[Bug 752842] New: privacy extensions IPv6 are enabled since 12.1 and on
https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c0

Summary: privacy extensions IPv6 are enabled since 12.1 and on
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: roeland@linux-it.nl
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2

At least since 12.1 and 12.2M2, the IPv6 privacy extensions are enabled leading to a daily changing IPv6 address.

Now, I have *selected* static IP addresses, which obviously is incompatible with privacy extensions.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Expected Results:
I would expect it to be off. If people want to have it on, then have them select it. Administratively it's a pain if the extensions are on.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c1

kk zhang <kkzhang@novell.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |kkzhang@novell.com
AssignedTo |bnc-team-screening@forge.provo.novell.com |bili@suse.com

--- Comment #1 from kk zhang <kkzhang@novell.com> 2012-03-21 03:29:14 UTC ---

Bili, could you please look at this? I am not sure whether it is right to assign it to you. Feel free to reassign it. Thank you.

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c2

Li Bin <bili@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |NEW |NEEDINFO
InfoProvider | |roeland@linux-it.nl

--- Comment #2 from Li Bin <bili@suse.com> 2012-03-23 09:01:22 UTC ---

roeland,

Sorry, I am still a little confused by your issue. What's your real issue? And how to reproduce it? Thanks!

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c3

roeland jansen <roeland@linux-it.nl> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |NEEDINFO |NEW
InfoProvider |roeland@linux-it.nl |

--- Comment #3 from roeland jansen <roeland@linux-it.nl> 2012-03-23 10:27:43 UTC ---

the IPv6 address is changing every approx 24 hours.

reproduce: just install oS11.4/12.1

/etc/sysctl.conf should have a line like:

    # NO RANDOM "PRIVACY" GENERATION OF ADDRESSES
    net.ipv6.conf.default.use_tempaddr = 0

(instead of having to switch off this undesired generation by hand).

e.g. the default should be -- do not generate random privacy addresses, unless specified in the yast systemconfig editor.

(what happens is that the IP address changes every day so you cannot reliably connect to such a system over IPv6. That doesn't make sense)

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c4

Li Bin <bili@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |NEW |ASSIGNED

--- Comment #4 from Li Bin <bili@suse.com> 2012-03-31 09:12:19 UTC ---

(In reply to comment #3)
> the IPv6 address is changing every approx 24 hours.
> reproduce: just install oS11.4/12.1
> /etc/sysctl.conf should have a line like:
> # NO RANDOM "PRIVACY" GENERATION OF ADDRESSES
> net.ipv6.conf.default.use_tempaddr = 0
> (instead of having to switch off this undesired generation by hand).
> e.g. the default should be -- do not generate random privacy addresses, unless specified in the yast systemconfig editor.
> (what happens is that the IP address changes every day so you cannot reliably connect to such a system over IPv6. That doesn't make sense)

Understood now, I don't have an IPv6 for testing. I just viewed my sysctl.conf file and can't find the use_tempaddr; did you add it? What's the result of removing this line? Thanks!

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c

Li Bin <bili@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |ASSIGNED |NEEDINFO
InfoProvider | |roeland@linux-it.nl

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c5

--- Comment #5 from roeland jansen <roeland@linux-it.nl> 2012-03-31 10:00:57 UTC ---

if you remove that line, your static IPv6 address will not be static but change every (approximately) 24 hours.

This effectively means that ifconfig will show after a week at least 7 IPv6 addresses and only the last one can be used to access your system.

E.g. you define a static IPv4 address but IPv6 changes all the time. Makes administration impossible as the address is not available anymore.

The line added to the sysctl file prevents the use of dynamic addresses -- e.g. stops the privacy extensions of IPv6.

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c6

roeland jansen <roeland@linux-it.nl> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |NEEDINFO |ASSIGNED
InfoProvider |roeland@linux-it.nl |

--- Comment #6 from roeland jansen <roeland@linux-it.nl> 2012-03-31 10:01:42 UTC ---

so your question: remove the line and after 24 hours or so I cannot use ssh over IPv6 as the address has changed....

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c7

Li Bin <bili@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |ASSIGNED |NEW
AssignedTo |bili@suse.com |mt@suse.com

--- Comment #7 from Li Bin <bili@suse.com> 2012-03-31 10:44:48 UTC ---

roeland,

I understand your issue now. I think Marius may know more about this.

Marius,

Do we support static IPv6 in network? thanks!

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c8

--- Comment #8 from roeland jansen <roeland@linux-it.nl> 2012-03-31 12:27:42 UTC ---

I can answer that one.

In versions before 12.1, the privacy extensions were disabled by default. You can switch them on if you like.

However as of 12.1 and 12.2 they are enabled by default. That's IMHO undesirable.

e.g. the default should be disabled.

Roeland

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c9

Marius Tomaschewski <mt@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |NEW |RESOLVED
CC | |lnussel@suse.com
Resolution | |INVALID

--- Comment #9 from Marius Tomaschewski <mt@suse.com> 2012-04-02 12:58:26 UTC ---

(In reply to comment #7)
> Marius,
> Do we support static IPv6 in network? thanks!

Yes, just configure it.

(In reply to comment #8)
> In versions before 12.1, the privacy extensions were disabled by default. You can switch them on if you like.
> However as of 12.1 and 12.2 they are enabled by default. That's IMHO undesirable.

Yes, in your opinion :-) Sorry, this is an intended change:

    * Di Mai 17 2011 lnussel@suse.de
    - load sysctls earlier (bnc#664550)
    - move distro defaults to /lib/sysctl.d to avoid .rpmnew files
    - enable IPv6 privacy by default (bnc#678066)

When you don't like it, disable it or set it to 1:

    Preference for Privacy Extensions (RFC3041).
      <= 0 : disable Privacy Extensions
      == 1 : enable Privacy Extensions, but prefer public
             addresses over temporary addresses.
      >  1 : enable Privacy Extensions and prefer temporary
             addresses over public addresses.

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c10

roeland jansen <roeland@linux-it.nl> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |RESOLVED |REOPENED
Resolution |INVALID |

--- Comment #10 from roeland jansen <roeland@linux-it.nl> 2012-04-02 17:12:33 UTC ---

it would have made sense for portable devices and only when dhcp is used.

as with bnc678066 I fully agree with the part Freek said:

"in my view Privacy Extension should only be the default for traveling systems. When Privacy Extensions are not enabled, systems that are static in a network always get the same address (i.e. the host part), derived from the MAC address. This makes it possible, in a small network, to use these addresses to communicate with each other, without the need for a DHCP6 and/or DNS server. With Privacy Extension always enabled, the IPv6 address changes at least each 24 hours, which makes it difficult to communicate without additional services that keep track of these changing addresses."

What if we did it this way "best of both worlds":

1) if dhcp is used, we assume a portable system and have privacy extensions enabled by default via a click box next to the IPv4 DHCP selection.

2) if static addresses are used we assume that this is deliberate so disable the privacy extensions by default via a click box next to the IPv4 IP address

It's a complete pain in the ass if we want to have IPv6 deployed on a large scale. besides, it doesn't make much sense.

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c11

--- Comment #11 from Ludwig Nussel <lnussel@suse.com> 2012-04-03 10:06:44 CEST ---

The temporary address is used *in addition* to the one based on the mac address. The systems are still reachable via the mac based address but will use the temporary address for outgoing connections.

If you are running a server with manually configured static v6 addresses you may of course also alter /etc/sysctl.conf and turn off temp addresses. That's what the config file is for :-)

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c12

Marius Tomaschewski <mt@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |aj@suse.com

--- Comment #12 from Marius Tomaschewski <mt@suse.com> 2012-04-03 08:40:29 UTC ---

(In reply to comment #10)
> 1) if dhcp is used, we assume a portable system and have privacy extensions enabled by default via a box click box next to the IPv4 DHCP selection.

If dhcp is used you are on a managed network and this setting isn't used at all, when the router does not permit autoconf in its RA, e.g.:

    AdvManagedFlag on;       # enables DHCPv6
    AdvOtherConfigFlag on;   # other config also DHCPv6
    prefix 2001:DB8:ABBA:BEBE::/64 {
        AdvAutonomous off;   # disallows clients to assign
                             # IPv6 addresses by themselves
    };

On the dhcp6 server, you can simply enable to use privacy extensions (ISC dhcp /dhcpd6.conf):

    subnet6 2001:DB8:ABBA:BEBE::/64 {
        ...
        # (i.e., direct application of RFC 4941)
        range6 2001:DB8:ABBA:BEBE::/64 temporary;
        ...
        # ...
        ddns-updates on;
        ...
    }

and even update the dns records automatically using the temp addr.

Basically, enabling privacy extensions without using them does not make much sense. And yes, it is about (mobile) client systems. Without this setting, they would use their MAC address based IPv6 address by default.

On systems which provide services, you have to actively configure the services anyway and you can either change the setting or also configure the service to use a specific address (static or mac based when you like).

What could be done is that pattern trigger to install rpm which provides them, that is:

    pattern laptop installs sysctl-enable-tempaddr.rpm
    pattern desktop installs sysctl-enable-tempaddr.rpm
    pattern server installs sysctl-disable-tempaddr.rpm

or something like this... This would be IMO an improvement.

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c13

--- Comment #13 from Marius Tomaschewski <mt@suse.com> 2012-04-03 08:41:40 UTC ---

(In reply to comment #12)
> What could be done is that pattern trigger to install rpm which provides them, that is:
> pattern laptop installs sysctl-enable-tempaddr.rpm
> pattern desktop installs sysctl-enable-tempaddr.rpm
> pattern server installs sysctl-disable-tempaddr.rpm
> or something like this... This would be IMO an improvement.

But a lot of effort to maintain for one single byte... :-)

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c14

Marius Tomaschewski <mt@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |REOPENED |NEEDINFO
Version |Final |Factory
InfoProvider | |mvidner@suse.com
Component |Network |Network
CC | |mvidner@suse.com
Target Milestone |--- |Factory
Product |openSUSE 12.1 |openSUSE 12.2
Severity |Normal |Enhancement

--- Comment #14 from Marius Tomaschewski <mt@suse.com> 2012-04-03 08:51:19 UTC ---

OK, it is not a bug, so I've changed it to enhancement request for 12.1:

Martin, can we add a "button" to the yast2 network proposal to disable/enable privacy extensions additionally to the enable/disable IPv6 ? :

    [X] Enable IPv6 [enabled by default]
    [X] Enable IPv6 Privacy Extensions (RFC 4941) [enabled by default]

The net.ipv6.conf.default.use_tempaddr sysctl has 3 settings (disable/public/privacy):

    Preference for Privacy Extensions (RFC3041).
      <= 0 : disable Privacy Extensions
      == 1 : enable Privacy Extensions, but prefer public
             addresses over temporary addresses.
      >  1 : enable Privacy Extensions and prefer temporary
             addresses over public addresses.

Do you need a feature request for this?

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c15

Marius Tomaschewski <mt@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status |NEEDINFO |NEW
InfoProvider |mvidner@suse.com |
AssignedTo |mt@suse.com |mvidner@suse.com

--- Comment #15 from Marius Tomaschewski <mt@suse.com> 2012-04-03 08:52:18 UTC ---

Hmm... I just reassign to you.

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c

Marius Tomaschewski <mt@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |mt@suse.com
Summary |privacy extensions IPv6 are enabled since 12.1 and on |privacy extensions IPv6 are enabled since 12.1 and on - make it configurable in network proposal

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c16

--- Comment #16 from Marius Tomaschewski <mt@suse.com> 2012-04-03 08:58:21 UTC ---

Ahm... there are 3 settings, but I think we can reduce it to a checkbox with enable==3 and disable==9.

The setting 1 (enable, but don't use) is IMO some kind of special case.

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c17

--- Comment #17 from Marius Tomaschewski <mt@suse.com> 2012-04-03 08:59:32 UTC ---

> with enable==3 and disable==9.

Huh? Again:

Ahm... there are 3 settings, but I think we can reduce it to a checkbox with enable==2 and disable==0.

The setting 1 (enable, but don't use) is IMO some kind of special case.

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c18

Christian Boltz <suse-beta@cboltz.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |suse-beta@cboltz.de

--- Comment #18 from Christian Boltz <suse-beta@cboltz.de> 2012-04-03 18:06:20 CEST ---

(In reply to comment #17)
> > with enable==3 and disable==9.
> Huh? Again:
> Ahm... there are 3 settings, but I think we can reduce it to a checkbox with enable==2 and disable==0.
> The setting 1 (enable, but don't use) is IMO some kind of special case.

Now imagine someone wrote the "special case" setting 1 in the configfile manually and then opens YaST - how will you/YaST display the checkbox state? ;-)

(Maybe a dropdown with "yes/no/maybe ;-)" would be the better choice?)

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c19

--- Comment #19 from roeland jansen <roeland@linux-it.nl> 2012-04-03 19:31:41 UTC ---

guys just wanted to say that the proposed enhancement sounds very sweet and thanks already!

Roeland

https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c20

--- Comment #20 from Marius Tomaschewski <mt@suse.com> 2012-04-04 08:15:12 UTC ---

(In reply to comment #18)
> (In reply to comment #17)
> > Ahm... there are 3 settings, but I think we can reduce it to a checkbox with enable==2 and disable==0.
> > The setting 1 (enable, but don't use) is IMO some kind of special case.
> Now imagine someone wrote the "special case" setting 1 in the configfile manually and then opens YaST - how will you/YaST display the checkbox state? ;-)

Grayed out? ;-)

> (Maybe a dropdown with "yes/no/maybe ;-)" would be the better choice?)

Yes, sure... Of course it is always better to implement it completely using a combo or (some 3 states checkbox when available) with 3 states: "disable privacy/enable but prefer public/enable and prefer private"

I just have had the yast2 "html" proposal page in my head and there are usually links to disable/enable code only...

(In reply to comment #19)
> guys just wanted to say that the proposed enhancement sounds very sweet and thanks already!
> Roeland

OK, even if we would not like to deliver what you originally requested, it makes me happy that we found a way to satisfy you!

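The three-way meaning of use_tempaddr quoted in comments #9 and #14, and the checkbox question raised in comments #18 and #20, as an added example that is not part of the bug thread or of YaST: a small shell parser that reports which of the three states each assignment in sysctl.conf-style text selects. The function names, the state labels and the sample file are constructed for illustration, and interface names are assumed to contain no dots.

```sh
#!/bin/sh
# Added example: interpret use_tempaddr assignments in sysctl.conf-style text.

# Map one use_tempaddr value to the three states quoted in the thread.
classify_tempaddr() {
    case "$1" in
        ''|-|*[!0-9-]*|*?-*) echo invalid; return 1 ;;   # not an integer
    esac
    if [ "$1" -le 0 ]; then
        echo disabled            # <= 0: Privacy Extensions off
    elif [ "$1" -eq 1 ]; then
        echo prefer-public       # == 1: on, but public addresses preferred
    else
        echo prefer-temporary    # > 1: on, temporary addresses preferred
    fi
}

# Read sysctl.conf-style text on stdin and print "key value" for every
# net.ipv6.conf.<iface>.use_tempaddr key, keeping only its last assignment.
tempaddr_settings() {
    awk -F= '
        /^[ \t]*[#;]/ { next }           # comment line
        /^[ \t]*$/    { next }           # blank line
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub(/\//, ".", key)         # accept the net/ipv6/... spelling too
            if (key ~ /^net\.ipv6\.conf\.[^.]+\.use_tempaddr$/) {
                if (!(key in last)) order[++n] = key
                last[key] = val
            }
        }
        END { for (i = 1; i <= n; i++) print order[i], last[order[i]] }
    '
}

# One line per key: "key=value state". A two-state checkbox can show
# "disabled" and "prefer-temporary" but has no honest rendering for
# "prefer-public", which is the case comment #18 asks about.
report_tempaddr() {
    tempaddr_settings | while read -r key val; do
        printf '%s=%s %s\n' "$key" "$val" "$(classify_tempaddr "$val")"
    done
}

# Constructed sample input, not taken from a real system.
sample_conf() {
    cat <<'EOF'
# distro default
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr=2
# admin override later in the same file wins
net.ipv6.conf.default.use_tempaddr = 0
net/ipv6/conf/eth0/use_tempaddr = 1
net.ipv6.conf.eth1.use_tempaddr = -1
net.ipv4.ip_forward = 1
EOF
}

sample_conf | report_tempaddr
```

To check a real file, feed it on stdin, for example `report_tempaddr < /etc/sysctl.conf`.
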
https://bugzilla.novell.com/show_bug.cgi?id=752842
https://bugzilla.novell.com/show_bug.cgi?id=752842#c21

Martin Vidner <mvidner@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
AssignedTo |mvidner@suse.com |mfilka@suse.com

--- Comment #21 from Martin Vidner <mvidner@suse.com> 2012-08-15 14:46:58 CEST ---

Some openSUSE bugs for the new maintainer of yast2-network.

http://bugzilla.novell.com/show_bug.cgi?id=752842
http://bugzilla.novell.com/show_bug.cgi?id=752842#c22

Jiri Bohac <jbohac@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC | |jbohac@suse.com

--- Comment #22 from Jiri Bohac <jbohac@suse.com> ---

Privacy extensions should default to OFF.

Quoting RFC 4941, section 3.6. Deployment Considerations:

    The use of temporary addresses may cause unexpected difficulties with some applications. As described below, some servers refuse to accept communications from clients for which they cannot map the IP address into a DNS name. In addition, some applications may not behave robustly if temporary addresses are used and an address expires before the application has terminated, or if it opens multiple sessions, but expects them to all use the same addresses. Consequently, the use of temporary addresses SHOULD be disabled by default in order to minimize potential disruptions. Individual applications, which have specific knowledge about the normal duration of connections, MAY override this as appropriate.

http://bugzilla.novell.com/show_bug.cgi?id=752842
http://bugzilla.novell.com/show_bug.cgi?id=752842#c23

Jiri Bohac <jbohac@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Depends on | |988023

--- Comment #23 from Jiri Bohac <jbohac@suse.com> ---

(In reply to Jiri Bohac from comment #22)
> Privacy extensions should default to OFF.

I opened bsc#988023 to have the default changed.