Network Manager and IPv6 Privacy

This is somewhat off topic, since LibreCMC does not use Network Manager. However, Network Manager is common on GNU/Linux desktops.

One question that can be asked about IPv6: If everybody uses public IP addresses, doesn’t that destroy privacy? One solution to this is the IPv6 Privacy Extensions. Basically, the Privacy Extensions allow your IPv6 host to generate random, temporary public IP addresses. So, a remote server will see your public IP address (in the packet’s source address) but it might not be the same one you were using an hour ago. That gives you at least the same level of privacy you had as a client hiding behind an IPv4 NAT.

That is a nice feature for browsing the Web. However, it is rather inconvenient for host-based firewall management. In my case, I have a remote firewall that only allows SSH access for one host, based on the packet’s source address. That means it will reject a connection that arrives from one of the random temporary addresses. One trick is to specify the source address in the ssh client command, so that it uses the permanent public address:

ssh -b 2001:470:b:449::2d3 evenstar.<snip>.com

But that is rather inconvenient. I suppose a bash alias would reduce the inconvenience somewhat.
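As an added example (not from the original post), the wrapper below picks the permanent address at run time instead of hard-coding it after -b. The function names stable_v6 and ssh_stable are hypothetical, the sample addresses are constructed from the 2001:db8::/32 documentation prefix, and it assumes the iproute2 ip command with its one-line -o output.

```shell
#!/bin/sh
# Added example, not from the original post.
# SAMPLE is constructed `ip -6 -o addr show scope global` output
# (2001:db8::/32 is the documentation prefix; addresses are made up).
SAMPLE='2: eth0    inet6 2001:db8:b:449:5c1e:9a7f:33d0:8e21/64 scope global temporary dynamic \       valid_lft 86018sec preferred_lft 14018sec
2: eth0    inet6 2001:db8:b:449:71aa:4be0:9c55:12f3/64 scope global temporary deprecated dynamic \       valid_lft 3018sec preferred_lft 0sec
2: eth0    inet6 fd12:3456:789a:1::2d3/64 scope global noprefixroute \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:b:449::2d3/64 scope global dynamic mngtmpaddr noprefixroute \       valid_lft 86018sec preferred_lft 14018sec'

# stable_v6: read `ip -6 -o addr` lines on stdin and print the first public
# (2000::/3) address that is not temporary (Privacy Extensions), deprecated,
# or not yet usable (tentative, dadfailed). Prints nothing if none qualifies.
# The 2000::/3 check skips unique local (fd00::/8) addresses, which are also
# "scope global" but would not match a remote firewall rule.
stable_v6() {
    awk '$3 == "inet6" && $4 ~ /^[23]/ {
        skip = 0
        for (i = 5; i <= NF; i++)
            if ($i ~ /^(temporary|deprecated|tentative|dadfailed)$/) skip = 1
        if (!skip) { sub(/\/.*/, "", $4); print $4; exit }
    }'
}

# ssh_stable (hypothetical helper name): bind ssh to the stable address,
# and refuse to connect rather than fall back to a temporary one.
ssh_stable() {
    src=$(ip -6 -o addr show scope global | stable_v6)
    if [ -z "$src" ]; then
        echo "ssh_stable: no stable global IPv6 address found" >&2
        return 1
    fi
    ssh -b "$src" "$@"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | stable_v6
```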

Alternatively, you can disable the Privacy Extensions, or at least de-prefer temporary addresses. I think the traditional way to do this was editing /etc/sysctl.conf, but it seems that those settings are overridden by Network Manager. In that case, you must use the nmcli program to edit your Network Manager profile settings. E.g.:

christopher@nightshade:~$ nmcli con edit Standard\ Wired

===| nmcli interactive connection editor |===

Editing existing '802-3-ethernet' connection: 'Standard Wired'

Type 'help' or '?' for available commands.
Type 'describe [<setting>.<prop>]' for detailed property description.

You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, dcb, ipv4, ipv6, proxy
nmcli> set ipv6.ip6-privacy 0
nmcli> save
Connection 'Standard Wired' (572cca57-4cae-4109-99c3-2a3282181043) successfully updated.
nmcli> quit

From the GNOME desktop, you can find out the name of the profile you are using by clicking the GNOME network manager icon. The command set ipv6.ip6-privacy 0 disables the temporary addresses. The command set ipv6.ip6-privacy 1 causes the temporary addresses still to be created, but not preferred (i.e., not used).
