- IPv6 addresses come up with RFC7217 privacy mode enabled. As such, the local radvd does not tag the machine with a “known” address. Remediation: turn off IPV6_ADDR_GEN_MODE=eui64 in the relevant
Fedora Live Workstation…
- … does not enable sshd. The firewall is configured to allow it, but the service is not enabled or started after the build.
- … builds to graphical.target. To back down to the non-graphical mode, run systemctl set-default multi-user.target. See the guidance in the (legacy)
- … uses firewalld to manage the iptables. If you need to install a custom iptables setup, e.g. with xt_geoip rules, then you need

    sudo dnf install -y xtables-addons

See the separate recipe for bringing down firewalld and bringing up the separable iptables services
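
    # Check the current default target, then switch to the non-graphical one
    systemctl get-default
    sudo systemctl set-default multi-user.target

    # Enable sshd at boot and start it now
    sudo systemctl enable sshd
    sudo systemctl start sshd

    # Re-read the connection profiles, switch the interface to EUI-64
    # address generation, then bounce the connection to apply it
    nmcli con reload
    nmcli con modify enp1s0 ipv6.addr-gen-mode eui64
    nmcli con down enp1s0
    nmcli con up enp1s0
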
    $ cat /etc/sysconfig/network-scripts/ifcfg-enp1s0
    HWADDR=00:EC:AC:CD:E6:12
    TYPE=Ethernet
    BOOTPROTO=dhcp
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    #IPV6_ADDR_GEN_MODE=stable-privacy
    NAME=enp1s0
    UUID=6c463f92-11d2-30ba-8273-d86bb3c58859
    ONBOOT=yes
    AUTOCONNECT_PRIORITY=-999
    PEERDNS=yes
    PEERROUTES=yes
    IPV6_PEERDNS=yes
    IPV6_PEERROUTES=yes

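Added example, not part of the original page: a Python sketch that predicts the "known" address the interface takes in eui64 mode from the HWADDR shown above, and contrasts it with an RFC 7217 style identifier that changes per prefix. The 2001:db8 documentation prefixes, the secret key, and the SHA-256 field encoding are assumptions for illustration; this is not NetworkManager's own stable-privacy derivation.

```python
import hashlib
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A)."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:11:22:33:44:55")
    # Flip the universal/local bit, then insert ff:fe between OUI and NIC part.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def rfc7217_iid(prefix: str, iface: str, dad_counter: int, secret: bytes) -> int:
    """RFC 7217 style RID = F(Prefix, Net_Iface, DAD_Counter, secret_key).

    Assumption: F is SHA-256 over length-prefixed fields; the optional
    Network_ID input is left out. Not NetworkManager's own derivation.
    """
    net = ipaddress.IPv6Network(prefix)
    fields = (net.network_address.packed[:8], iface.encode(),
              dad_counter.to_bytes(1, "big"), secret)
    digest = hashlib.sha256(
        b"".join(len(f).to_bytes(2, "big") + f for f in fields)).digest()
    # The interface identifier is the least significant 64 bits of the RID.
    return int.from_bytes(digest[-8:], "big")

def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers assume a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

if __name__ == "__main__":
    mac = "00:EC:AC:CD:E6:12"            # HWADDR from the ifcfg file on this page
    secret = b"constructed-demo-secret"  # constructed; real hosts keep a random key
    for prefix in ("fe80::/64", "2001:db8:1:2::/64", "2001:db8:9:9::/64"):
        print(prefix)
        print("  eui64         ", slaac_address(prefix, eui64_iid(mac)))
        print("  stable-privacy",
              slaac_address(prefix, rfc7217_iid(prefix, "enp1s0", 0, secret)))
```

The eui64 lines carry the same MAC-derived suffix on every prefix, which is what makes the host predictable to local tooling and also trackable across networks; the stable-privacy suffix differs per prefix.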
- RFC 7217
- A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)
F. Gont (SI6 Networks & UTN-FRH); IETF; 2014-04.
Abstract: This document specifies a method for generating IPv6 Interface Identifiers to be used with IPv6 Stateless Address Autoconfiguration (SLAAC), such that an IPv6 address configured using this method is stable within each subnet, but the corresponding Interface Identifier changes when the host moves from one network to another. This method is meant to be an alternative to generating Interface Identifiers based on hardware addresses (e.g., IEEE LAN Media Access Control (MAC) addresses), such that the benefits of stable addresses can be achieved without sacrificing the security and privacy of users. The method specified in this document applies to all prefixes a host may be employing, including link-local, global, and unique-local prefixes (and their corresponding addresses).
- RFC 4941
- Privacy Extensions for Stateless Address Autoconfiguration in IPv6
Narten (IBM), Draves (Microsoft), Krishnan (Ericsson); IETF; 2007-09.
Abstract: Nodes use IPv6 stateless address autoconfiguration to generate addresses using a combination of locally available information and information advertised by routers. Addresses are formed by combining network prefixes with an interface identifier. On an interface that contains an embedded IEEE Identifier, the interface identifier is typically derived from it. On other interface types, the interface identifier is generated through other means, for example, via random number generation. This document describes an extension to IPv6 stateless address autoconfiguration for interfaces whose interface identifier is derived from an IEEE identifier. Use of the extension causes nodes to generate global scope addresses from interface identifiers that change over time, even in cases where the interface contains an embedded IEEE identifier. Changing the interface identifier (and the global scope addresses generated from it) over time makes it more difficult for eavesdroppers and other information collectors to identify when different addresses used in different transactions actually correspond to the same node.