcd

dhcpcd will be used with the following defaults:

❯ tail -n 5 /etc/dhcpcd.conf

# Generate SLAAC address using the Hardware Address of the interface
#slaac hwaddr
# OR generate Stable Private IPv6 Addresses based from the DUID
slaac private

Deviation from the following kernel defaults is not required:

❯ sysctl -a | grep -e "\.use_tempaddr" -e "\.addr_gen_mode" -e "\.stable_secret" | grep wlan0
net.ipv6.conf.wlan0.addr_gen_mode = 1
net.ipv6.conf.wlan0.use_tempaddr = 0

  • “stable-privacy” enabled in kernel config "/etc/sysctl.conf"? NO
  • “privacy extensions” enabled in kernel config "/etc/sysctl.conf"? NO
  • Tool handling address configuration (dhcpcd / iwd / systemd-networkd): dhcpcd

MAC address leaked? NO

❯ ip a show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 brd 192.168.0.255 scope global dynamic noprefixroute wlan0
       valid_lft 863983sec preferred_lft 755983sec
    inet6 2003:f6:7708:8200:4bd2:af44:e7ae:40bd/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7179sec preferred_lft 1095sec
    inet6 fe80::d21c:e8f7:81a1:1570/64 scope link
       valid_lft forever preferred_lft forever

Scenario 2: iNet Wireless Daemon (iwd)

The standalone USE flag is enabled for net-wireless/iwd. Thus, iwd takes care of address configuration by default, but leaves DNS resolution to systemd:

❯ cat /etc/iwd/main.conf
[General]
EnableNetworkConfiguration=true
[Network]
NameResolvingService=systemd

a) Stable-privacy address

  • “stable-privacy” enabled in kernel config "/etc/sysctl.conf"? YES
  • “privacy extensions” enabled in kernel config "/etc/sysctl.conf"? NO
  • Tool handling address configuration (dhcpcd / iwd / systemd-networkd): iwd

MAC address leaked? YES

❯ ip a show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 scope global dynamic noprefixroute wlan0
       valid_lft 863944sec preferred_lft 863944sec
    inet6 2003:f6:7708:8200:66c:59ff:fe3c:0753/128 scope global dynamic noprefixroute
       valid_lft 7148sec preferred_lft 1571sec
    inet6 fe80::12d:cdb1:6b26:a844/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

b) Temporary IP address

  • “stable-privacy” enabled in kernel config "/etc/sysctl.conf"? NO
  • “privacy extensions” enabled in kernel config "/etc/sysctl.conf"? YES
  • Tool handling address configuration (dhcpcd / iwd / systemd-networkd): iwd

MAC address leaked? YES

❯ ip a show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 scope global dynamic noprefixroute wlan0
       valid_lft 863981sec preferred_lft 863981sec
    inet6 2003:f6:7708:8200:66c:59ff:fe3c:0753/128 scope global dynamic noprefixroute
       valid_lft 7181sec preferred_lft 1370sec
    inet6 fe80::66c:59ff:fe3c:0753/64 scope link
       valid_lft forever preferred_lft forever

c) Both

  • “stable-privacy” enabled in kernel config "/etc/sysctl.conf"? YES
  • “privacy extensions” enabled in kernel config "/etc/sysctl.conf"? YES
  • Tool handling address configuration (dhcpcd / iwd / systemd-networkd): iwd

MAC address leaked? YES

❯ ip a show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 scope global dynamic noprefixroute wlan0
       valid_lft 863980sec preferred_lft 863980sec
    inet6 2003:f6:7708:8200:66c:59ff:fe3c:0753/128 scope global dynamic noprefixroute
       valid_lft 7180sec preferred_lft 1050sec
    inet6 fe80::12d:cdb1:6b26:a844/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

Scenario 3: systemd-networkd without DHCPv6 client

systemd-networkd is used with the following custom config. Read man 5 systemd.network for detailed info.

❯ cat /etc/systemd/network/wlan0.network
[Match]
Name=wlan0

[Network]
DHCP=ipv4
IPv6PrivacyExtensions=kernel

a) Stable-privacy address

  • “stable-privacy” enabled in kernel config "/etc/sysctl.conf"? YES
  • “privacy extensions” enabled in kernel config "/etc/sysctl.conf"? NO
  • Tool handling address configuration (dhcpcd / iwd / systemd-networkd): systemd-networkd

MAC address leaked? YES

❯ ip a show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 metric 1024 brd 192.168.0.255 scope global dynamic wlan0
       valid_lft 863973sec preferred_lft 863973sec
    inet6 2003:f6:7708:8200:66c:59ff:fe3c:0753/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7175sec preferred_lft 1209sec
    inet6 fe80::66c:59ff:fe3c:0753/64 scope link
       valid_lft forever preferred_lft forever

b) Temporary IP address

  • “stable-privacy” enabled in kernel config "/etc/sysctl.conf"? NO
  • “privacy extensions” enabled in kernel config "/etc/sysctl.conf"? YES
  • Tool handling address configuration (dhcpcd / iwd / systemd-networkd): systemd-networkd

