IPv6 Privacy Extensions aren't enabled

Mikaela · 8 September 2021 12:37

REPRODUCIBILITY: always?
BUILD ID = OS VERSION (Settings > About product): 4.2.0.19 (Verla)
HARDWARE (XA2, X10, X10 II, …): X10 II
UI LANGUAGE: Finnish
REGRESSION: (compared to previous public release: Yes, No, ?): No (unknown)

DESCRIPTION:

When a dualstack network is used, IPv6 privacy extensions aren’t enabled so the device MAC address is revealed to all IPv6-capable services making cross-network tracking trivial.

PRECONDITIONS:

Dualstack network is used.

STEPS TO REPRODUCE:

Connect to a IPv6-capable WiFi
Navigate to https://ipv6-test.com/ and observe SLAAC: yes and see the device MAC address.
Check Settings → About to confirm that it indeed is the WiFi MAC address.

EXPECTED RESULT:

https://ipv6-test.com/ says SLAAC No and doesn’t show the MAC address which is the behaviour on any modern operating system (including Android or iOS).

ACTUAL RESULT:

SLAAC: Yes and MAC address is shown making cross-network tracking trivial.

ADDITIONAL INFORMATION:

Screenshots/photos available upon request, I don’t consider it necessary for this problem.

Mikaela · 8 September 2021 14:45

I see that there is /etc/sysctl.d/ipv6-settings.conf which contains

# Enable IPv6 tempaddress and prefer it
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2

# Disable icmp redirects
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

which should resolve this issue or prevent it from appearing, but it doesn’t seem to have an effect

I tried to fix it by /etc/sysctl.d/99-privacyextensions.conf containing:

net.ipv6.conf.rmnet_ipa0.use_tempaddr=2
net.ipv6.conf.wlan0.use_tempaddr=2

but didn’t have any luck either. I guess this issue comes from Connman as manually loading the file with sysctl -p /etc/sysctl.d/99-privacyextensions.conf didn’t help either.

supremesyntax · 14 October 2021 10:03

You are right to say this should be enabled by default.

To change it per connection:

# pkcon install connman-tools
# connmanctl services
remember/copy the config id you want to change (the long string after the SSID beginning with wifi_*)
# connmanctl config wifi_* --ipv6 auto preferred

check the config file (should be in $HOME/.local/share/system/privileged/connman/wifi_*/settings)
use vi or install nano or simply cat to stdout

There should be a setting now called

IPv6.privacy=prefered

don’t mind the misspelling of prefered

additional info: connman-service.config.5.in

Do not edit the config file itself! The changes will be reset on the next shutdown/reboot !! If you want to change the settings you would have to stop the connman systemd service first and start again after the changes.

Minman · 9 November 2024 20:55

This issue does still exist in version 4.6.0.15. The ipv6 address leaks the mac address of the phone. The workaround of @supremesyntax works, but having this privacy issue fixed would be nice.