Mailing List Archive

macos Sierra with CGA address?
Hi,

I just realized that the permanent interface identifier of my Mac has
changed after upgrading to OS 10.12 (I guess).

The output of ifconfig shows a new "secured" flag at the permanent address.
$ ifconfig en0 | grep inet6 | \
> sed "s/2[^:]*:[^:]*:[^:]*:[^:]*:/<prfx48>:/"
inet6 fe80::c54:6333:ac12:c67b%en0 prefixlen 64 secured scopeid 0x4
inet6 <prfx48>:20e3:84f6:6794:5ace prefixlen 64 autoconf secured
inet6 <prfx48>:8822:a8a3:b6ec:a79b prefixlen 64 autoconf temporary

I found two or three posts on the internet, all mentioning (or hoping)
that this is related to a change to RFC7217 as default IID mechanism.

But one guy said that the source code (of 10.11) shows that this is a
cryptographically generated interface identifier for SeND (RFC3971).

I tend to believe that the latter is true.
Has anyone more information about this? Especially how to configure it?

Best Regards
Holger
Re: macos Sierra with CGA address? [ In reply to ]
On 2016-12-14 11:55, Holger Zuleger wrote:
> Hi,
>
> I just realized that the permanent interface identifier of my MAC has
> changed after upgrading to OS 10.12 (I guess).
>
> The output of ifconfig shows a new "secured" flag at the permanent address.
> $ ifconfig en0 | grep inet6 | \
>> sed "s/2[^:]*:[^:]*:[^:]*:[^:]*:/<prfx48>:/"
> inet6 fe80::c54:6333:ac12:c67b%en0 prefixlen 64 secured scopeid 0x4
> inet6 <prfx48>:20e3:84f6:6794:5ace prefixlen 64 autoconf secured
> inet6 <prfx48>:8822:a8a3:b6ec:a79b prefixlen 64 autoconf temporary
>
> I found two or three posts in the internet, all mentioning (or hoping)
> that this is related to a change to RFC7217 as default IID mechanism.
>
> But one guy said that the source code (of 10.11) shows that this is a
> cryptographically generated interface identifier for SeND (RFC3971).
>
> I tend to believe that the latter is true.

Seeing how Apple implemented things like "Happy Eyeballs" it likely is
neither. And in the case of "Happy Eyeballs" there is no way to turn it
off either. Filing radar bugs clearly does not help as they never get
addressed or marked as 'dupe' at which point you do not know the status
of the 'original' problem and well, nothing happens...

> Has anyone more information about this? Especially how to configure it?

The only trick I found out was:

https://twitter.com/tweetsix/status/778615624444571649
8<-------
Also who has typed: "sudo sysctl -w net.inet6.ip6.maxifprefixes=1" (or
stored the setting in /etc/sysctl.conf) recently? ;)
--------->8

As then you only get the DHCPd address (requires DHCPv6 server....) on
your interface and not all the other magic ones that change all the time
and are extremely useless if you want to ADDRESS a host...
(yes, I love VNC'ing, SSH'ing and doing SSH-backups of my boxes...)


There are claimed 'good' properties of a changing address but mostly
they are useless: "it works against tracking" which is useless if your
/48 is static and there are only ~10 hosts in that prefix that call
outbound. Also, something with HTTP Cookies for 99% of the other things.
And I am really not lugging my 27" iMac around to get it in another
network....


Hence, a switch to turn it off.... would be amazing.
The above trick kinda does that though and it mostly seems to work.


With the trend that Apple is taking with their hardware line that
actually runs OSX ehmm MacOS, it seems that swapping platforms is a
likely next step for a lot of people...

2016 was supposed to be the year of IPv6 (201_IPv_6), which indeed
worked a wee bit, but maybe 2026 is the actual goal of many companies;
thus maybe 2017 is going to be the year of Linux on the Desktop? :)


Anybody already coded up a Little Snitch equiv for OpenBSD? :)

Greets,
Jeroen
Re: macos Sierra with CGA address? [ In reply to ]
> On 14 Dec 2016, at 10:55, Holger Zuleger <Holger.Zuleger@hznet.de> wrote:
>
> Hi,
>
> I just realized that the permanent interface identifier of my MAC has
> changed after upgrading to OS 10.12 (I guess).
>
> The output of ifconfig shows a new "secured" flag at the permanent address.
> $ ifconfig en0 | grep inet6 | \
>> sed "s/2[^:]*:[^:]*:[^:]*:[^:]*:/<prfx48>:/"
> inet6 fe80::c54:6333:ac12:c67b%en0 prefixlen 64 secured scopeid 0x4
> inet6 <prfx48>:20e3:84f6:6794:5ace prefixlen 64 autoconf secured
> inet6 <prfx48>:8822:a8a3:b6ec:a79b prefixlen 64 autoconf temporary
>
> I found two or three posts in the internet, all mentioning (or hoping)
> that this is related to a change to RFC7217 as default IID mechanism.
>
> But one guy said that the source code (of 10.11) shows that this is a
> cryptographically generated interface identifier for SeND (RFC3971).
>
> I tend to believe that the latter is true.
> Has anyone more information about this? Especially how to configure it?
>

man ifconfig says:

" insecure
Disable the processing of Secure Neighbor Discovery (SEND).

-insecure
Do not disabled the processing of Secure Neighbor Discovery
(SEND)."

Mat
Re: macos Sierra with CGA address? [ In reply to ]
Hi Jeroen,

>> I found two or three posts in the internet, all mentioning (or hoping)
>> that this is related to a change to RFC7217 as default IID mechanism.
>>
>> But one guy said that the source code (of 10.11) shows that this is a
>> cryptographically generated interface identifier for SeND (RFC3971).
>>
>> I tend to believe that the latter is true.
>
> Seeing how Apple implemented things like "Happy Eyeballs" it likely is
> neither. And in the case of "Happy Eyeballs" there is no way to turn it
> off either. Filing radar bugs clearly does not help as they never get
> addressed or marked as 'dupe' at which point you do not know the status
> of the 'original' problem and well, nothing happens...


>> Has anyone more information about this? Especially how to configure it?
>
> The only trick I found out was:
>
> https://twitter.com/tweetsix/status/778615624444571649
> 8<-------
> Also who has typed: "sudo sysctl -w net.inet6.ip6.maxifprefixes=1" (or
> stored the setting in /etc/sysctl.conf) recently? ;)
> --------->8
To be honest, that's definitely not the way I'd like to go.

> As then you only get the DHCPd address (requires DHCPv6 server....) on
> your interface and not all the other magic ones that change all the time
> and are extremely useless if you want to ADDRESS a host...
> (yes, I love VNC'ing, SSH'ing and doing SSH-backups of my boxes...)
Oh no, DHCPv6 is not needed here.

The problem is *not* that this IID is changing. It is a stable one. And
yes, I am not voting against temporary addresses.

> There are claimed 'good' properties of a changing address but mostly
> they are useless: "it works against tracking" which is useless if your
> /48 is static and there are only ~10 hosts in that prefix that call
> outbound. Also, something with HTTP Cookies for 99% of the other things.
> And I am really not lugging my 27" iMac around to get it in another
> network....
>
> Hence, a switch to turn it off.... would be amazing.
> The above trick kinda does that though and it mostly seems to work.
My info is to set
sysctl -w net.inet6.send.opstate=0
to go back to MAC-address-based EUI-64, but I haven't checked it.

There is another sysctl parameter (opmode), but it's unclear what 1 (or 0) means:
$ sysctl net.inet6.send
net.inet6.send.opstate: 1
net.inet6.send.opmode: 1

Thanks
Holger
Re: macos Sierra with CGA address? [ In reply to ]
Thanks Mat,

> man ifconfig says:
>
> " insecure
> Disable the processing of Secure Neighbor Discovery (SEND).
>
> -insecure
> Do not disabled the processing of Secure Neighbor Discovery
> (SEND)."
I thought that "secured" means that -insecure is set.

But looking at the NA/NS messages I don't find any CGA options or the
rest of what is needed for SEND.

Holger
Re: macos Sierra with CGA address? [ In reply to ]
Hi,

> On 14 Dec 2016, at 11:08, Jeroen Massar <jeroen@massar.ch> wrote:
>
> On 2016-12-14 11:55, Holger Zuleger wrote:
>> Hi,
>>
>> I just realized that the permanent interface identifier of my MAC has
>> changed after upgrading to OS 10.12 (I guess).
>>
>> The output of ifconfig shows a new "secured" flag at the permanent address.
>> $ ifconfig en0 | grep inet6 | \
>>> sed "s/2[^:]*:[^:]*:[^:]*:[^:]*:/<prfx48>:/"
>> inet6 fe80::c54:6333:ac12:c67b%en0 prefixlen 64 secured scopeid 0x4
>> inet6 <prfx48>:20e3:84f6:6794:5ace prefixlen 64 autoconf secured
>> inet6 <prfx48>:8822:a8a3:b6ec:a79b prefixlen 64 autoconf temporary
>>
>> I found two or three posts in the internet, all mentioning (or hoping)
>> that this is related to a change to RFC7217 as default IID mechanism.
>>
>> But one guy said that the source code (of 10.11) shows that this is a
>> cryptographically generated interface identifier for SeND (RFC3971).
>>
>> I tend to believe that the latter is true.
>
> Seeing how Apple implemented things like "Happy Eyeballs" it likely is
> neither. And in the case of "Happy Eyeballs" there is no way to turn it
> off either. Filing radar bugs clearly does not help as they never get
> addressed or marked as 'dupe' at which point you do not know the status
> of the 'original' problem and well, nothing happens...

Interesting - I’d also assumed the new form of address was RFC 7217 support. I don’t think any other common OS implements SeND, does it?

Tim
Re: macos Sierra with CGA address? [ In reply to ]
On 2016-12-14 12:25, Holger Zuleger wrote:
> Hi Jeroen,
>
>>> I found two or three posts in the internet, all mentioning (or hoping)
>>> that this is related to a change to RFC7217 as default IID mechanism.
>>>
>>> But one guy said that the source code (of 10.11) shows that this is a
>>> cryptographically generated interface identifier for SeND (RFC3971).
>>>
>>> I tend to believe that the latter is true.
>>
>> Seeing how Apple implemented things like "Happy Eyeballs" it likely is
>> neither. And in the case of "Happy Eyeballs" there is no way to turn it
>> off either. Filing radar bugs clearly does not help as they never get
>> addressed or marked as 'dupe' at which point you do not know the status
>> of the 'original' problem and well, nothing happens...
>
>
>>> Has anyone more information about this? Especially how to configure it?
>>
>> The only trick I found out was:
>>
>> https://twitter.com/tweetsix/status/778615624444571649
>> 8<-------
>> Also who has typed: "sudo sysctl -w net.inet6.ip6.maxifprefixes=1" (or
>> stored the setting in /etc/sysctl.conf) recently? ;)
>> --------->8
> To be honest, that's definitely not the way I'd like to go.
>
>> As then you only get the DHCPd address (requires DHCPv6 server....) on
>> your interface and not all the other magic ones that change all the time
>> and are extremely useless if you want to ADDRESS a host...
>> (yes, I love VNC'ing, SSH'ing and doing SSH-backups of my boxes...)
> Oh no, DHCPv6 is not needed here.

Until Sierra, I didn't have any DHCPv6 either... but now I do because I
really love my static and known addresses. People know I have a Mac
anyway, thus what info am I losing there?

> The problem is *not* that this IID is changing. It is a stable one. And
> yes, I vote not against temporary addresses.

Actually, it is not a stable address as some have found out (read:
anecdotal), they also change at re-install and there are a couple of
other possibilities from what I recall.

Unfortunately, documentation about all of this is completely lacking...

The maxifprefixes does what it needs to do for me: only allow use of
DHCPv6'd addresses.

But indeed, that was a pure guess to enable that.

>> There are claimed 'good' properties of a changing address but mostly
>> they are useless: "it works against tracking" which is useless if your
>> /48 is static and there are only ~10 hosts in that prefix that call
>> outbound. Also, something with HTTP Cookies for 99% of the other things.
>> And I am really not lugging my 27" iMac around to get it in another
>> network....
>>
>> Hence, a switch to turn it off.... would be amazing.
>> The above trick kinda does that though and it mostly seems to work.
> My info is to set
> sysctl -w net.inet6.send.opstate=0
> to go back to MAC-address-based EUI-64, but I haven't checked it.
>
> There is another sysctl parameter (opmode), but it's unclear what 1 (or 0) means:
> $ sysctl net.inet6.send
> net.inet6.send.opstate: 1
> net.inet6.send.opmode: 1

There is no documentation at all about these things, hence, nothing one
can say about it, except begging Apple to finally document stuff.

google("net.inet6.send.opstate") has 76 hits, going back to 2014-ish,
and those switches were in El Capitan (10.9) already.

The change with random addresses came with Sierra though as Iljitsch
wrote here:

http://arstechnica.com/apple/2016/09/macos-10-12-sierra-the-ars-technica-review/6/#h3

Greets,
Jeroen
Re: macos Sierra with CGA address? [ In reply to ]
> Interesting - I’d also assumed the new form of address was RFC 7217
Yes, especially as draft-ietf-6man-default-iids recommends this as
default generation scheme.

> support. I don’t think any other common OS implements SeND, does it?
Not that I'm aware of, so I was on the way to bury the idea of secure
neighbor discovery.

It seems that some implementations for Linux exist, and also a Windows
application (see page 23 on
http://www.rmv6tf.org/wp-content/uploads/2012/11/IPv6_SeND_PPT1.pdf)

Holger
Re: macos Sierra with CGA address? [ In reply to ]
On 2016-12-14 12:40, Jeroen Massar wrote:
[..]
>> There is another sysctl parameter (opmode) but unclear what 1 (or 0) means:
>> $ sysctl net.inet6.send
>> net.inet6.send.opstate: 1
>> net.inet6.send.opmode: 1
>
> There is no documentation at all about these things, hence, nothing one
> can say about it, except begging Apple to finally document stuff.

Maybe this is the 'closest' to documentation: the source:

https://github.com/opensource-apple/xnu/blob/27ffc00f33925b582391b1ef318b78b8bd3939d1/bsd/netinet6/nd6_send.c

This is an older dump though.

Not a single mention of an RFC in there, but they are talking about
"SEND" (not "SeND") and there are CGA parameters in there which are not
exposed.

Apparently one needs "#if CONFIG_MACF" which we do not have...

Hence, I can only guess that that code is not active yet, at least in
that ancient version.

Thus let's peek at:
https://opensource.apple.com/tarballs/xnu/xnu-3248.60.10.tar.gz

mmm while I have:
root:xnu-3789.21.3~60/RELEASE_X86_64 x86_64

Thus 500 something behind....

In that tarball, look at bsd/netinet6/

Same file still there. Thus: nothing changed in that timeframe
concerning send.

Though, as various of the dumps show, opmode/state has changed to '1'
somewhere.

Maybe this is thus part of those last 500 changes?


in6.c has:
8<-------------------
    if (optdad) {
        if ((optdad & ND6_OPTIMISTIC_DAD_LINKLOCAL) &&
            IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr))
            flags = IN6_IFF_OPTIMISTIC;
        else if ((optdad & ND6_OPTIMISTIC_DAD_AUTOCONF) &&
            (ia->ia6_flags & IN6_IFF_AUTOCONF)) {
            if (ia->ia6_flags & IN6_IFF_TEMPORARY) {
                if (optdad & ND6_OPTIMISTIC_DAD_TEMPORARY)
                    flags = IN6_IFF_OPTIMISTIC;
            } else if (ia->ia6_flags & IN6_IFF_SECURED) {
                if (optdad & ND6_OPTIMISTIC_DAD_SECURED)
                    flags = IN6_IFF_OPTIMISTIC;
            } else {
                /*
                 * Keeping the behavior for temp and CGA
                 * SLAAC addresses to have a knob for optimistic
                 * DAD.
                 * Other than that if ND6_OPTIMISTIC_DAD_AUTOCONF
                 * is set, we should default to optimistic
                 * DAD.
                 * For now this means SLAAC addresses with interface
                 * identifier derived from modified EUI-64 bit
                 * identifiers.
                 */
                flags = IN6_IFF_OPTIMISTIC;
            }
------------>8

Which is likely related.... but that was also in the old github edition
already...

Hence, we are still none the wiser here.

Greets,
Jeroen
Re: macos Sierra with CGA address? [ In reply to ]
[..]
> Actually, it is not a stable address as some have found out (read:
> anecdotal), they also change at re-install and there are a couple of
> other possibilities from what I recall.

From xnu-3248.60.10/bsd/netinet6/in6_ifattach.c:

8<--------------------
/*
* Generate a last-resort interface identifier, when the machine has no
* IEEE802/EUI64 address sources.
* The goal here is to get an interface identifier that is
* (1) random enough and (2) does not change across reboot.
* We currently use SHA1(hostname) for it.
*
* in6 - upper 64bits are preserved
*/
get_rand_iid(
------------------->8

So good luck when you get a hostname over DHCP :)

There are some other comments there that could be enlightening, but this
code definitely does not match the released code, it is running behind
quite a bit.

Greets,
Jeroen
Re: macos Sierra with CGA address? [ In reply to ]
On 2016-12-14 13:10, Jeroen Massar wrote:
> [..]
>> Actually, it is not a stable address as some have found out (read:
>> anecdotal), they also change at re-install and there are a couple of
>> other possibilities from what I recall.
>
> From xnu-3248.60.10/bsd/netinet6/in6_ifattach.c:

And after finding 10.12.1 sources (note that is not 10.12.2 which is out):

There is a lot more SEND/CGA/"LLCGA" related stuff in here:

https://opensource.apple.com/source/xnu/xnu-3789.21.4/bsd/netinet6/in6_ifattach.c.auto.html

eg:

in6_ifattach_llcgareq has:

    if (nd6_send_opstate == ND6_SEND_OPMODE_DISABLED)
        return (ENXIO);

Thus maybe one can disable it, if sysctl.conf has it disabled at
boot...... let's find out :)

Greets,
Jeroen
Re: macos Sierra with CGA address? [ In reply to ]
Holger Zuleger <Holger.Zuleger@hznet.de> writes:

> It seems that some implementation for Linux exist, and also an Windows
> Application (see page 23 on
> http://www.rmv6tf.org/wp-content/uploads/2012/11/IPv6_SeND_PPT1.pdf)

And the slides lead to:

https://github.com/TrustRouter/TrustRouter

"TrustRouter will be available as a one-click solution that can be
installed on clients running Linux, Mac OS X, and Windows. In addition
to that, TrustRouter will also be integrated in the router advertisement
daemon radvd."

Latest commit c7baeab on 18 Apr 2012

Jens
--
----------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink@quux.de | --------------- |
----------------------------------------------------------------------------
Re: macos Sierra with CGA address? [ In reply to ]
On 2016-12-14 13:26, Jeroen Massar wrote:
> On 2016-12-14 13:10, Jeroen Massar wrote:
>> [..]
>>> Actually, it is not a stable address as some have found out (read:
>>> anecdotal), they also change at re-install and there are a couple of
>>> other possibilities from what I recall.
>>
>> From xnu-3248.60.10/bsd/netinet6/in6_ifattach.c:
>
> And after finding 10.12.1 sources (note that is not 10.12.2 which is out):
>
> There is a lot more SEND/CGA/"LLCGA" related stuff in here:
>
> https://opensource.apple.com/source/xnu/xnu-3789.21.4/bsd/netinet6/in6_ifattach.c.auto.html
>
> eg:
>
> in6_ifattach_llcgareq has:
>
> if (nd6_send_opstate == ND6_SEND_OPMODE_DISABLED)
> return (ENXIO);
>
> Thus maybe one can disable it, if sysctl.conf has it disabled at
> boot...... let's find out :)

$ sysctl -a |grep opmode
net.inet6.send.opmode: 0
$ sysctl -a |grep opstate
net.inet6.send.opstate: 0
$ sysctl -a |grep maxif
net.inet6.ip6.maxifprefixes: 16
net.inet6.ip6.maxifdefrouters: 16

and have nice static or DHCP-assigned addresses without the silly
randomness...

Thus summary:

$ cat /etc/sysctl.conf
net.inet6.ip6.prefer_tempaddr=0
net.inet6.ip6.use_tempaddr=0
net.inet6.send.opmode=0

The first two disable the silly random addresses (same /48, thus how many
people can that be);

net.inet6.send.opmode=0 disables the CGA-Link-Local-Address and thus
also the global random address.

Noting that this works on 10.12.2 (
root:xnu-3789.31.2~1/RELEASE_X86_64), but as per code likely also in
10.12 aka MacOS Sierra.

Iljitsch, maybe a good thing to update on:
http://arstechnica.com/apple/2016/09/macos-10-12-sierra-the-ars-technica-review/6/#h3 ?

that it can be disabled this way :)

Greets,
Jeroen
(now pushing out new sysctl.conf to all other boxes ;)
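A small audit script, added here and not part of the thread, that applies the checks from the summary above offline: it classifies `ifconfig` inet6 lines by the flags Holger's output shows (secured, autoconf, temporary) and compares a sysctl.conf or `sysctl` output against the three settings Jeroen ended up with. The sample lines are constructed; the audit_live function assumes a macOS host with ifconfig and sysctl on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: audit which kinds of IPv6
# addresses a macOS Sierra interface carries and whether the sysctl
# settings from the summary are in place. Text is passed as arguments so
# the functions can be exercised offline on constructed input.

# Constructed sample in the shape of `ifconfig en0 | grep inet6` after
# Holger's sed masked the /48 prefix.
SAMPLE_IFCONFIG='inet6 fe80::c54:6333:ac12:c67b%en0 prefixlen 64 secured scopeid 0x4
inet6 <prfx48>:20e3:84f6:6794:5ace prefixlen 64 autoconf secured
inet6 <prfx48>:8822:a8a3:b6ec:a79b prefixlen 64 autoconf temporary
inet6 <prfx48>::10 prefixlen 64'

# classify_inet6 TEXT: one line per inet6 address, "<kind> <address>", where
# kind is cga (flag "secured"), temporary, slaac (autoconf only) or static.
classify_inet6() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" {
            kind = "static"
            for (i = 3; i <= NF; i++) {
                if ($i == "autoconf" && kind == "static") kind = "slaac"
                if ($i == "secured") kind = "cga"
                if ($i == "temporary") kind = "temporary"
            }
            print kind, $2
        }'
}

# count_kind TEXT KIND: how many addresses of that kind TEXT contains.
count_kind() {
    classify_inet6 "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

# The settings from the summary above, in /etc/sysctl.conf syntax.
WANTED='net.inet6.ip6.prefer_tempaddr=0
net.inet6.ip6.use_tempaddr=0
net.inet6.send.opmode=0'

# sysctl_mismatches TEXT: TEXT is either sysctl.conf content ("key=value")
# or `sysctl` output ("key: value"). Prints one line per wanted key that is
# missing or differs; prints nothing when all three match.
sysctl_mismatches() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        have=$(printf '%s\n' "$1" | awk -v k="$key" '
            { gsub(/[ \t]/, ""); sub(/:/, "=") }
            index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
            END { print v }')
        [ "$have" = "$want" ] || echo "$key: want $want, have ${have:-unset}"
    done
}

# sysctl_ok TEXT: exit status 0 when every wanted key is set correctly.
sysctl_ok() {
    [ -z "$(sysctl_mismatches "$1")" ]
}

# audit_live IFACE: run both checks against the running host (macOS only;
# assumes ifconfig and sysctl are available).
audit_live() {
    classify_inet6 "$(ifconfig "$1" | grep inet6)"
    sysctl_mismatches "$(sysctl net.inet6.ip6.prefer_tempaddr \
        net.inet6.ip6.use_tempaddr net.inet6.send.opmode)"
}

# Offline demonstration on the constructed sample: two CGA ("secured")
# addresses, one temporary, one static; then a conf missing one key and
# with opmode still enabled.
classify_inet6 "$SAMPLE_IFCONFIG"
sysctl_mismatches 'net.inet6.ip6.use_tempaddr=0
net.inet6.send.opmode=1'
```

On a live Sierra host, `audit_live en0` prints nothing after the address list when the three settings are active.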
Re: macos Sierra with CGA address? [ In reply to ]
On 14 Dec 2016, at 11:45, Holger Zuleger wrote:

>> support. I don’t think any other common OS implements SeND, does
>> it?
> Not that I'm aware of, so I was on the way to bury the idea of secure
> neighbor discovery.
>
> It seems that some implementation for Linux exist, and also an Windows
> Application (see page 23 on
> http://www.rmv6tf.org/wp-content/uploads/2012/11/IPv6_SeND_PPT1.pdf)

FreeBSD has been shipping with the SeND implementation bits in the
kernel for years (since 2010?) now. Ana Kukec did that. And there’s
a port for user space bits.

The WinSeND work read a lot like Ana’s paper back then but I have no
idea about the code.

I am happy that half a decade later support for SeND does spread across
the OSes.
/bz
Re: macos Sierra with CGA address? [ In reply to ]
On 12/14/2016 08:08 AM, Jeroen Massar wrote:
> On 2016-12-14 11:55, Holger Zuleger wrote:
>> Hi,
[....]
>
> As then you only get the DHCPd address (requires DHCPv6 server....) on
> your interface and not all the other magic ones that change all the time
> and are extremely useless if you want to ADDRESS a host...
> (yes, I love VNC'ing, SSH'ing and doing SSH-backups of my boxes...)
>
>
> There are claimed 'good' properties of a changing address but mostly
> they are useless: "it works against tracking" which is useless if your
> /48 is static and there are only ~10 hosts in that prefix that call
> outbound. Also, something with HTTP Cookies for 99% of the other things.
> And I am really not lugging my 27" iMac around to get it in another
> network....

If it actually is RFC7217, then they do not change within the same network
-- for instance, RFC7217 was/is known in 6man circles as "stable-privacy
addresses".

Thanks!

Best regards,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Re: macos Sierra with CGA address? [ In reply to ]
On 12/14/2016 08:25 AM, Holger Zuleger wrote:
>>> Has anyone more information about this? Especially how to configure it?
>>
>> The only trick I found out was:
>>
>> https://twitter.com/tweetsix/status/778615624444571649
>> 8<-------
>> Also who has typed: "sudo sysctl -w net.inet6.ip6.maxifprefixes=1" (or
>> stored the setting in /etc/sysctl.conf) recently? ;)
>> --------->8
> To be honest, that's definitely not the way I'd like to go.
>
>> As then you only get the DHCPd address (requires DHCPv6 server....) on
>> your interface and not all the other magic ones that change all the time
>> and are extremely useless if you want to ADDRESS a host...
>> (yes, I love VNC'ing, SSH'ing and doing SSH-backups of my boxes...)
> Oh no, DHCPv6 is not needed here.
>
> The problem is *not* that this IID is changing. It is a stable one. And
> yes, I vote not against temporary addresses.
>
>> There are claimed 'good' properties of a changing address but mostly
>> they are useless: "it works against tracking" which is useless if your
>> /48 is static and there are only ~10 hosts in that prefix that call
>> outbound. Also, something with HTTP Cookies for 99% of the other things.
>> And I am really not lugging my 27" iMac around to get it in another
>> network....
>>
>> Hence, a switch to turn it off.... would be amazing.
>> The above trick kinda does that though and it mostly seems to work.
> My info is to set
> sysctl -w net.inet6.send.opstate=0
> to go back to MAC-address-based EUI-64, but I haven't checked it.

Please don't resort to eui64. That's a bad idea. See RFC7721 and RFC707

Thanks,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Re: macos Sierra with CGA address? [ In reply to ]
On 12/14/2016 08:31 AM, Tim Chown wrote:
> Hi,
>
>> On 14 Dec 2016, at 11:08, Jeroen Massar <jeroen@massar.ch> wrote:
>>
>> On 2016-12-14 11:55, Holger Zuleger wrote:
>>> Hi,
>>>
>>> I just realized that the permanent interface identifier of my MAC has
>>> changed after upgrading to OS 10.12 (I guess).
>>>
>>> The output of ifconfig shows a new "secured" flag at the permanent address.
>>> $ ifconfig en0 | grep inet6 | \
>>>> sed "s/2[^:]*:[^:]*:[^:]*:[^:]*:/<prfx48>:/"
>>> inet6 fe80::c54:6333:ac12:c67b%en0 prefixlen 64 secured scopeid 0x4
>>> inet6 <prfx48>:20e3:84f6:6794:5ace prefixlen 64 autoconf secured
>>> inet6 <prfx48>:8822:a8a3:b6ec:a79b prefixlen 64 autoconf temporary
>>>
>>> I found two or three posts in the internet, all mentioning (or hoping)
>>> that this is related to a change to RFC7217 as default IID mechanism.
>>>
>>> But one guy said that the source code (of 10.11) shows that this is a
>>> cryptographically generated interface identifier for SeND (RFC3971).
>>>
>>> I tend to believe that the latter is true.
>>
>> Seeing how Apple implemented things like "Happy Eyeballs" it likely is
>> neither. And in the case of "Happy Eyeballs" there is no way to turn it
>> off either. Filing radar bugs clearly does not help as they never get
>> addressed or marked as 'dupe' at which point you do not know the status
>> of the 'original' problem and well, nothing happens...
>
> Interesting - I’d also assumed the new form of address was RFC 7217 support. I don’t think any other common OS implements SeND, does it?

Can anyone verify that:

1) As you disconnect and subsequently reconnect to the same network, the
address is formed with the same IID?

2) When multiple prefixes are advertised on the same network, each
resulting address (for each different prefix) employs a different IID?

3) If multiple interfaces (NICs) are connected to the same subnet, each
obtains a different address, plus "1)" and "2)" above are true?

Thanks!

Cheers,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Re: macos Sierra with CGA address? [ In reply to ]
On 12/14/2016 08:40 AM, Jeroen Massar wrote:
> On 2016-12-14 12:25, Holger Zuleger wrote:
>> Hi Jeroen,
>>
>>>> I found two or three posts in the internet, all mentioning (or hoping)
>>>> that this is related to a change to RFC7217 as default IID mechanism.
>>>>
>>>> But one guy said that the source code (of 10.11) shows that this is a
>>>> cryptographically generated interface identifier for SeND (RFC3971).
>>>>
>>>> I tend to believe that the latter is true.
>>>
>>> Seeing how Apple implemented things like "Happy Eyeballs" it likely is
>>> neither. And in the case of "Happy Eyeballs" there is no way to turn it
>>> off either. Filing radar bugs clearly does not help as they never get
>>> addressed or marked as 'dupe' at which point you do not know the status
>>> of the 'original' problem and well, nothing happens...
>>
>>
>>>> Has anyone more information about this? Especially how to configure it?
>>>
>>> The only trick I found out was:
>>>
>>> https://twitter.com/tweetsix/status/778615624444571649
>>> 8<-------
>>> Also who has typed: "sudo sysctl -w net.inet6.ip6.maxifprefixes=1" (or
>>> stored the setting in /etc/sysctl.conf) recently? ;)
>>> --------->8
>> To be honest, that's definitely not the way I'd like to go.
>>
>>> As then you only get the DHCPd address (requires DHCPv6 server....) on
>>> your interface and not all the other magic ones that change all the time
>>> and are extremely useless if you want to ADDRESS a host...
>>> (yes, I love VNC'ing, SSH'ing and doing SSH-backups of my boxes...)
>> Oh no, DHCPv6 is not needed here.
>
> Until Sierra, I didn't have any DHCPv6 either... but now I do because I
> really love my static and known addresses. People know I have a Mac
> anyway, thus what info am I losing there?
>
>> The problem is *not* that this IID is changing. It is a stable one. And
>> yes, I vote not against temporary addresses.
>
> Actually, it is not a stable address as some have found out (read:
> anecdotal), they also change at re-install and there are a couple of
> other possibilities from what I recall.

One might argue that a reinstall results in a conceptually different
system. The fact that the underlying hardware is the same is anecdotal.

Thanks,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Re: macos Sierra with CGA address? [ In reply to ]
On 12/14/2016 05:07 PM, Bjoern A. Zeeb wrote:
> On 14 Dec 2016, at 11:45, Holger Zuleger wrote:
>
>>> support. I don’t think any other common OS implements SeND, does it?
>> Not that I'm aware of, so I was on the way to bury the idea of secure
>> neighbor discovery.
>>
>> It seems that some implementation for Linux exist, and also an Windows
>> Application (see page 23 on
>> http://www.rmv6tf.org/wp-content/uploads/2012/11/IPv6_SeND_PPT1.pdf)
>
> FreeBSD has been shipping with the SeND implementation bits in the
> kernel for years (since 2010?) now. Ana Kukec did that. And there’s a
> port for user space bits.
>
> The WinSeND work read a lot like Ana’s paper back then but I have no
> idea about the code.
>
> I am happy that half a decade later support for SeND does spread across
> the OSes.

Hopefully all this SeND machinery is not being pushed in as a
heavyweight RFC7217. You don't need all the certs-related stuff for
getting a non-predictable stable-per-network IID.

Thanks!

Cheers,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1