Web security: Default IPv6 privacy disabled in antiX ?


  • This topic has 26 replies, 6 voices, and was last updated May 20-10:27 am by twntrelwn.
  • #139915
    Member
    Robin

      My ISP has migrated me from ipv4 to ipv6 in the last few days, meaning three days without any phone or internet connection. They have “modernised” their net (I set this into parentheses, since they didn’t switch from copper to fibre but instead from old-school copper dsl to old-school vectoring copper dsl, so I get max. 1,8 MB/sec now instead of 1,2 MB/sec before. Not really an improvement. Not sure why they did it at all: Actually nothing was modernised.) Not completely sure about this ipv6 thing, since it seems I have two external IPs now, one is still ipv4 and the other one is ipv6 when asking whatsmyip sites. But editing e.g. in wikipedia still shows up with an ipv4 entry. No idea how they manage this, and when the ipv4 and when the ipv6 address will be used.

      So I had to read about ipv6, and had to learn this protocol breaks privacy when connecting your device, even when behind a router: In IPv6 you are uniquely trackable across the world wide web by the unique machine identifier address assigned. NAT no longer protects you. So I checked this after the migration was completed, in the connman GUI of antiX 23.1.

      Result: See screenshot below.

      Actually in default antiX 23.1 the ipv6 privacy is disabled. This is a Super-GAU, a no-go. @anticapitalista: Please, could this be changed in future antiX ISOs to have ipv6 privacy enabled by default? Otherwise all the trouble with setting up the antiX Adblock in the hosts file doesn’t make much sense. Users with this setting disabled are easily trackable worldwide, simply by the unique and static part in their IP, generated from the fixed hardware ethernet identifier key. This security flaw also permits vendor-specific attack strategies, so it’s a stern issue, not just a petitesse.

      Hey, even Windows XP SP1 defaults to temporary address generation for precisely that security and tracking reason. And now I accidentally find antiX failing on that? Well, I had no chance to detect it before, since providers in our country used to facilitate ipv4 until now.

      Meanwhile I tried to figure how to manually enable this privacy feature properly in antiX, but still have no clue.

      From https://manpages.debian.org/stretch/connman/connman-service.config.5.en.html you can learn there is an RFC allowing you to re-enable the former ipv4 level of privacy again:

      IPv6.Privacy=disabled | enabled | preferred
          IPv6 privacy settings as per RFC3041.

      I wonder whether this is the proper approach, since the RFC for SLAAC protocol privacy is RFC4941, not 3041…

      The default way to set it up, recommended by most sites on the internet, needs systemd. Only from archlinux can you learn there are some more methods available, one of them dealing specifically with connman, so that method should be fine for antiX:
      https://wiki.archlinux.org/title/IPv6#Privacy_extensions

      But it seems on antiX I can’t do the recommended modification:
      – The Connman GUI doesn’t provide a checkbox to enable ipv6 privacy (or do I simply overlook it?)
      – The file /var/lib/connman/service/settings doesn’t exist in antiX.
      – Clicking the “Modify Service File” entry in the Connman system tray GUI Preferences tab doesn’t show or allow selecting a settings file.

      Another site recommends adding the string privext 2 to the /etc/network/interfaces file.
      But this file reads explicitly: # Used by ceni but not by connman.

      So, what is the proper way to do it in antiX, particularly antiX 23.1 full runit (32 and 64 bit both)?

      Next question is: When and how often will the unique identifier value be changed once this feature is activated? (In the ipv4 universe the machine isn’t visible in the open www at all, only the router address was visible, and this is reassigned every 24 hours automatically by the ISP, so there was no privacy issue.) To provide the same level of privacy the ipv6 machine identifier must now be changed at least every 24 hours in the ipv6 universe. How to do this? Or will it occur automatically? Does it need a reboot every day or will it work automatically on the fly?

      All kinds of input, and the proper path for how to deal with this in antiX, are welcome!

      ————————-
      Further reading:
      https://www.internetsociety.org/resources/deploy360/2014/privacy-extensions-for-ipv6-slaac/
      https://en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_(SLAAC)
      https://en.wikipedia.org/wiki/IPv6_address#Temporary_addresses

      Windows is like a submarine. Open a window and serious problems will start.

      #139925
      Member
      abc-nix

        I think this is something you enable with sysctl.

        Check your /etc/sysctl.conf file. Based on this article, this is where you need to change things for ipv4/6 options.

        So, based on the above article, to enable ipv6 privacy, you would add:

        net.ipv6.conf.all.use_tempaddr=2
        net.ipv6.conf.default.use_tempaddr=2
        #139927
        Member
        Robin

          Update:

          Actually I have overlooked the IPv6 privacy setting in the Connman GUI. It is there. It is not in the “Preferences” tab, but available from within the “Details” tab, after selecting the network device from the pulldown at the top of the tab, and then clicking the button “Configuration” in the lower right corner. This brings up a new window named “Config editor”, in which the IPv6 tab contains a pulldown allowing the selection of “disabled/preferred/enabled” for the property “privacy”. After changing the entry from “disabled” to “enabled” and accepting with “OK” the IP is changed immediately, no longer bound to the hardware MAC of the network interface device.

          @anticapitalista and dev team: Please make this the default in antiX. Privacy must be set to “enabled” by default, not to “disabled”.

          ———–
          P.S.: Many thanks @Abc-nix, I saw your posting with the manual config method only after having found and written about the GUI way herein. I still wonder how and when the address will be changed now automatically.


          Windows is like a submarine. Open a window and serious problems will start.

          #139929
          Member
          abc-nix

            The file /var/lib/connman/service/settings doesn’t exist in antiX.

            You need to replace “service” with the access-point ID (if you ever used connmanctl you will realise what this is).

            #139944
            Forum Admin
            anticapitalista

              antiX basically uses the Debian default /etc/sysctl.conf file.

              If you compare them, there is nothing in either about:

              net.ipv6.conf.all.use_tempaddr=2
              net.ipv6.conf.default.use_tempaddr=2

              Re connman – we basically ship with Debian’s but remove reliance on systemd/elogind and add runit services.
              The only change is in /var/lib/connman/settings (as suggested by an antiX user):

              [global]
              OfflineMode=false
              TimeUpdates=manual
              TimezoneUpdates=auto
              [Wired]
              Enable=true
              Tethering=false
              [WiFi]
              Enable=true
              Tethering=false

              Philosophers have interpreted the world in many ways; the point is to change it.

              antiX with runit - leaner and meaner.

              #139955
              Member
              Robin

                Interim update:

                As said, the Connman GUI properly displays the changed v6 IP, no longer trackable after activating the IPv6 privacy extension in the Connman system tray GUI. This seems to take effect immediately. Restarted the network interface in the Connman GUI and the temporary IP survives this.

                Rechecked the IP detected by a whatsmyip site. Result: These sites still see the trackable v6 IP for some strange reason, containing the static hardware MAC address. Even physically disconnecting the cable and powering down the interface in connman, and replugging and restarting the interface, doesn’t change this. In the Connman GUI only the proper temporary IP is displayed, but actually on the internet the trackable IP is propagated. Not sure what to think of it.

                Further investigation:

                $ ifconfig
                eth0: flags=-28605<UP,BROADCAST,RUNNING,MULTICAST,DYNAMIC>  mtu 1500
                        inet 192.168.178.24  netmask 255.255.255.0  broadcast 192.168.178.255
                        inet6 2001:0c19:a007:fc00:afc7:3dff:fe00:f127  prefixlen 64  scopeid 0x0<global>
                        inet6 2001:0c19:a007:fc00:30c6:81f9:2441:56dd  prefixlen 64  scopeid 0x0<global>
                        inet6 fe10::afc7:3dff:fe00:f127  prefixlen 64  scopeid 0x20<link>
                        ether af:c7:3d:00:f1:27  txqueuelen 1000  (Ethernet)
                        RX packets 1195046696  bytes 1726511193632 (1.5 TiB)
                        RX errors 0  dropped 8340  overruns 0  frame 0
                        TX packets 643092738  bytes 43769623496 (40.7 GiB)
                        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                Here now seems to be the reason: The interface has been assigned three inet6 addresses, two of them marked <global> and one marked as <link>, whatever these marks mean. Obviously the trackable IP is in use, even when the other one is present.

                You need to replace “service” with the access-point ID (if you ever used connmanctl you will realise what this is).

                Checking this file:

                $ sudo cat /var/lib/connman/ethernet_afc73d00f127_cable/settings
                [ethernet_afc73d00f127_cable]
                Name=Wired
                AutoConnect=true
                Modified=2024-04-19T13:18:37Z
                IPv4.method=dhcp
                IPv4.DHCP.LastAddress=192.168.178.24
                IPv6.method=auto
                IPv6.privacy=enabled
                IPv6.DHCP.DUID=000100012db63917afc73d00f127

                IPv6.privacy is enabled in this file after changing the respective setting in the GUI.

                When closing and reopening the Connman tray GUI, the Privacy setting stays “enabled”, BUT the former trackable v6 IP is displayed again. So this mechanism seems not to be reliable.

                Next checkout:

                Check your /etc/sysctl.conf file. Based on this article, this is where you need to change things for ipv4/6 options.

                So, based on the above article, to enable ipv6 privacy, you would add

                net.ipv6.conf.all.use_tempaddr=2
                net.ipv6.conf.default.use_tempaddr=2

                Added these lines, and restarted the network interface. No change in behaviour. Still the trackable v6 IP is propagated to the www. Unfortunately I’m on a live system, so I can’t simply reboot with this changed setting (will have to remaster to let it survive a reboot).

                Seems there is no way for me to prohibit the world wide propagation of the unique static MAC address with this new IPv6 thing. The additional temporary IPv6 address Connman manages is rudely ignored, also the privacy=enabled setting. I run out of ideas…

                Windows is like a submarine. Open a window and serious problems will start.

                #139956
                Member
                Robin

                  Update
                  Some more testing turned out: This setting must be set to “preferred” rather than to “enabled”. This is misleading. “Enabled” suggests this setting is mandatorily obeyed, while “preferred” suggests programs can overwrite this user preference at any time and unnoticed. It’s just preferred. But actually when setting “enabled” it is not enabled at all, and only setting “preferred” makes it work. Weird thing.

                  I sense a technical problem setting this as a default: The IPv6.privacy=preferred setting lives in a device specific config file. Can it be written to the /var/lib/connman/settings file also, so it is applied as a policy for all network interfaces?

                  The only change is in /var/lib/connman/settings

                  If so, then you could add this very line to this file to solve the issue, the same way you have added the other changes you’ve mentioned.

                  Windows is like a submarine. Open a window and serious problems will start.

                  #139957
                  Member
                  abc-nix

                    EDIT: Ignore the following. Robin found a better way.

                    Unfortunately I’m on a live system, so I can’t simply reboot with this changed setting

                    On the same article I linked, they also say you can temporarily enable ipv6 privacy using the sysctl command. For eth0, that would be:
                    sudo sysctl -w net.ipv6.conf.eth0.use_tempaddr=2

                    After this, restart the network interface as you did before and see if this helps. What I am not sure is if the ipv6 address propagated outside (on the web) is related to the machine MAC address or the modem MAC address. I am embarrassed to say this, but I hope you can continue being the guinea pig that will discover how these changes work and figure out a systemwide solution.

                    antiX basically uses the Debian default /etc/sysctl.conf file

                    Then maybe antiX can create a file inside /etc/sysctl.d/ so that it can continue using the default sysctl.conf file and put the extra options into a 99-antix.conf or similar file.

                    #139967
                    Member
                    Robin

                      What I am not sure is if the ipv6 address propagated outside (on the web) is related to the machine MAC address or the modem MAC address.

                      That is what makes the difference between the former IPv4 protocol and the new IPv6 protocol: In the IPv4 universe only the router IP is visible worldwide, not the machine IPs behind it in the internal network. Also this v4 router IP doesn’t provide any unique characteristics allowing tracking. It’s just an arbitrary IP, changed every 24 hours automatically by the provider.

                      In contrast to this, in the IPv6 universe now the full IP address of every single internal network device is visible worldwide (and also addressable). And even when the provider renews the network address after 24 hours (technically the provider now assigns you a small segment of the network rather than a single address), the second half of each machine address is static (since it is simply the hardware MAC of the device), as long as the IPv6 privacy protocol extensions are not activated. Only then do you get a randomly calculated hash from the MAC as the static part in your device-specific IP instead of the MAC itself. This hash seems to be renewed after each power down and power up cycle of the network interface. Hopefully it is also renewed automatically after n hours by the kernel… But in the IPv6 universe the router/modem IP is no longer used to represent all machines living in the internal LAN to the outer world. There is no longer a NAT with IPv6. That makes it that crucial to have no static parts in your local machine v6 IPs even within your LAN, otherwise you are trackable worldwide, forever, by means of your propagated, literally unchangeable hardware MAC. (Being uniquely addressable forever was the original design idea of IPv6, and can be really useful for specific use cases, but for private individuals this is a privacy Super-GAU on the internet. Deactivating privacy should always be a conscious decision, never the default.)

                      And yes, until now in antiX the machine MAC is actually used for IPv6 address generation, which renders people prone to being tracked easily and completely unnoticed, even when having set up the Adblocker and browser security perfectly fine in their system.

                      Windows is like a submarine. Open a window and serious problems will start.

                      #139977
                      Forum Admin
                      anticapitalista

                        The shipped /etc/sysctl.conf file also has these lines at the end. Do they work?

                        # Uncomment to disable ipv6
                        #net.ipv6.conf.all.disable_ipv6 = 1
                        #net.ipv6.conf.default.disable_ipv6 = 1
                        #net.ipv6.conf.lo.disable_ipv6 = 1

                        Philosophers have interpreted the world in many ways; the point is to change it.

                        antiX with runit - leaner and meaner.

                        #140001
                        Member
                        abc-nix

                          I had ipv6 disabled but some time ago I experienced issues with some program or some website. I searched for the error and it needed ipv6 enabled to work. Since then, ipv6 is enabled on my system. Disabling it is the easiest option for privacy, but probably isn’t a solution that fits for everyone.

                          Let some more users test these ipv6 privacy options before pushing for a final solution.

                          @Robin, what options should be added to /var/lib/connman/settings that would enable ipv6 privacy systemwide? What needs to be done if using /etc/network/interfaces instead? I will try it out on a live system, but I don’t know how to test if it is working (what website do I need to visit and what exactly do I need to look at to make sure it is working?)

                          #140005
                          Member
                          wildstar84

                            As abc-nix said, this may not work for everyone (just like some sites now don’t work w/ad-blockers, noscript, etc.) so (ymmv). Disabling ipv6 still seems to work fine for me (here in the ‘States) though (and the OP said that his ISP provides both a 4 and a 6 address). Here’s what I do to disable:

                            1) Kernel command line:
                            add “ipv6.disable=1” (requires reboot)

                            2) /etc/gai.conf file:
                            Uncomment the following lines to “prefer ipv4” (per http://askubuntu.com/questions/32298/prefer-a-ipv4-dns-lookups-before-aaaaipv6-lookups):

                            precedence ::ffff:0:0/96 100
                            scopev4 ::ffff:169.254.0.0/112 2
                            scopev4 ::ffff:127.0.0.0/104 2
                            scopev4 ::ffff:0.0.0.0/96 14

                            3) Firefox user.js file:
                            Add following preference:
                            user_pref("network.dns.disableIPv6", true);

                            4) IF using dnscrypt-proxy to encrypt your DNS lookups:
                            Add/uncomment the following lines:

                            ## Use servers reachable over IPv6 — Do not enable if you don’t have IPv6 connectivity
                            ipv6_servers = false
                            block_ipv6 = true

                            Regards,

                            Jim

                            #140018
                            Member
                            Robin

                              Disabling it is the easiest option for privacy, but probably isn’t a solution that fits for everyone.
                              Let some more users test these ipv6 privacy options before pushing for a final solution.

                              Simply yes. Signed.

                              Disabling ipv6 still seems to work fine for me (here in the ‘States) though (and the OP said that his ISP provides both a 4 and a 6 address)

                              Can confirm I can disable IPv6 completely, then all connections are built up using IPv4 via Router NAT as before.
                              This can be done without reboot in the Connman tray GUI, and makes the device’s (really hard to change) hardware MAC invisible again in the www.

                              But precisely like ABC-nix already has said, that’s not a solution for people whose ISPs only provide IPv6, which is clearly the future. They can’t simply disable IPv6 without losing connectivity. Moreover some web sites are no longer reachable in IPv4 address space. So the privacy extension is essential to be active by default.

                              what options should be added to /var/lib/connman/settings that would enable ipv6 privacy systemwide? What needs to be done if using /etc/network/interfaces instead?

                              Have not found out how to make it active system-wide. By now the extension works fine if set to “preferred” for a specific networking interface.

                              My doubts: “Preferred” sounds to me like it might be ignored arbitrarily by software, e.g. by browsers; it’s just preferred, not mandatory enabled. How to get rid of the additional trackable machine IPv6 completely?

                              I will try it out on a live system, but I don’t know how to test if it is working (what website do I need to visit and what exactly do I need to look at to make sure it is working?)

                              @Abc-nix Please see screenshot for details. You simply need to compare the static Hardware interface MAC of your machine (look it up either by ifconfig command or in Connman, or wherever else, it should be printed even somewhere on the back of the device) with the marked position in your reported IPv6. You can use any site reporting your external visible IPv6 for this, I have used arbitrarily https://whatismyipaddress.com/
                              On default antiX 23.1 you’ll see your static hardware MAC in the marked positions of the IPv6, which makes you uniquely trackable worldwide across reboots and antiX upgrades or fresh installs, and even after moving to another ISP, as long as you access the web from this very hardware, even across decades. You’ll find the MAC address split up into two blocks, separated by the then static values ff:fe in between.
                              If the IPv6 privacy extension was successfully enabled on your machine, you should no longer see your hardware MAC being present in the reports. Then everything is fine. Moreover you can check with the netstat command (from package net-tools) on console the established IPv4 and IPv6 connections.

                              Windows is like a submarine. Open a window and serious problems will start.
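The manual check described above (compare the interface MAC with the ff:fe-split block in the reported IPv6) and the three-address ifconfig listing earlier in the thread, as an added Python example that is not from the forum thread or from antiX/connman; the MAC, the addresses and the ifconfig text are constructed sample values in the 2001:db8::/32 documentation prefix.

```python
"""Tell MAC-derived (modified EUI-64) IPv6 addresses from RFC 4941 temporary ones."""
import ipaddress
import re
from typing import Dict, List, Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """Interface identifier SLAAC derives from a 48-bit MAC without privacy
    extensions (RFC 4291, Appendix A): ff:fe inserted between the OUI and the
    device part, universal/local bit (0x02 of octet 0) inverted."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def interface_id(addr: str) -> bytes:
    """Low 64 bits of an IPv6 address, i.e. the host part of a /64."""
    return ipaddress.IPv6Address(addr).packed[8:]


def embedded_mac(addr: str) -> Optional[str]:
    """MAC readable out of an EUI-64-style address, or None. That this works
    at all is the tracking problem: every peer that sees the address gets it."""
    iid = interface_id(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def is_eui64_for(addr: str, mac: str) -> bool:
    """True if addr's interface identifier is exactly the modified EUI-64 of mac."""
    return interface_id(addr) == mac_to_modified_eui64(mac)


# ifconfig-style line: "inet6 <addr>  prefixlen 64  scopeid 0x0<global>"
_INET6 = re.compile(r"inet6\s+(\S+)\s+prefixlen\s+\d+\s+scopeid\s+0x[0-9a-fA-F]+<(\w+)>")


def classify(ifconfig_text: str, mac: str) -> Dict[str, List[str]]:
    """Sort global inet6 addresses into MAC-derived and temporary ones.
    Link-local addresses are skipped: they never leave the LAN."""
    result: Dict[str, List[str]] = {"mac_derived": [], "temporary": []}
    for addr, scope in _INET6.findall(ifconfig_text):
        if scope != "global":
            continue
        key = "mac_derived" if is_eui64_for(addr, mac) else "temporary"
        result[key].append(addr)
    return result


def verdict(ifconfig_text: str, mac: str) -> str:
    """A temporary address is necessary but not sufficient: while the EUI-64
    address is still configured it may still be picked as source address
    (Linux use_tempaddr=1 keeps it preferred, use_tempaddr=2 does not)."""
    c = classify(ifconfig_text, mac)
    if not c["temporary"]:
        return "no temporary address: privacy extensions inactive"
    if c["mac_derived"]:
        return "temporary address present, but EUI-64 address still configured"
    return "only temporary global addresses: MAC not exposed"


# Constructed sample, modelled on the three-address listing in the thread.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.178.24  netmask 255.255.255.0  broadcast 192.168.178.255
        inet6 2001:db8:a007:fc00:211:22ff:fe33:4455  prefixlen 64  scopeid 0x0<global>
        inet6 2001:db8:a007:fc00:30c6:81f9:2441:56dd  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::211:22ff:fe33:4455  prefixlen 64  scopeid 0x20<link>
        ether 00:11:22:33:44:55  txqueuelen 1000  (Ethernet)
"""

if __name__ == "__main__":
    for kind, addrs in classify(SAMPLE_IFCONFIG, SAMPLE_MAC).items():
        for a in addrs:
            print(f"{kind:12s} {a}  embedded MAC: {embedded_mac(a)}")
    print(verdict(SAMPLE_IFCONFIG, SAMPLE_MAC))
```

On a real machine, feed it the output of `ifconfig eth0` and the `ether` value from the same listing; the same functions work on an address copied from a whatsmyip site.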

                              #140033
                              Member
                              abc-nix

                                Thanks, Robin.

                                I tried testing on a live USB, but for some reason my ipv6 is not being detected. On another website it says:

                                No IPv6 address detected

                                So maybe this is one of the configurations included by default on antiX’ firefox-esr settings. I will test on a different device and browser later. I have also changed so many things on my router that maybe that is also to blame, so will try connecting to my phone next time I test.

                                #140034
                                Member
                                Xunzi_23

                                  Hi Robin, many thanks for bringing up this touchy subject.

                                  A long time ago, before IPV6 was forced upon us by tier 1 intelligence provider Vodafone, a person I highly respected suggested regularly changing the device MAC, and systemd/device ID, remembering that this will not make any change to the way agencies collect data; to the USA and local agencies we are all suspects. FISA has, as expected, again been approved.

                                  sudo ifconfig eth0 down
                                  sudo ifconfig eth0 hw ether xx:xx:xx:xx:xx:xx
                                  sudo ifconfig eth0 up

                                  Will make a change that does not survive a reboot. My brain is too messed up after 4X Covid to be capable of scripting a setup which assigns a new, preferably random, MAC address every boot. That would only be of use in some cases; due to a shitty neighbor tapping my router I only allow WIFI access from 2 MAC addresses, so I would need to change those if I change the device MAC.
