[Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default
Alex Bligh
ubuntu at alex.org.uk
Wed Jun 4 10:57:20 UTC 2014
Neil: the metadata is just one example (though that's not happening).
The firewall rule thing applies irrespective of the metadata. The cloud
environment created requires only /128 addresses it knows about to be
accessible, and firewalls everything else out. Reasons for this include
prevention of spoofing of IP addresses on outbound traffic. We want each
UEC image to come up with the IPv6 address(es) we have assigned, and not
a random one in the same /64. This is not an unreasonable requirement.
We would use DHCPv6 for this if it weren't for the fact that DHCPv6 is
broken in different ways and has little support.
IPv6 *as designed* says RFC4941 SHOULD (RFC capitalisation) be turned
off by default. So the argument that applications should be using it 'as
designed' is bogus, as if it was deployed *as designed* (i.e. per the
RFC) it would work. There would be no problem with (e.g.) Network
Manager turning this on in a desktop environment.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1068756
Title:
IPv6 Privacy Extensions enabled on Ubuntu Server by default
Status in “cloud-init” package in Ubuntu:
New
Status in “procps” package in Ubuntu:
Confirmed
Bug description:
Ubuntu 12.04 LTS and Ubuntu 12.10 server images both ship with the
IPv6 Privacy Extensions enabled (as defined in RFC 4941[0]). Not only
are they enabled, but these addresses are preferred over addresses
obtained using SLAAC. While it may be considered a reasonable default
on an image being used on a personal computer, it's not something that
is sane to have enabled by default in a server environment. Having
this extension enabled can wreak havoc if you are expecting a specific
IPv6 address when you know the MAC addresses of your systems
beforehand.
The file that is responsible for causing this to be defaulted to
enabled is: "/etc/sysctl.d/10-ipv6-privacy.conf". This file appears to
be part of the procps package (as per the output of 'dpkg -S') and
contains the following:
# IPv6 Privacy Extensions (RFC 4941)
# ---
# IPv6 typically uses a device's MAC address when choosing an IPv6 address
# to use in autoconfiguration. Privacy extensions allow using a randomly
# generated IPv6 address, which increases privacy.
#
# Acceptable values:
# 0 - don’t use privacy extensions.
# 1 - generate privacy addresses
# 2 - prefer privacy addresses and use them over the normal addresses.
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
In short, IPv6 privacy extensions should not be enabled by default
when deploying an Ubuntu server image. In a server environment you
should be able to reliably determine your IPv6 address based on the
MAC address of the system.
Thank you for taking the time to look into this as well as consider
changing the default behavior of Ubuntu server.
-Tim Heckman
[0] http://tools.ietf.org/html/rfc4941
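The following is an added example, not code from the bug report, from procps or from cloud-init. It shows the two things a server operator would want to check here: the address SLAAC derives from a MAC (RFC 4291 modified EUI-64, the "reliably determined" address that use_tempaddr=2 displaces), and which use_tempaddr value actually wins once an override fragment is dropped next to procps' 10-ipv6-privacy.conf. The function names, the override file name 99-ipv6-server.conf, the prefix 2001:db8:1:2 and the MAC 00:16:3e:aa:bb:cc are all assumptions constructed for the example; the ordering rule it relies on (sysctl.d fragments applied in lexical order, later assignments winning) is what sysctl -p over /etc/sysctl.d/*.conf does.

```shell
#!/bin/sh
# Added example; not from the bug report, procps or cloud-init.

# eui64_addr PREFIX MAC
#   Print the SLAAC address for a /64 PREFIX (four hextets, e.g. 2001:db8:1:2)
#   and a MAC (aa:bb:cc:dd:ee:ff), i.e. the address the reporter expects to be
#   able to predict from the MAC when privacy extensions are off.
eui64_addr() {
  prefix=$1
  # split the MAC into six octets as positional parameters
  set -- $(printf '%s' "$2" | tr ':' ' ')
  # modified EUI-64: flip the universal/local bit (0x02) of the first octet,
  # then insert ff:fe between the OUI and the device-specific half
  o1=$(printf '%02x' $(( 0x$1 ^ 0x02 )))
  printf '%s:%x:%x:%x:%x\n' "$prefix" \
    $(( 0x${o1}${2} )) $(( 0x${3}ff )) $(( 0xfe${4} )) $(( 0x${5}${6} ))
}

# server_override_conf
#   The fragment a server image would ship to undo procps' default. 99- sorts
#   after 10-ipv6-privacy.conf, so it is applied later and wins.
server_override_conf() {
  cat <<'EOF'
# Server: use only the SLAAC (EUI-64) address; no RFC 4941 temporary addresses
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0
EOF
}

# effective_sysctl KEY FILE...
#   Print the value KEY ends up with after applying FILE... in the order given
#   (pass them in lexical order, /etc/sysctl.conf last, to mirror sysctl -p);
#   comments are skipped and the last assignment wins.
effective_sysctl() {
  key=$1; shift
  cat "$@" | awk -v key="$key" -F= '
    /^[[:space:]]*[#;]/ { next }
    {
      k = $1; v = $2
      gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
      if (k == key) val = v
    }
    END { print val }'
}

# describe_tempaddr VALUE  ->  what the kernel does with that use_tempaddr value
describe_tempaddr() {
  case $1 in
    0) echo "disabled: only the EUI-64 (SLAAC) address is configured" ;;
    1) echo "temporary addresses generated but the EUI-64 address is preferred" ;;
    2) echo "temporary addresses generated and preferred for outbound traffic" ;;
    *) echo "unknown value: $1" ;;
  esac
}

# demo
#   Constructed sysctl.d directory: procps' 10-ipv6-privacy.conf as quoted in
#   the bug, plus the server override. Prints the effective default value.
demo() {
  d=$(mktemp -d)
  printf '%s\n' \
    '# IPv6 Privacy Extensions (RFC 4941)' \
    'net.ipv6.conf.all.use_tempaddr = 2' \
    'net.ipv6.conf.default.use_tempaddr = 2' > "$d/10-ipv6-privacy.conf"
  server_override_conf > "$d/99-ipv6-server.conf"
  effective_sysctl net.ipv6.conf.default.use_tempaddr "$d"/*.conf
  rm -r "$d"
}

# Stand-alone run: expected SLAAC address for a constructed prefix and MAC,
# then the value use_tempaddr resolves to with the override in place.
eui64_addr 2001:db8:1:2 00:16:3e:aa:bb:cc
v=$(demo)
echo "use_tempaddr=$v: $(describe_tempaddr "$v")"
```

To compare against a live host, feed `cat /sys/class/net/eth0/address` to eui64_addr with the assigned /64 and check that `ip -6 addr show dev eth0` lists exactly that global address and none marked "temporary"; with use_tempaddr=2 the temporary address will be the one outbound connections source from, which is what breaks /128-based firewall rules.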