[Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
Alex Bligh
ubuntu at alex.org.uk
Wed Jun 4 10:13:54 UTC 2014
In my view this is NOT a software bug, its an OS bug.
Here's a completely different why this causes problems.
We use Ubuntu UEC images. There are no meaningful privacy considerations
here because we generate both the MAC address and the IP address of the
servers concerned. IE, if the machine is mobile and changes IP address,
it changes MAC address too.
We build firewall rules automatically for the machine. These are applied
outside of the machine (on the router). In order to write the rules
correctly, we need to know the IPv6 address the machine will have, and
use EUI-64 addressing to do this.
Equally, for the server to get metadata on a boot, both the IP address
needs to be correct (and no, that's not the only thing that is checked).
On UEC randomisation of addresses thus prevents getting metadata over
IPv6. This is only 'not a killer problem' as most people have IPv4 too.
In a server environment (particularly on cloud images) there is no need
whatsoever to have RFC4941 turned on by default.
As Brian Candler wrote, the RFC says this should be disabled by default.
It also says:
Devices implementing this specification MUST provide a way for the
end user to explicitly enable or disable the use of temporary
addresses. In addition, a site might wish to disable the use of
temporary addresses in order to simplify network debugging and
operations. Consequently, implementations SHOULD provide a way for
trusted system administrators to enable or disable the use of
temporary addresses.
On a cloud image, the user can't even administer his own machine until
it has booted, which in a full IPv6 environment requires it to get
metadata. For the reasons above, this prevents that from working.
Therefore at least on UEC images, RFC4941 should be turned off by
default and EUI-64 addresses only should be used.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1068756
Title:
IPv6 Privacy Extensions enabled on Ubuntu Server by default
Status in “procps” package in Ubuntu:
Confirmed
Bug description:
Ubuntu 12.04 LTS and Ubuntu 12.10 server images both ship with the
IPv6 Privacy Extensions enabled (as defined in RFC 4941[0]). Not only
are they enabled, but these addresses are preferred over addresses
obtained using SLAAC. While is may be considered a reasonable default
on an image being used on a personal computer, it's not something that
is sane to have enabled by default in a server environment. Having
this extension enabled can wreak havoc if you are expecting a specific
IPv6 address when you know the MAC addresses of your systems
beforehand.
The file that is responsible for causing this to be defaulted to
enabled is: "/etc/sysctl.d/10-ipv6-privacy.conf". This file appears to
be part of the procps package (as per the output of 'dpkg -S') and
contains the following:
# IPv6 Privacy Extensions (RFC 4941)
# ---
# IPv6 typically uses a device's MAC address when choosing an IPv6 address
# to use in autoconfiguration. Privacy extensions allow using a randomly
# generated IPv6 address, which increases privacy.
#
# Acceptable values:
# 0 - don’t use privacy extensions.
# 1 - generate privacy addresses
# 2 - prefer privacy addresses and use them over the normal addresses.
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
In short, IPv6 privacy extensions should not be enabled by default
when deploying an Ubuntu server image. In a server environment you
should be able to reliably determine your IPv6 address based on the
MAC address of the system.
Thank you for taking the time to look in to this as well as consider
changing the default behavior of Ubuntu server.
-Tim Heckman
[0] http://tools.ietf.org/html/rfc4941
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1068756/+subscriptions
More information about the foundations-bugs
mailing list