
IPv6 privacy extensions are defined in RFC 4941. From that I understand that the temporary interface identifier is not only chosen anew when the temporary lifetimes expire, but also when the link changes. RFC 4941 says:

3.3. Generating Temporary Addresses

[...] 3. When a new public address is created as described in [ADDRCONF], the node SHOULD also create a new temporary address.

and

3.5. Regeneration of Randomized Interface Identifiers

[...] Finally, when an interface connects to a new link, a new randomized interface identifier SHOULD be generated immediately together with a new set of temporary addresses.

It says "should", but in essence "should" = "must" unless you have a good reason for not obeying.

Now, playing with the THC IPv6 Toolkit, and in particular with fake_router26, I would expect that if you reset the interface and announce a different prefix, then this is, more or less, a new link. However, neither Windows 7 nor Linux seems to budge; both keep their existing temporary interface identifier.

Am I missing something, or do I have to arrange the experiment differently? Keeping the same interface identifier across various prefixes renders privacy extensions pretty useless...

  • Sorry for asking the obvious, but are the privacy extensions enabled (completely)? In Linux, check sysctl and in Windows use netsh to verify. RFC 4941 recommends turning them off by default, but some OSes are somewhere in between on and off by default. How do you verify the addresses? –  Aug 06 '14 at 09:12
  • No problem. Yes, they are: net.ipv6.conf.enp2s1.use_tempaddr = 2. – countermode Aug 06 '14 at 09:39
  • Addresses are verified with ip (Linux) and ipconfig (Windows). ~ Update for Windows: Deactivating the link entirely and then activating seems to help. – countermode Aug 06 '14 at 09:41

1 Answer


One has to unplug the link (physical or virtual). Just taking the interface down does not do. After replugging, the temporary interface identifier changes (Linux and Windows).

I cannot try that here, but I guess for wifi it's the same, i.e. if you are connected to one WLAN and connect to a different WLAN, then the temporary interface identifier should change as well.
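
Added example, not part of the original question or answer: a small Python check that compares the temporary interface identifier (lower 64 bits) before and after a prefix change, using the `ip` output format mentioned in the comments. The sample outputs, prefixes and identifiers are constructed, and the function names are hypothetical; the two "after" samples model the interface-down case and the replug case described above.

```python
import ipaddress
import re

# Constructed `ip -6 addr show dev enp2s1` excerpts (RFC 3849 documentation
# prefixes, made-up identifiers); not captured from a real host.
BEFORE = """\
    inet6 2001:db8:1:1:3c5a:9e1f:72b4:8d10/64 scope global temporary dynamic
    inet6 2001:db8:1:1:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""
# New prefix announced after only taking the interface down and up.
AFTER_IFDOWN = """\
    inet6 2001:db8:2:2:3c5a:9e1f:72b4:8d10/64 scope global temporary dynamic
    inet6 2001:db8:2:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
"""
# New prefix announced after unplugging and replugging the link.
AFTER_REPLUG = """\
    inet6 2001:db8:2:2:a1f4:27c9:5be0:44d3/64 scope global temporary dynamic
    inet6 2001:db8:2:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
"""

ADDR_RE = re.compile(
    r"^[ \t]*inet6[ \t]+(\S+)/(\d+)[ \t]+scope[ \t]+global\b(.*)$", re.M)
IID_MASK = (1 << 64) - 1

def temporary_addresses(ip_output):
    """Return (prefix, iid) integer pairs for every temporary /64 address."""
    pairs = []
    for addr, plen, flags in ADDR_RE.findall(ip_output):
        if plen != "64" or "temporary" not in flags.split():
            continue  # skip stable (mngtmpaddr) and non-/64 addresses
        value = int(ipaddress.IPv6Address(addr))
        pairs.append((value >> 64, value & IID_MASK))
    return pairs

def reused_iids(before, after):
    """Temporary IIDs from `before` that reappear under a different prefix."""
    old = temporary_addresses(before)
    new = temporary_addresses(after)
    return sorted({format(iid, "016x")
                   for old_prefix, iid in old
                   for new_prefix, new_iid in new
                   if iid == new_iid and old_prefix != new_prefix})

if __name__ == "__main__":
    print("ifdown/ifup:", reused_iids(BEFORE, AFTER_IFDOWN) or "no reuse")
    print("replug:     ", reused_iids(BEFORE, AFTER_REPLUG) or "no reuse")
```

A non-empty result means the host is still trackable across prefixes by its temporary identifier, which is the situation the question describes.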