Enable Raspbian Wheezy IPv6 Privacy Extensions
If you have activated IPv6 in Raspberry Pi (Raspbian Wheezy), then all IPv6 addresses are formed from the MAC address (hardware address). Unfortunately, it is always the same, which is why the client or host concerned can be identified by this address. For privacy reasons, that’s a problem.
That’s why with Privacy Extensions for IPv6, there’s an extension that protects privacy. However, this is not always automatically active when IPv6 is switched on or activated.
Of course, Privacy Extensions is only relevant if a router distributes a global prefix within the local network. Otherwise Privacy Extensions will remain inactive even if it is activated in the settings.
- Privacy Extensions (IPv6)
Under Raspbian Jessie, IPv6 is on by default and Privacy Extensions is enabled. The following tasks are for Raspbian Wheezy.
Note: There may be several reasons why Privacy Extensions is not active in spite of proper configuration. Privacy Extensions usually does not affect link-local addresses beginning with “fe80”. It does not become active even if no global prefix is distributed on the local network or if static IPv6 addresses have been configured for the network interfaces.
task
- Enable Privacy Extensions.
- Check if the privacy extension is active.
Solution 1 for Raspbian Wheezy
First, open a configuration file.
sudo nano /etc/sysctl.conf
Here you must insert the following entry:
# Enable IPv6 Privacy Extensions
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
This entry ensures that Privacy Extensions is activated for “all” network interfaces. If you do not want to enable Privacy Extensions for all, but only for selected interfaces, replace “all” with the name of the interface. For example “eth0” or “wlan0”.
Optionally, you can specify how long the temporary addresses generated by Privacy Extensions should be used (value in seconds). It is not discarded immediately, but a new temporary address is created and used for outgoing connections. The old one will be finally discarded later, if for a while no more traffic comes in at this address. This value can be additionally limited with a second value.
# Lifetime (86400 = 24h)
net.ipv6.conf.all.temp_prefered_lft = 86400
# set valid LifeTime (604800 sec = 7 days)
net.ipv6.conf.all.temp_valid_lft = 640800
Then save and close: Ctrl + O, Return, Ctrl + X.
After a restart, the Privacy Extensions should be active.
sudo reboot
A restart is not necessarily required. Reading in the system settings does it too.
sudo sysctl -p /etc/sysctl.conf
However, one should check in any case whether the interfaces have generated a temporary global IPv6 address.
ifconfig
Here, the corresponding interface should have a global IPv6 address. If not, no prefix will be distributed in the local network or Raspberry Pi has not gotten any yet. Here you have to wait maybe one or two minutes and then try again.
If Raspberry Pi then has a global IPv6 address, then there should be an additional global IPv6 address that has no traces of the MAC address. If this address does not exist then Privacy Extensions has not become active. Then you really have a problem!
Solution 2 for Raspbian Wheezy
First of all, check the existing network interfaces. Usually one works with “eth0” or “wlan0”. Here you look after the setting of Privacy Extensions.
sudo cat </proc/sys/net/ipv6/conf/eth0/use_tempaddr
Here the command line should output “2”. If not, then the default setting was not accepted. In this case you have to make the setting separately for each interface.
So again open the configuration file.
sudo nano /etc/sysctl.conf
Here you have to add the following entry additionally for “eth0”:
net.ipv6.conf.eth0.use_tempaddr = 2
And if a WLAN interface is also used for “wlan0”:
net.ipv6.conf.wlan0.use_tempaddr = 2
Then save and close: Ctrl + O, Return, Ctrl + X.
And of course, as usual, Reboot is doing well.
sudo reboot
After the restart you have to check again with “ifconfig”. If the settings have been applied, then there is also a global temporary IPv6 address, which is used for outgoing connections and changed regularly.
Solution 3 for Raspbian Wheezy (quick and dirty)
If it has not worked out yet, only the mallet method will help. It helps, but is “dirty”. To do this, open a configuration file:
sudo nano /etc/rc.local
Here you enter the following line before “exit 0”:
for IF in "/bin/ls/proc/sys/net/ipv6/conf/*/use_tempaddr"; do echo 2> $ IF; done
Then save, close and reboot.
I did this on my Raspberry Pi 2 adding lines to sysctl.conf.
Like so:
# Enable IPv6 Privacy Extensions
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eth0.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
#
# Lifetime (86400 = 24h)
net.ipv6.conf.default.temp_prefered_lft = 86400
net.ipv6.conf.eth0.temp_prefered_lft = 86400
net.ipv6.conf.all.temp_prefered_lft = 86400
#
# set valid LifeTime (604800 sec = 7 days)
net.ipv6.conf.default.temp_valid_lft = 604800
net.ipv6.conf.eth0.temp_valid_lft = 604800
net.ipv6.conf.all.temp_valid_lft = 604800
#
And the pi is generating and using a new temporary IPv6 addresses each day for outgoing connections as I wanted.
However it is not discarding addresses after 7 days!!
Is there something missing that’s needed to make it discard them?
as you can see here those settings will work for 7 days
# set valid LifeTime (604800 sec = 7 days)
net.ipv6.conf.default.temp_valid_lft = 604800
net.ipv6.conf.eth0.temp_valid_lft = 604800
net.ipv6.conf.all.temp_valid_lft = 604800
#
try to add more valid to 604800 for example 1 day equal 86400
The Raspberry Pi has been running for a week now and eth0 now has over 40 global IPv6 addresses!
This can’t be right.
There must be some detail I’m missing.