ipcontext: Random temporary IPv6 for every container

[stoically]

Part of https://github.com/stoically/temporary-containers/issues/417

This is experimental, use at your own risk. Also there's no cleanup yet for created IPv6 addresses, so you'd have to manually do that with e.g. the ip command.

Todo

• [ ] Add storage (rusqlite / sqlx) so container assigned IPs survive restarts/reloads
• [ ] Check for cap NET_ADMIN on start
• [ ] Provide control port (hyper?) or native messaging capability to check from TC whether ipv6 subnet/mngtmpaddr is available and to get a random port
• [ ] Listen for ip changes on interface
• [ ] Username as extension UUID, password as byte encoded information (context id)
• [ ] Keep track of which ipversion was seen first for a container
• [ ] Monitor link UP/DOWN and re-add addresses (also needed for standby wakeup)
• [ ] Improve logging (show when container is assigned to add_routing)
• [ ] Check whether ipv6 loopback is enabled on distros
• [ ] Isolate first party domains on top of containers, so that ipv4 only always works
• [ ] Detect existing ipv4/ipv6 tabs when add-on initializes
• [ ] Check whether it's possible to get new subnets from the router (/64 different from the current device)
• [ ] Compare neli to rtnetlink
• [ ] Change tests to automatically add mngtmpaddr to the interface by adding IFA_F_MANAGETEMPADDR to the IFA_FLAGS in netlink.handle.address().add().addr_add_request.message_mut().nlas

[bakulf]

I have spent a few days investigating this proposal. I think this is extremely interesting but, this is not a "perfect" solution because a tracker website can simply use the subnet instead of the full IP to identify the user. The subnet is unique and it's not shared between users. Because of this, it doesn't nullify the tracking vector attack via IP address.

[stoically]

Thanks for looking into it @bakulf! I agree that it isn't an actual solution against tracking, I personally see it merely as "a bit better than just a single IP". Also mentioned the subnet tracking in #417 - though, it'd be kinda interesting to know how trackers actually handle that in the wild. Do you happen to have information on that?

[stoically]

Closing as I won't finish this ever.