wiki/content/20220219131642-ipv6.md

---
date: 2022-02-19
id: 516b5872-de3c-4d22-bf28-435778c85516
title: IPv6
---

# Privacy extensions

When a client acquires an address through SLAAC its IPv6 address is
derived from the advertised prefix and the MAC address of the network
interface of the client. This may raise security concerns as the MAC
address of the computer can be easily derived by the IPv6 address. In
order to tackle this problem the IPv6 Privacy Extensions standard (RFC
4941[^1]) has been developed. With privacy extensions the kernel
generates a temporary address that is mangled from the original
autoconfigured address. Private addresses are preferred when connecting
to a remote server so the original address is hidden. To enable Privacy
Extensions reproduce add these lines to /etc/sysctl.d/40-ipv6.conf:

    # Enable IPv6 Privacy Extensions
    net.ipv6.conf.all.use_tempaddr = 2
    net.ipv6.conf.default.use_tempaddr = 2
    net.ipv6.conf.nic0.use_tempaddr = 2
    ...
    net.ipv6.conf.nicN.use_tempaddr = 2

Where `nic0` to `nicN` are your Network Interface Cards. The
`all.use_tempaddr` or `default.use_tempaddr` parameters are not applied
to nic's that already exist when the sysctl settings are executed.

After a reboot, at the latest, Privacy Extensions should be enabled.
NetworkManager should automatically enable `ipv6.ip6-privacy` by reading
`/proc/sys/net/ipv6/conf/default/use_tempaddr`.

# Footnotes

[^1]: <https://tools.ietf.org/html/rfc4941>
Quartz sync: May 6, 2024, 10:40 PM 2024-05-06 20:40:05 +00:00			`---`
Quartz sync: Oct 29, 2024, 7:27 PM 2024-10-29 18:27:12 +00:00			`date: 2022-02-19`
Quartz sync: May 6, 2024, 10:40 PM 2024-05-06 20:40:05 +00:00			`id: 516b5872-de3c-4d22-bf28-435778c85516`
			`title: IPv6`
			`---`

			`# Privacy extensions`

			`When a client acquires an address through SLAAC its IPv6 address is`
			`derived from the advertised prefix and the MAC address of the network`
			`interface of the client. This may raise security concerns as the MAC`
			`address of the computer can be easily derived by the IPv6 address. In`
			`order to tackle this problem the IPv6 Privacy Extensions standard (RFC`
			`4941[^1]) has been developed. With privacy extensions the kernel`
			`generates a temporary address that is mangled from the original`
			`autoconfigured address. Private addresses are preferred when connecting`
			`to a remote server so the original address is hidden. To enable Privacy`
			`Extensions reproduce add these lines to /etc/sysctl.d/40-ipv6.conf:`

			`# Enable IPv6 Privacy Extensions`
			`net.ipv6.conf.all.use_tempaddr = 2`
			`net.ipv6.conf.default.use_tempaddr = 2`
			`net.ipv6.conf.nic0.use_tempaddr = 2`
			`...`
			`net.ipv6.conf.nicN.use_tempaddr = 2`

			Where `nic0` to `nicN` are your Network Interface Cards. The
			`all.use_tempaddr` or `default.use_tempaddr` parameters are not applied
			`to nic's that already exist when the sysctl settings are executed.`

			`After a reboot, at the latest, Privacy Extensions should be enabled.`
			NetworkManager should automatically enable `ipv6.ip6-privacy` by reading
			`/proc/sys/net/ipv6/conf/default/use_tempaddr`.

			`# Footnotes`

			`[^1]: <https://tools.ietf.org/html/rfc4941>`