major.io words of wisdom from a systems engineer

Enable IPv6 privacy in NetworkManager


On most IPv6-enabled networks, network addresses are distributed via stateless address autoconfiguration (SLAAC). That is a fancy way to say that hosts on an IPv6 network will configure their own IP addresses.

The process usually works like this:

  1. The host sends out a router solicitation request: Hey, who is the router around here?
  2. The router replies with a prefix: I am the router and your IPv6 address should start with this prefix.
  3. The host uses its MAC address to generate the remaining bits of the IP address.

The format of the IPv6 address generated by the host is called EUI-64. The host takes its MAC address, wedges FF:FE in the middle, and adds the prefix from the router on the front. For much more detail on this process, review the IEEE’s guidelines for EUI-64. The Arch Linux wiki page on IPv6 has plenty of detail as well.

Time to talk security

While SLAAC works really well on most networks and provides a highly efficient method for dealing with IP addresses, it can disclose more information about your computer or mobile device than you want to disclose. Websites will see the IPv6 address and they can determine the client’s MAC address on networks that are using SLAAC. This could be used for tracking purposes - both legitimate and illegitimate.

Also, bear in mind that the first several bits of a MAC address will often identify the hardware vendor that manufactured your ethernet card or wireless chip. Depending on the vendor, this may expose what type of device you are using (computer or mobile device) and in some cases, which type of computer you are using (Mac vs PC).

In the worst cases, this information could be used to deliver targeted malware to your device. It could also be used to locate or identify a user of a device in a particular location.

Using temporary addresses

Most systems allow for temporary addressing, and some even enable it by default. However, many Linux distributions do not enable temporary addresses by default.

There is a kernel tunable that controls temporary addressing on Linux systems:

# Do not use a temporary address
net.ipv6.conf.all.use_tempaddr = 0
# Set a temporary address, but do not make it the default
net.ipv6.conf.all.use_tempaddr = 1
# Set a temporary address and make it the default
net.ipv6.conf.all.use_tempaddr = 2

NetworkManager can handle this setting as well. Just set the ipv6.ip6-privacy variable to 0, 1, or 2. For example, to enable temporary addresses and make them the default:

nmcli connection modify eth0 ipv6.ip6-privacy 2

NetworkManager will activate this setting immediately and begin using the temporary address as the default.
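The following Python is an added example, not code from the original post: it carries out the EUI-64 construction described above (split the MAC, wedge in FF:FE, prepend the router's prefix, and flip the universal/local bit as the IEEE guidelines require) and then runs the reverse check an administrator wants after setting use_tempaddr or ipv6.ip6-privacy: does a host's address still embed its MAC? The prefix 2001:db8:1::/64, the MAC 00:1b:21:aa:bb:cc and the sample address list are constructed values.

```python
import ipaddress


def mac_to_eui64_iid(mac: str) -> bytes:
    """Build the 64-bit EUI-64 interface identifier from a 48-bit MAC:
    split the MAC in half, insert FF:FE, and flip the universal/local
    bit (bit 1 of the first octet) as the IEEE guidelines require."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 router prefix with the EUI-64 identifier, exactly as
    a SLAAC host without privacy extensions would."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac))


def embedded_mac(addr: str):
    """Return the MAC address an IPv6 address leaks through EUI-64, or None
    when the interface identifier does not carry the FF:FE marker. None for
    the address the host prefers is what you expect once use_tempaddr=2
    (or ipv6.ip6-privacy 2) is in effect."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Map each address to the MAC it exposes (or None); feed it the global
    addresses from `ip -6 addr` on the host being checked."""
    return {a: embedded_mac(a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample: one EUI-64 address, one temporary address.
    sample = [str(slaac_address("2001:db8:1::/64", "00:1b:21:aa:bb:cc")),
              "2001:db8:1:0:5c3a:9d1e:7b04:a2f1"]
    for addr, mac in audit(sample).items():
        print(addr, "->", mac or "no MAC embedded")
```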

Caveats

Temporary addresses are built based on the MAC address and a random time string, so they will change from time to time. Avoid using temporary addressing on devices that you regularly access via their IPv6 address, such as servers or other non-mobile systems.

Photo Credit: UnknownNet Photography