Provide explanation on the disabling of IPv6 Privacy Extensions

2024-10-01 08:25:45 -04:00 · 2024-07-17 21:44:44 +10:00 · 2024-07-17 21:44:44 +10:00 · 39fd125eb0
commit 39fd125eb0
parent 693b47e623
4 changed files with 41 additions and 0 deletions
--- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
+++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
@ -1,2 +1,10 @@
+## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+##
+## https://datatracker.ietf.org/doc/html/rfc4941
+## https://github.com/Kicksecure/security-misc/pull/145
+## https://github.com/Kicksecure/security-misc/issues/184
+##
+## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+
 #[connection]
 #ipv6.ip6-privacy=2
--- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
+++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
@ -1,3 +1,11 @@
+## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+##
+## https://datatracker.ietf.org/doc/html/rfc4941
+## https://github.com/Kicksecure/security-misc/pull/145
+## https://github.com/Kicksecure/security-misc/issues/184
+##
+## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+
 #[device-mac-randomization]
 #wifi.scan-rand-mac-address=yes

--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -337,3 +337,20 @@ net.ipv4.tcp_timestamps=0
 ##
 #net.ipv4.conf.all.log_martians=1
 #net.ipv4.conf.default.log_martians=1
+
+## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses.
+## The temporary/privacy address is used as the source of all outgoing traffic.
+## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. 
+## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf.
+## Should be used with MAC randomisation in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf.
+## 
+## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+##
+## https://datatracker.ietf.org/doc/html/rfc4941
+## https://github.com/Kicksecure/security-misc/pull/145
+## https://github.com/Kicksecure/security-misc/issues/184
+##
+## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+##
+#net.ipv6.conf.all.use_tempaddr=2
+#net.ipv6.conf.default.use_tempaddr=2
--- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
+++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
@ -1,2 +1,10 @@
+## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+##
+## https://datatracker.ietf.org/doc/html/rfc4941
+## https://github.com/Kicksecure/security-misc/pull/145
+## https://github.com/Kicksecure/security-misc/issues/184
+##
+## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+
 #[Network]
 #IPv6PrivacyExtensions=kernel