MAC address leaked? NO

❯ ip a show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 metric 1024 brd 192.168.0.255 scope global dynamic wlan0
       valid_lft 863977sec preferred_lft 863977sec
    inet6 2003:f6:7708:8200:6005:e170:d57a:a4aa/64 scope global temporary dynamic
       valid_lft 7179sec preferred_lft 1560sec
    inet6 2003:f6:7708:8200:66c:59ff:fe3c:0753/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7179sec preferred_lft 1560sec
    inet6 fe80::66c:59ff:fe3c:0753/64 scope link
       valid_lft forever preferred_lft forever

c) Both

  • “stable-privacy” enabled in kernel config "/etc/sysctl.conf"? YES
  • “privacy extensions” enabled in kernel config "/etc/sysctl.conf"? YES
  • Tool handling address configuration (dhcpcd / iwd / systemd-networkd): systemd-networkd

MAC address leaked? NO

❯ ip a show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 metric 1024 brd 192.168.0.255 scope global dynamic wlan0
       valid_lft 863986sec preferred_lft 863986sec
    inet6 2003:f6:7708:8200:4040:7d2c:13fb:a343/64 scope global temporary dynamic
       valid_lft 7189sec preferred_lft 1225sec
    inet6 2003:f6:7708:8200:66c:59ff:fe3c:0753/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7189sec preferred_lft 1225sec
    inet6 fe80::66c:59ff:fe3c:0753/64 scope link
       valid_lft forever preferred_lft forever

Scenario 4: systemd-networkd with DHCPv6 client

systemd-networkd is used with the following custom config. Read man 5 systemd.network for detailed info.

❯ cat /etc/systemd/network/wlan0.network
[Match]
Name=wlan0

[Network]
DHCP=yes
IPv6PrivacyExtensions=kernel

a) Stable-privacy address

  • “stable-privacy” enabled in kernel config "/etc/sysctl.conf"? YES
  • “privacy extensions” enabled in kernel config "/etc/sysctl.conf"? NO
  • Tool handling address configuration (dhcpcd / iwd / systemd-networkd): systemd-networkd

MAC address leaked? YES

❯ ip a show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 metric 1024 brd 192.168.0.255 scope global dynamic wlan0
       valid_lft 863985sec preferred_lft 863985sec
    inet6 2003:f6:7708:8200:66c:59ff:fe3c:0753/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7187sec preferred_lft 1265sec
    inet6 fe80::66c:59ff:fe3c:0753/64 scope link
       valid_lft forever preferred_lft forever

b) Temporary IP address

  • “stable-privacy” enabled in kernel config "/etc/sysctl.conf"? NO
  • “privacy extensions” enabled in kernel config "/etc/sysctl.conf"? YES
  • Tool handling address configuration (dhcpcd / iwd / systemd-networkd): systemd-networkd

MAC address leaked? NO

❯ ip a show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 metric 1024 brd 192.168.0.255 scope global dynamic wlan0
       valid_lft 863339sec preferred_lft 863339sec
    inet6 2003:f6:7708:8200:3f4e:64a3:8fe7:8d10/64 scope global temporary dynamic
       valid_lft 6970sec preferred_lft 1569sec
    inet6 2003:f6:7708:8200:66c:59ff:fe3c:0753/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 6970sec preferred_lft 1569sec
    inet6 fe80::66c:59ff:fe3c:0753/64 scope link
       valid_lft forever preferred_lft forever

c) Both

  • “stable-privacy” enabled in kernel config "/etc/sysctl.conf"? YES
  • “privacy extensions” enabled in kernel config "/etc/sysctl.conf"? YES
  • Tool handling address configuration (dhcpcd / iwd / systemd-networkd): systemd-networkd

MAC address leaked? NO

❯ ip a show dev wlan0
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 04:6c:59:3c:07:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.20/24 metric 1024 brd 192.168.0.255 scope global dynamic wlan0
       valid_lft 863844sec preferred_lft 863844sec
    inet6 2003:f6:7708:8200:b4fe:9026:c974:a93f/64 scope global temporary dynamic
       valid_lft 7047sec preferred_lft 1554sec
    inet6 2003:f6:7708:8200:66c:59ff:fe3c:0753/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 7047sec preferred_lft 1554sec
    inet6 fe80::66c:59ff:fe3c:0753/64 scope link
       valid_lft forever preferred_lft forever

Conclusion

Do you want to use stable-privacy addresses?

Apply Scenario 1: dhcpcd (see above).

This consists of:

  • net-misc/dhcpcd with its service enabled and the default config
  • No custom /etc/sysctl.conf
  • No /etc/systemd/network/wlan0.network

Do you want to use IPv6 privacy extensions?

Apply Scenario 3: systemd-networkd without DHCPv6 client, b) Temporary IP address (see above).

This consists of:

  • No net-misc/dhcpcd
  • /etc/sysctl.conf with net.ipv6.conf.wlan0.use_tempaddr = 2
  • /etc/systemd/network/wlan0.network with:
[Match]
Name=wlan0

[Network]
DHCP=ipv4
IPv6PrivacyExtensions=kernel

Alternatively, you can use:

  • No net-misc/dhcpcd
  • No custom /etc/sysctl.conf
  • /etc/systemd/network/wlan0.network with:
[Match]
Name=wlan0

[Network]
DHCP=ipv4
IPv6PrivacyExtensions=true