6.5. Enable Privacy Extension

The Privacy Extension, as described in RFC 4941 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (which obsoleted RFC 3041), replaces the static interface ID (mostly derived from the world-wide unique MAC address) used during autoconfiguration with a pseudo-random one, and generates a new one from time to time while deprecating the old one.

6.5.1. Enable Privacy Extension using sysctl

Temporary activation

Enable the privacy extension for e.g. interface "eth0" and prefer the generated address:

# sysctl -w net.ipv6.conf.eth0.use_tempaddr=2

Afterwards, a restart of the interface is necessary:

# ip link set dev eth0 down
# ip link set dev eth0 up

Once a router advertisement is received, the result should look like the following:

# ip -6 addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:0:1:8992:3c03:d6e2:ed72/64 scope global secondary dynamic   <- pseudo-random IID
       valid_lft 604711sec preferred_lft 86311sec
    inet6 2001:db8:0:1:224:21ff:fe01:2345/64 scope global     <- IID based on MAC
       valid_lft 604711sec preferred_lft 86311sec
    ...

Permanent activation

For permanent activation, either a special initscript value per interface enables privacy, or an entry in the /etc/sysctl.conf file like:

net.ipv6.conf.eth0.use_tempaddr=2

Note: the interface must already exist with its proper name when sysctl.conf is applied. If this is not the case (e.g. after a reboot), one has to enable privacy for all interfaces by default:

net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2

Changed or added values in /etc/sysctl.conf can be activated at runtime with the following command, but at least an interface down/up, or a reboot, is recommended afterwards:

# sysctl -p

6.5.2. Enable Privacy Extension using NetworkManager

Modern (client) systems use NetworkManager for configuring interfaces. It ships with a built-in command line tool (nmcli), which can be used to change settings that are not available via the GUI.

The examples are based on version 0.9.9.1-5.git20140319.fc21.

Check existing interfaces with:

# nmcli connection
NAME UUID TYPE DEVICE
ens4v1 d0fc2b2e-5fa0-4675-96b5-b723ca5c46db 802-3-ethernet ens4v1

The current number of IPv6 privacy extension addresses can be checked with:

# ip -o addr show dev ens4v1 | grep temporary | wc -l
0

The current IPv6 privacy extension setting can be checked with:

# nmcli connection show ens4v1 | grep ip6-privacy
ipv6.ip6-privacy: -1 (unknown)

Enable the IPv6 privacy extension and restart the interface:

# nmcli connection modify ens4v1 ipv6.ip6-privacy 2
# nmcli connection down ens4v1; nmcli connection up ens4v1

The new IPv6 privacy extension setting can be checked with:

# nmcli connection show ens4v1 | grep ip6-privacy
ipv6.ip6-privacy: 2 (active, prefer temporary IP)

Now IPv6 privacy extension addresses are configured on the interface:

# ip -o addr show dev ens4v1 | grep temporary | wc -l
2

6.5.3. Test real use of Privacy Extension IPv6 Addresses

To check whether the IPv6 address with an Interface ID generated by the Privacy Extension is really used for outgoing connections, browse to http://ip.bieringer.de/; if EUI64_SCOPE shows "iid-privacy", everything is working fine.
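A local complement to the checks in 6.5.2 and 6.5.3, added here as example code (not part of the HOWTO): it parses the one-line `ip -o -6 addr show` output, records which global addresses are temporary, recovers the MAC address still exposed by any remaining modified EUI-64 interface ID, and lists interfaces that have no temporary address at all. The sample output is constructed, not captured from a real host.

```python
"""Audit `ip -o -6 addr show` output: which global IPv6 addresses are
temporary (RFC 4941) and which still expose a MAC-derived EUI-64 IID."""
import ipaddress
import re

# Constructed sample (not captured from a real host): eth0 has privacy
# extensions enabled, eth1 only carries a MAC-derived address.
SAMPLE = """\
2: eth0  inet6 2001:db8:0:1:8992:3c03:d6e2:ed72/64 scope global temporary dynamic \\  valid_lft 604711sec preferred_lft 86311sec
2: eth0  inet6 2001:db8:0:1:224:21ff:fe01:2345/64 scope global dynamic mngtmpaddr \\  valid_lft 604711sec preferred_lft 86311sec
2: eth0  inet6 fe80::224:21ff:fe01:2345/64 scope link \\  valid_lft forever preferred_lft forever
3: eth1  inet6 2001:db8:0:2:224:21ff:fe01:2346/64 scope global dynamic \\  valid_lft 2591932sec preferred_lft 604732sec
"""
LINE_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6\s+(\S+)/\d+\s+scope\s+(\S+)(.*)$")

def eui64_mac(addr_str):
    """Return the MAC encoded in a modified EUI-64 IID, or None if the IID
    lacks the ff:fe marker (a random IID matches by chance only 1 in 65536)."""
    iid = ipaddress.IPv6Address(addr_str).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in bytes([first]) + iid[1:3] + iid[5:])

def audit(ip_output):
    """Parse the one-line-per-address output into a record per global address."""
    records = []
    for line in ip_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "global":
            continue  # skip link-local and non-address lines
        dev, addr, _, flags = m.groups()
        records.append({"dev": dev, "addr": addr,
                        "temporary": "temporary" in flags.split(),
                        "mac": eui64_mac(addr)})
    return records

def devices_without_privacy(records):
    """Interfaces exposing a MAC-derived global address with no temporary one."""
    by_dev = {}
    for r in records:
        d = by_dev.setdefault(r["dev"], {"temp": 0, "mac": False})
        d["temp"] += r["temporary"]
        d["mac"] = d["mac"] or r["mac"] is not None
    return sorted(dev for dev, d in by_dev.items() if d["mac"] and not d["temp"])
```

Interfaces returned by devices_without_privacy() are the ones that still need use_tempaddr=2 (or ipv6.ip6-privacy 2 under NetworkManager).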