systemd / systemd

The systemd System and Service Manager
https://systemd.io
GNU General Public License v2.0

RFC4941: configure IPv6PrivacyExtensions for specific prefixes #32087

Open BreiteSeite opened 5 months ago

BreiteSeite commented 5 months ago

Component

systemd-networkd

Is your feature request related to a problem? Please describe

When IPv6PrivacyExtensions is set to true for a specific interface, it generates temporary addresses for all global unicast addresses as well as for all unique local addresses (ULA). In my case, generating temporary unique local addresses is undesired.

Describe the solution you'd like

RFC 4941 in section 3.6 Deployment Considerations states:

Additionally, sites might wish to selectively enable or disable the use of temporary addresses for some prefixes. For example, a site might wish to disable temporary address generation for "Unique local" [ULA] prefixes while still generating temporary addresses for all other global prefixes. Another site might wish to enable temporary address generation only for the prefixes 2001::/16 and 2002::/16, while disabling it for all other prefixes. To support this behavior, implementations SHOULD provide a way to enable and disable generation of temporary addresses for specific prefix subranges.

So according to the RFC, I think the following makes sense:

Explicitly Enable Privacy Extensions Based On Prefixes

Maybe it makes sense for IPv6PrivacyExtensions to not only accept a boolean but also specific prefixes for which temporary addresses should be generated. true would continue to mean "all" and false would completely turn privacy extensions off (meaning IPv6PrivacyExtensionsIgnoredPrefixes would be silently ignored).

IPv6PrivacyExtensions=2001::/16 2003::/16

Explicitly Disable Privacy Extensions Based On Prefixes

Could be done for example like this: IPv6PrivacyExtensionsIgnoredPrefixes=fd00::/8 2002::/16 (not sure if it's the best name).

To be clear, for my use-case I would be fine with explicitly enabling privacy extensions for specific prefixes (by using IPv6PrivacyExtensions). I proposed both because that is closest to the quoted RFC section.

Alternative Version

Alternatively we could have a syntax (!-prefix to disable privacy extensions) like this: IPv6PrivacyExtensions=!fd00::/8 2001::/16 2003::/16

In which case privacy extensions would be enabled for 2001::/16 and 2003::/16 but disabled for fd00::/8 (prefixed with !). However, I'm not sure how intuitive/parseable this is.

The systemd version you checked that didn't have the feature you are asking for

254

yuwata commented 5 months ago

IPv6PrivacyExtensions= configures the use_tempaddr sysctl attribute, and the attribute is per-interface, not per-address...
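Because use_tempaddr is a per-interface knob, the per-prefix behaviour proposed above (IPv6PrivacyExtensions=<prefixes> and IPv6PrivacyExtensionsIgnoredPrefixes=) cannot be configured today, but the outcome can at least be audited. The following is an added example, not systemd code and not from this thread: it parses `ip -6 addr show` output and reports the temporary addresses that the proposed semantics would not have generated. The sample output, interface name and addresses are constructed, and `parse_ip6_addrs` / `check_policy` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (not taken from the issue): one
# interface with a global 2001:db8::/32 prefix and a ULA fd00::/8 prefix, each
# carrying a stable address plus the kernel-generated temporary one.
SAMPLE_IP_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1c3a:5f0e:9b2d:77a1/64 scope global temporary dynamic
       valid_lft 86172sec preferred_lft 14172sec
    inet6 2001:db8:1:2:221:ccff:fe01:2345/64 scope global dynamic mngtmpaddr
       valid_lft 86172sec preferred_lft 14172sec
    inet6 fd12:3456:789a:1:ab4e:20f1:6c8d:e57/64 scope global temporary dynamic
       valid_lft 86172sec preferred_lft 14172sec
    inet6 fd12:3456:789a:1:221:ccff:fe01:2345/64 scope global dynamic mngtmpaddr
       valid_lft 86172sec preferred_lft 14172sec
    inet6 fe80::221:ccff:fe01:2345/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+: ([^:@\s]+)[@:]")
ADDR_RE = re.compile(r"^\s+inet6 (\S+)/\d+ (.*)$")

def parse_ip6_addrs(text):
    """Yield (iface, IPv6Address, is_temporary) for every inet6 line."""
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and iface:
            # "temporary" is the flag ip(8) prints for RFC 4941 addresses.
            yield iface, ipaddress.IPv6Address(m.group(1)), "temporary" in m.group(2).split()

def check_policy(text, enabled=("::/0",), ignored=()):
    """Return (iface, address) for each temporary address that the proposed
    per-prefix policy would not have generated: outside every `enabled` prefix
    or inside an `ignored` one. enabled=("::/0",) mirrors IPv6PrivacyExtensions=true."""
    enabled_nets = [ipaddress.IPv6Network(p) for p in enabled]
    ignored_nets = [ipaddress.IPv6Network(p) for p in ignored]
    return [
        (iface, str(addr))
        for iface, addr, temporary in parse_ip6_addrs(text)
        if temporary
        and (not any(addr in n for n in enabled_nets)
             or any(addr in n for n in ignored_nets))
    ]
```

Run it against real `ip -6 addr show` output with `ignored=("fd00::/8",)` to see which interfaces still produce temporary ULA addresses; prefix membership is computed on the binary address, so compressed forms like `fd::1` (which is 00fd::1, not ULA) are not misclassified.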

yuwata commented 5 months ago

Ah, maybe you request something similar to ManageTemporaryAddress= in [Address] for dynamic addressing protocols, like NDisc?

BreiteSeite commented 5 months ago

IPv6PrivacyExtensions= configures the use_tempaddr sysctl attribute, and the attribute is per-interface, not per-address...

I see. I thought this would use some kernel method but wasn't sure which one to dig deeper into. So basically, this is a Linux kernel limitation? If so I guess you can close this PR as not planned then, as the real issue should be opened on the Linux kernel side. I'm not comfortable with doing that currently, as the impression I have is that they only accept contributions or bugs w/ patches. Not really sure if this could be considered a bug (incomplete RFC implementation). The way the RFC is phrased, I would assume this constitutes a feature.

Ah, maybe you request something similar to ManageTemporaryAddress= in [Address] for dynamic addressing protocols, like NDisc?

No, I don't think so. From what I understand, with ManageTemporaryAddress= I can define the 64-bit interface identifier that is used for temporary address generation? This wouldn't be what I want.

Edit: also, someone on Reddit 4 years ago wondered the same.