public inbox for iwd@lists.linux.dev
* IPv6 Privacy Extension support?
@ 2024-03-01 14:46 Hannes von Haugwitz
  2024-03-04 12:30 ` James Prestwood
  0 siblings, 1 reply; 9+ messages in thread
From: Hannes von Haugwitz @ 2024-03-01 14:46 UTC (permalink / raw)
  To: iwd

Hello,

I'm running Debian sid and iwd 2.15.

When I enable network configuration and IPv6 in iwd config, the IPv6
address contains the embedded interface identifier (i.e. the MAC
address), even though IPv6 Privacy Extension is enabled for the device
(net.ipv6.conf.wlan0.use_tempaddr = 2).

Am I missing something, or is there no support for IPv6 Privacy Extension
in iwd?

Best regards

Hannes


* Re: IPv6 Privacy Extension support?
  2024-03-01 14:46 IPv6 Privacy Extension support? Hannes von Haugwitz
@ 2024-03-04 12:30 ` James Prestwood
  2024-03-04 19:32   ` Hannes von Haugwitz
  0 siblings, 1 reply; 9+ messages in thread
From: James Prestwood @ 2024-03-04 12:30 UTC (permalink / raw)
  To: Hannes von Haugwitz, iwd

Hi Hannes,

On 3/1/24 6:46 AM, Hannes von Haugwitz wrote:
> Hello,
>
> I'm running Debian sid and iwd 2.15.
>
> When I enable network configuration and IPv6 in iwd config, the IPv6
> address contains the embedded interface identifier (i.e. the MAC
> address), even though IPv6 Privacy Extension is enabled for the device
> (net.ipv6.conf.wlan0.use_tempaddr = 2).
>
> Am I missing something, or is there no support for IPv6 Privacy Extension
> in iwd?

I'm not familiar with the privacy extensions specifically, but you can 
enable MAC address randomization which should hide the MAC for you. You 
can check the man pages for more details but in main.conf something like:

[General]
AddressRandomization=network
>
> Best regards
>
> Hannes
>


* Re: IPv6 Privacy Extension support?
  2024-03-04 12:30 ` James Prestwood
@ 2024-03-04 19:32   ` Hannes von Haugwitz
  2024-03-04 21:40     ` Grant Erickson
  0 siblings, 1 reply; 9+ messages in thread
From: Hannes von Haugwitz @ 2024-03-04 19:32 UTC (permalink / raw)
  To: James Prestwood; +Cc: iwd

Hi,

On Mon, Mar 04, 2024 at 04:30:27AM -0800, James Prestwood wrote:
> I'm not familiar with the privacy extensions specifically, but you can
> enable MAC address randomization which should hide the MAC for you. You can
> check the man pages for more details but in main.conf something like:
> 
> [General]
> AddressRandomization=network

MAC address randomization hides the physical MAC address but does not
prevent device tracking (within the same network). With privacy extension
enabled, the IPv6 address is randomly regenerated every few hours.

For more details see [RFC_4941].

Best regards

Hannes

[RFC_4941] https://www.rfc-editor.org/rfc/rfc4941


* Re: IPv6 Privacy Extension support?
  2024-03-04 19:32   ` Hannes von Haugwitz
@ 2024-03-04 21:40     ` Grant Erickson
  2024-03-06 12:19       ` James Prestwood
  0 siblings, 1 reply; 9+ messages in thread
From: Grant Erickson @ 2024-03-04 21:40 UTC (permalink / raw)
  To: James Prestwood; +Cc: Hannes von Haugwitz, iwd

On Mar 4, 2024, at 11:32 AM, Hannes von Haugwitz <hannes@vonhaugwitz.com> wrote:
> On Mon, Mar 04, 2024 at 04:30:27AM -0800, James Prestwood wrote:
>> I'm not familiar with the privacy extensions specifically, but you can
>> enable MAC address randomization which should hide the MAC for you. You can
>> check the man pages for more details but in main.conf something like:
>> 
>> [General]
>> AddressRandomization=network
> 
> MAC address randomization hides the physical MAC address but does not
> prevent device tracking (within the same network). With privacy extension
> enabled, the IPv6 address is randomly regenerated every few hours.
> 
> For more details see [RFC_4941].
> 
> Best regards
> 
> Hannes

James:

I believe it’s handled in connman with these APIs:

    https://git.kernel.org/pub/scm/network/connman/connman.git/tree/src/ipconfig.c#n528

with the Linux kernel “use_tempaddr” sysctl setting. I assume iwd would have to replicate this infrastructure, or pull it into ELL and share it that way.

Best,

Grant

-- 
Principal
Nuovations

gerickson@nuovations.com
http://www.nuovations.com/



* Re: IPv6 Privacy Extension support?
  2024-03-04 21:40     ` Grant Erickson
@ 2024-03-06 12:19       ` James Prestwood
  2024-08-04 21:01         ` Hannes von Haugwitz
  0 siblings, 1 reply; 9+ messages in thread
From: James Prestwood @ 2024-03-06 12:19 UTC (permalink / raw)
  To: Grant Erickson; +Cc: Hannes von Haugwitz, iwd

Hi,

On 3/4/24 1:40 PM, Grant Erickson wrote:
> On Mar 4, 2024, at 11:32 AM, Hannes von Haugwitz <hannes@vonhaugwitz.com> wrote:
>> On Mon, Mar 04, 2024 at 04:30:27AM -0800, James Prestwood wrote:
>>> I'm not familiar with the privacy extensions specifically, but you can
>>> enable MAC address randomization which should hide the MAC for you. You can
>>> check the man pages for more details but in main.conf something like:
>>>
>>> [General]
>>> AddressRandomization=network
>> MAC address randomization hides the physical MAC address but does not
>> prevent device tracking (within the same network). With privacy extension
>> enabled, the IPv6 address is randomly regenerated every few hours.
>>
>> For more details see [RFC_4941].
>>
>> Best regards
>>
>> Hannes
> James:
>
> I believe it’s handled in connman with these APIs:
>
>      https://git.kernel.org/pub/scm/network/connman/connman.git/tree/src/ipconfig.c#n528
>
> with the Linux kernel “use_tempaddr” sysctl setting. I assume iwd would have to replicate this infrastructure, or pull it into ELL and share it that way.

Hmm, if this is all that's required then shouldn't this already work if 
Hannes is setting "use_tempaddr" externally to IWD? Of course having 
this within an IWD profile setting would be nice, but I think there must 
be more to it than this, right?

Thanks,

James

> Best,
>
> Grant
>


* Re: IPv6 Privacy Extension support?
  2024-03-06 12:19       ` James Prestwood
@ 2024-08-04 21:01         ` Hannes von Haugwitz
  2024-08-05 12:44           ` James Prestwood
  0 siblings, 1 reply; 9+ messages in thread
From: Hannes von Haugwitz @ 2024-08-04 21:01 UTC (permalink / raw)
  To: James Prestwood; +Cc: Grant Erickson, iwd

On Wed, Mar 06, 2024 at 04:19:41AM -0800, James Prestwood wrote:
> On 3/4/24 1:40 PM, Grant Erickson wrote:
> > On Mar 4, 2024, at 11:32 AM, Hannes von Haugwitz <hannes@vonhaugwitz.com> wrote:
> > > On Mon, Mar 04, 2024 at 04:30:27AM -0800, James Prestwood wrote:
> > > > I'm not familiar with the privacy extensions specifically, but you can
> > > > enable MAC address randomization which should hide the MAC for you. You can
> > > > check the man pages for more details but in main.conf something like:
> > > >
> > > > [General]
> > > > AddressRandomization=network
> > > MAC address randomization hides the physical MAC address but does not
> > > prevent device tracking (within the same network). With privacy extension
> > > enabled, the IPv6 address is randomly regenerated every few hours.
> > >
> > > For more details see [RFC_4941].
> > >
> > > Best regards
> > >
> > > Hannes
> > James:
> >
> > I believe it’s handled in connman with these APIs:
> >
> >      https://git.kernel.org/pub/scm/network/connman/connman.git/tree/src/ipconfig.c#n528
> >
> > with the Linux kernel “use_tempaddr” sysctl setting. I assume iwd would have to replicate this infrastructure, or pull it into ELL and share it that way.
>
> Hmm, if this is all that's required then shouldn't this already work if
> Hannes is setting "use_tempaddr" externally to IWD? Of course having this
> within an IWD profile setting would be nice, but I think there must be more
> to it than this, right?

Is there any news about this feature request?

Best regards

Hannes


* Re: IPv6 Privacy Extension support?
  2024-08-04 21:01         ` Hannes von Haugwitz
@ 2024-08-05 12:44           ` James Prestwood
  2024-08-06 17:38             ` Hannes von Haugwitz
  2024-08-09 17:54             ` Hannes von Haugwitz
  0 siblings, 2 replies; 9+ messages in thread
From: James Prestwood @ 2024-08-05 12:44 UTC (permalink / raw)
  To: Hannes von Haugwitz; +Cc: Grant Erickson, iwd

Hi Hannes,

On 8/4/24 2:01 PM, Hannes von Haugwitz wrote:
> On Wed, Mar 06, 2024 at 04:19:41AM -0800, James Prestwood wrote:
>> On 3/4/24 1:40 PM, Grant Erickson wrote:
>>> On Mar 4, 2024, at 11:32 AM, Hannes von Haugwitz <hannes@vonhaugwitz.com> wrote:
>>>> On Mon, Mar 04, 2024 at 04:30:27AM -0800, James Prestwood wrote:
>>>>> I'm not familiar with the privacy extensions specifically, but you can
>>>>> enable MAC address randomization which should hide the MAC for you. You can
>>>>> check the man pages for more details but in main.conf something like:
>>>>>
>>>>> [General]
>>>>> AddressRandomization=network
>>>> MAC address randomization hides the physical MAC address but does not
>>>> prevent device tracking (within the same network). With privacy extension
>>>> enabled, the IPv6 address is randomly regenerated every few hours.
>>>>
>>>> For more details see [RFC_4941].
>>>>
>>>> Best regards
>>>>
>>>> Hannes
>>> James:
>>>
>>> I believe it’s handled in connman with these APIs:
>>>
>>>       https://git.kernel.org/pub/scm/network/connman/connman.git/tree/src/ipconfig.c#n528
>>>
>>> with the Linux kernel “use_tempaddr” sysctl setting. I assume iwd would have to replicate this infrastructure, or pull it into ELL and share it that way.
>> Hmm, if this is all that's required then shouldn't this already work if
>> Hannes is setting "use_tempaddr" externally to IWD? Of course having this
>> within an IWD profile setting would be nice, but I think there must be more
>> to it than this, right?
> Is there any news about this feature request?

I was still not sure exactly what needs to be done. If the sysctl 
setting is all that's needed, this is an easy feature, but you had said
setting that manually still doesn't enable the privacy extensions? Is 
the issue maybe that IWD removes the wlan0 interface on startup? So 
setting that sysctl setting manually, then starting IWD, is clearing it?

Is use_tempaddr still set as expected after IWD start?

Thanks,

James

>
> Best regards
>
> Hannes


* Re: IPv6 Privacy Extension support?
  2024-08-05 12:44           ` James Prestwood
@ 2024-08-06 17:38             ` Hannes von Haugwitz
  2024-08-09 17:54             ` Hannes von Haugwitz
  1 sibling, 0 replies; 9+ messages in thread
From: Hannes von Haugwitz @ 2024-08-06 17:38 UTC (permalink / raw)
  To: James Prestwood; +Cc: Grant Erickson, iwd

On Mon, Aug 05, 2024 at 05:44:39AM -0700, James Prestwood wrote:
> I was still not sure exactly what needs to be done. If the sysctl setting is
> all that's needed, this is an easy feature, but you had said setting that
> manually still doesn't enable the privacy extensions? Is the issue maybe
> that IWD removes the wlan0 interface on startup? So setting that sysctl
> setting manually, then starting IWD, is clearing it?
> 
> Is use_tempaddr still set as expected after IWD start?

I set the following kernel parameters via sysctl.d/60-ipv6_privacy.conf:

net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

After restarting IWD use_tempaddr for wlan0 is set as expected:

# sysctl net.ipv6.conf.wlan0.use_tempaddr
net.ipv6.conf.wlan0.use_tempaddr = 2

Best regards

Hannes


* Re: IPv6 Privacy Extension support?
  2024-08-05 12:44           ` James Prestwood
  2024-08-06 17:38             ` Hannes von Haugwitz
@ 2024-08-09 17:54             ` Hannes von Haugwitz
  1 sibling, 0 replies; 9+ messages in thread
From: Hannes von Haugwitz @ 2024-08-09 17:54 UTC (permalink / raw)
  To: James Prestwood; +Cc: Grant Erickson, iwd

Hi James,

On Mon, Aug 05, 2024 at 05:44:39AM -0700, James Prestwood wrote:
> I was still not sure exactly what needs to be done. If the sysctl setting is
> all that's needed, this is an easy feature, but you had said setting that
> manually still doesn't enable the privacy extensions? Is the issue maybe
> that IWD removes the wlan0 interface on startup? So setting that sysctl
> setting manually, then starting IWD, is clearing it?

I've looked a bit deeper into the source code. It looks like iwd uses
the ell library for network configuration and ell seems to hard code the
EUI-64-based Interface Identifier for the IPv6 address[ell/netconfig.c].

Best regards

Hannes

[ell/netconfig.c] https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/netconfig.c?id=4acbb92c0513644900078c348d972ef5e48fdc4c#n760
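Added example (not part of the thread, and not code from iwd or ell): the modified EUI-64 mapping of RFC 4291, Appendix A, which the messages above describe as embedding the MAC address in the IPv6 address, together with a check for whether a given address exposes an interface's MAC. The function names, the MAC and both addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modified EUI-64 interface identifier (RFC 4291, Appendix A):
 * split the MAC, insert ff:fe, flip the universal/local bit. */
void eui64_iid_from_mac(const uint8_t mac[6], uint8_t iid[8])
{
	memcpy(iid, mac, 3);
	iid[0] ^= 0x02;
	iid[3] = 0xff;
	iid[4] = 0xfe;
	memcpy(iid + 5, mac + 3, 3);
}

/* If the low 64 bits carry the ff:fe marker, undo the mapping and return the
 * embedded MAC. Heuristic: a random identifier can contain ff:fe by chance. */
bool mac_from_ipv6(const char *text, uint8_t mac[6])
{
	struct in6_addr a;
	if (inet_pton(AF_INET6, text, &a) != 1)
		return false;
	if (a.s6_addr[11] != 0xff || a.s6_addr[12] != 0xfe)
		return false;
	memcpy(mac, a.s6_addr + 8, 3);
	mac[0] ^= 0x02;
	memcpy(mac + 3, a.s6_addr + 13, 3);
	return true;
}

/* True when the address exposes exactly this interface's MAC. */
bool addr_leaks_mac(const char *text, const uint8_t mac[6])
{
	uint8_t found[6];
	return mac_from_ipv6(text, found) && memcmp(found, mac, 6) == 0;
}

int main(void)
{
	/* Constructed samples: documentation MAC and documentation prefix. */
	const uint8_t mac[6] = { 0x00, 0x00, 0x5e, 0x00, 0x53, 0x01 };
	const char *addrs[] = { "2001:db8::200:5eff:fe00:5301",
				"2001:db8::3c1a:9b7e:42d0:8f15" };
	for (int i = 0; i < 2; i++)
		printf("%s leaks MAC: %d\n", addrs[i], addr_leaks_mac(addrs[i], mac));
	return 0;
}
```

The first sample address is the EUI-64 form of the sample MAC and is reported as leaking it; the second has a random-looking identifier, as a temporary address would, and is not.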

