Privacy Extension as described in RFC 4941 / Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (obsoleted RFC 3041) is replacing the static interface ID (mostly based on word-wide unique MAC address) used during autoconfiguration by a pseudo-random one and generating from time to time a new one deprecating the old one.
Enable privacy extension for e.g. interface ”eth0” and prefer the generated address:
# sysctl -w net.ipv6.conf.eth0.use_tempaddr=2
Afterwards, restart of the interface is necessary
# ip link set dev eth0 down # ip link set dev eth0 up
Once a router advertisement is received, the result should look like following
# ip -6 addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2001:db8:0:1:8992:3c03:d6e2:ed72/64 scope global secondary dynamic <- pseudo-random IID
valid_lft 604711sec preferred_lft 86311sec
inet6 2001:db8:0:1::224:21ff:fe01:2345/64 scope global <- IID based on MAC
valid_lft 604711sec preferred_lft 86311sec
...
For permanent activation, either a special initscript value per interface will enable privacy or an entry in the /etc/sysctl.conf file like
net.ipv6.conf.eth0.use_tempaddr=2
Note: interface must already exists with proper name when sysctl.conf is applied. If this is not the case (e.g. after reboot) one has to configure privacy for all interfaces by default:
net.ipv6.conf.all.use_tempaddr=2 net.ipv6.conf.default.use_tempaddr=2
Changed/added values in /etc/sysctl.conf can be activated during runtime, but at least an interface down/up or a reboot is recommended.
# sysctl -p
Modern (client) systems are using NetworkManager for configuring interfaces. A command line tool is built-in which can be used to change settings which are not available via GUI.
Examples based on version 0.9.9.1-5.git20140319.fc21
Check existing interfaces with:
# nmcli connection NAME UUID TYPE DEVICE ens4v1 d0fc2b2e-5fa0-4675-96b5-b723ca5c46db 802-3-ethernet ens4v1
Current amount of IPv6 privacy extension addresses can be checked with
# ip -o addr show dev ens4v1 | grep temporary | wc -l 0
Current IPv6 privacy extension settings can be checked with
# nmcli connection show ens4v1 |grep ip6-privacy ipv6.ip6-privacy: -1 (unknown)
Enable IPv6 privacy extension and restart interface
# nmcli connection modify ens4v1 ipv6.ip6-privacy 2 # nmcli connection down ens4v1; nmcli connection up ens4v1
New IPv6 privacy extension settings can be checked with
# nmcli connection show ens4v1 |grep ip6-privacy ipv6.ip6-privacy: 2 (active, prefer temporary IP)
Now IPv6 privacy extension addresses are configured on the interface
# ip -o addr show dev ens4v1 | grep temporary | wc -l 2
Whether the IPv6 address with an Interface ID generated by Privacy Extension is really used for outgoing connections, one can browse to http://ip.bieringer.de/, in case EUI64_SCOPE shows ”iid-privacy”, then everything is working fine.