From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPv6 not ready here; Hmmm
Date: Thu, 9 Jun 2011 21:27:06 +0100
Message-Id: <201106092127.19636.michaelkintzios@gmail.com>

On Thursday 09 Jun 2011 16:51:29 Paul Hartman wrote:
> On Thu, Jun 9, 2011 at 12:46 AM, Mick wrote:
> >> BTW, Windows Vista and 7 generate randomized host IDs for public IPv6
> >> addresses, it's generally advised to disable that. You can do that by
> >> running this at an administrator cmd prompt:
> >> netsh interface ipv6 set global randomizeidentifiers=disabled
> >
> > I was looking at the same in the Linux kernel, scratching my head over
> > whether I should enable this or not ...
> >
> > What does it do? Not sure I understand what such temporary addresses
> > are used for:
> > ================================================
> > IPv6: Privacy Extensions (RFC 3041) support
>
> > CONFIG_IPV6_PRIVACY:
>
> Sorry, I described the problem poorly. More specifically, I should have
> said that it should be disabled because Windows does it /wrong/. :)
>
> In IPv6, a link-local address is required (begins with fe80::) even when
> an internet-routable address exists. It is derived from your network
> prefix and your MAC address. Normally, the public IPv6 address also
> contains your MAC address. Every IPv6 interface is going to have at
> least 2 different addresses.
>
> Imagine a world where IPv6 is everywhere. You take your laptop home,
> to the cafe, to work, to a hotel on a business trip. Despite using
> different networks in each place, your MAC address will tie them all
> together. The governments and corporations are tracking this and now
> know even more about you. At least, that's what people worry about.
>
> In Linux, enabling the privacy extensions adds an additional,
> temporary IPv6 address to the interface, with a randomized "MAC" part,
> and it changes regularly (every hour or two? something like that). The
> link-local address still contains the MAC-based IPv6 address, and the
> standard routable IPv6 address is also available but not used by
> default for outgoing connections. So, inside your network, things are
> predictable and unchanging, which makes management of clients, routing
> of traffic, firewall rules, etc. easier to deal with. To the outside
> world, your IP address is constantly changing and can't be used to
> track you as easily as it would be if the MAC portion of the address
> were consistent.
>
> In Windows, however, when that option is enabled, they wrongly
> randomize ALL of the addresses, even the local, rather than just
> creating a temp random public address. Which means every time that
> machine reboots it's going to look like a new client on the local
> network, and any local network setup you have pertaining to a certain
> IP is going to be a pain to maintain. Depending on your usage, maybe
> that doesn't matter, but in general, on Windows machines, it's
> considered a buggy implementation and is undesired.
>
> In Linux, it should be absolutely fine to use. In your
> /etc/sysctl.conf you can add these lines to enable it on every
> interface by default, assuming you enabled it in your kernel config:
>
> net.ipv6.conf.all.use_tempaddr = 2
> net.ipv6.conf.default.use_tempaddr = 2

Excellent explanation! Thank you. :-)

Now, was it that difficult to add a couple of meaningful lines in the kernel
documentation, so that anyone other than the kernel hacker who wrote that
module would learn that it's there to anonymise your IPv6 address for privacy
purposes?

I take it that loading this module would cut both ways. If I were to allow
connections to my server only for *my* IP address, then that would be quite
difficult to achieve if my IP address changed every few minutes.

--
Regards,
Mick
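As an added illustration of the mechanism Paul describes above (a stable SLAAC address that carries the MAC in its lower 64 bits, versus a temporary address whose identifier is randomised under RFC 3041, later replaced by RFC 4941), here is example code that is not part of the original thread. It derives the modified EUI-64 identifier from a MAC, checks whether a given IPv6 address embeds a MAC (handy for auditing which of a host's addresses expose its hardware address), and generates a simplified RFC 4941-style temporary identifier. The prefix 2001:db8:1::/64, the MAC 00:1a:2b:3c:4d:5e and the sample address list are constructed values; the random-identifier routine is a deliberate simplification, not a reimplementation of the kernel's algorithm.

```python
"""Show what IPv6 privacy extensions protect against: the MAC embedded
in a SLAAC-derived interface identifier.  Added example, not from the
list post or the kernel."""
import ipaddress
import os


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    split the 48-bit MAC, insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the universal/local bit
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The stable (non-temporary) SLAAC address for a /64 prefix and a MAC.
    Use 'fe80::/64' as the prefix to get the link-local address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str):
    """Return the MAC embedded in an EUI-64-style address as a string,
    or None when the interface identifier does not look MAC-derived
    (no ff:fe marker in the middle)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit flip
    raw = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def mac_exposing_addresses(addrs):
    """Audit helper: from a list of addresses (e.g. copied from
    'ip -6 addr'), return the (address, mac) pairs that reveal a MAC."""
    found = []
    for a in addrs:
        mac = embedded_mac(a)
        if mac is not None:
            found.append((a, mac))
    return found


def random_temporary_iid() -> bytes:
    """Simplified RFC 4941-style temporary identifier: 64 random bits
    with the U/L bit cleared so it never claims global uniqueness.
    The real kernel algorithm additionally mixes in history state;
    this version is only meant to show the shape of the result."""
    iid = bytearray(os.urandom(8))
    iid[0] &= ~0x02 & 0xFF
    return bytes(iid)


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """A temporary address in the given /64, as use_tempaddr=2 would add."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = int.from_bytes(random_temporary_iid(), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    stable = slaac_address("2001:db8:1::/64", mac)
    link_local = slaac_address("fe80::/64", mac)
    temp = temporary_address("2001:db8:1::/64")
    print("stable     :", stable, "->", embedded_mac(str(stable)))
    print("link-local :", link_local, "->", embedded_mac(str(link_local)))
    print("temporary  :", temp, "->", embedded_mac(str(temp)))
    print("exposing   :", mac_exposing_addresses(
        [str(stable), str(link_local), str(temp)]))
```

Running it shows the same identifier suffix in the stable global address and the link-local address, which is exactly the cross-network correlation handle the thread worries about, while the temporary address yields no MAC. This also matches Paul's point about why randomising only the temporary address is the right design: the link-local and stable addresses stay predictable for local firewall rules, and only outgoing traffic uses the changing one.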