rkoe
May 15, 2018, 5:59pm
1
Hi,
I noticed that the IPv6-privacy-extensions are off by default (!) in NixOS, and that the documentation is wrong:
Privacy-by-default:
I strongly suggest that IPv6-privacy-extensions should be turned on by default in NixOS.
Until this is fixed, I suggest that everybody who cares about privacy should turn it on manually:
1. /etc/configuration.nix: add networking.interfaces.wlp1s0.preferTempAddress = true; (replace wlp1s0 with the name of your network-device)
2. nixos-rebuild switch
3. restart network (e.g. ifconfig wlp1s0 down; ifconfig wlp1s1 down) or reboot
4. check ip -6 addr show; there should now be an IPv6-address with the tag “temporary”
IPv6-privacy-extensions for all devices:
Is there a way to set preferTempAddress = true for all devices?
Documentation:
NixOS options documentation says:
networking.interfaces.<name?>.preferTempAddress:
Default value: config.networking.enableIPv6
networking.enableIPv6:
Default value: true
So, this would mean that the default value of networking.interfaces.<name?>.preferTempAddress is true, but that’s obviously not the case.
(I think the documentation should not be changed, but the behaviour should match the documentation.)
What network manager are you using? I think that the NetworkManager is already doing the right thing by default:
$ ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2a01:4b00:8636:e900:b193:a32e:be6a:58a9/64 scope global temporary dynamic
valid_lft 70422sec preferred_lft 56022sec
inet6 2a01:4b00:8636:e900:6e6f:5a65:946a:88de/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 70422sec preferred_lft 56022sec
inet6 fd00::b193:a32e:be6a:58a9/64 scope global temporary dynamic
valid_lft 604158sec preferred_lft 85378sec
inet6 fd00::5c79:3ea0:f53f:2102/64 scope global mngtmpaddr noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::de11:e64f:af2a:6018/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: zt0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 state UNKNOWN qlen 1000
inet6 fd56:5799:d8f6:567e:ae99:93b2:9ec:32a5/88 scope global
valid_lft forever preferred_lft forever
inet6 fe80::accc:5fff:fe1a:ea3c/64 scope link
valid_lft forever preferred_lft forever
5: zt1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 state UNKNOWN qlen 1000
inet6 fc63:78b8:1bb2:9ec:32a5::1/40 scope global
valid_lft forever preferred_lft forever
inet6 fe80::440:ddff:fe9d:2cef/64 scope link
valid_lft forever preferred_lft forever
rkoe
May 15, 2018, 7:59pm
3
No network manager, just plain NixOS:
networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# for networks: see /etc/wpa_supplicant.conf
By default, I only get a non-temporary IP:
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2001:16b8:2bc0:eb00:aaaa:aaaa:aaaa:aaaa/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 7133sec preferred_lft 3533sec
inet6 fe80::aaaa:aaaa:aaaa:aaaa/64 scope link
valid_lft forever preferred_lft forever
After setting networking.interfaces.wlp1s0.preferTempAddress = true;
(and nixos-rebuild switch and restarting wlp1s0), I get:
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2001:16b8:2bc0:eb00:tttt:tttt:tttt:tttt/64 scope global temporary dynamic
valid_lft 6809sec preferred_lft 3209sec
inet6 2001:16b8:2bc0:eb00:aaaa:aaaa:aaaa:aaaa/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 6809sec preferred_lft 3209sec
inet6 fe80::aaaa:aaaa:aaaa:aaaa/64 scope link
valid_lft forever preferred_lft forever
(aaaa:aaaa:aaaa:aaaa is a placeholder for the part derived from the MAC-address; tttt:tttt:tttt:tttt stands for the random/temporary address)
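A check for the state compared in the posts above, as an added example that is not part of any post in this thread: it reads `ip -6 addr show` output and lists every interface that has a dynamic global IPv6 address but no address tagged "temporary". The function names and the sample output (documentation prefix 2001:db8::/32) are constructed for illustration.

```shell
#!/bin/sh
# Constructed `ip -6 addr show` output (documentation prefix 2001:db8::/32).
# "$1" = after appends the temporary address expected once
# preferTempAddress = true is in effect on wlp1s0.
sample() {
    cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host
2: zt0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 state UNKNOWN qlen 1000
    inet6 fd00:db8::1/88 scope global
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:0:1:a8bb:ccff:fedd:eeff/64 scope global dynamic mngtmpaddr noprefixroute
    inet6 fe80::a8bb:ccff:fedd:eeff/64 scope link
EOF
    if [ "$1" = after ]; then
        echo "    inet6 2001:db8:0:1:3d5c:91e2:7b04:a6f1/64 scope global temporary dynamic"
    fi
}

# Reads `ip -6 addr show` text on stdin and prints, one per line, each
# interface that has a "scope global ... dynamic" address but no address
# flagged "temporary". Static global, link-local and host-scope addresses
# are ignored, so lo and zt0 in the sample are never reported.
ifaces_without_temp_addr() {
    awk '
        # Interface header, e.g. "3: wlp1s0: <BROADCAST,...> mtu 1500 ..."
        /^[0-9]+: / {
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            if (!(name in seen)) { seen[name] = 1; order[++n] = name }
            next
        }
        # Global-scope address line belonging to the current interface
        $1 == "inet6" && $0 ~ / scope global( |$)/ {
            if ($0 ~ / temporary( |$)/) temp[name] = 1
            else if ($0 ~ / dynamic( |$)/) slaac[name] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (slaac[order[i]] && !temp[order[i]]) print order[i]
        }
    '
}

echo "before: $(sample before | ifaces_without_temp_addr)"
echo "after:  $(sample after | ifaces_without_temp_addr)"
```

On a live system, pipe the real output into the function: `ip -6 addr show | ifaces_without_temp_addr`.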
vcunat
June 10, 2018, 7:39am
4
I don’t experience this. I get both addresses and the short one 64-bit-prefix::c7c is used as the default. (no wireless here, NixOS 18.03)