Web security: Default IPv6 privacy disabled in antiX ?


  • This topic has 26 replies, 6 voices, and was last updated May 20, 10:27 am by twntrelwn.
Viewing 12 posts - 16 through 27 (of 27 total)
  • #140080
    Member
    Robin

      The shipped /etc/sysctl.conf file also has these lines at the end. Do they work?

      Not sure whether these work; this could only be tested on a system that keeps these settings across a reboot. Somebody else will have to find that out.

      But apart from that, it’s not the very best idea to deactivate IPv6 completely by default in antiX. Some/many users might encounter issues if their ISP no longer provides IPv4 connections.

      The proper solution is to set the privacy extensions to “preferred” as a system-wide default, as a policy for all network connections and interfaces.

      Further reading (sorry, German language only; use e.g. traduzir paginas web by Felipe PS to see the site translated to your language):
      https://www.heise.de/ratgeber/IPv6-Privacy-Extensions-einschalten-1204783.html?seite=all
      This article is very informative. It shows that Windows solved this issue long ago by setting the defaults properly, while in most Linux distros the user is still on his own with that, not even informed about the lack of privacy in the default IPv6 configuration when plugging his PC into the network.

      It seems to be correct behaviour to have multiple IPv6 addresses assigned to a single network interface, among them the trackable MAC-generated IP. These are valid for different “scopes”. Looks like a pretty sophisticated and complex construction, not easy to understand and to handle.
      See https://www.elektronik-kompendium.de/sites/net/2107111.htm and https://www.elektronik-kompendium.de/sites/net/2004011.htm for details (again, German language only, sorry; use traduzir paginas…).

      Important to understand is: in the IPv6 world the client no longer gets its address assigned by the DHCP server. Instead the DHCP server assigns only a prefix, and the client machine builds its own IP address from this prefix. By default it uses its MAC address to build it, which breaks privacy. Only with the privacy extension activated and used on the very machine is your privacy restored in the IPv6 universe.

      Try the command:
      $ ip -d -6 addr show

      The output of this command will give you an idea which addresses are currently bound to your network interface(s) and how long they are valid.
      scope global temporary, address starting with fd00:… means this is a temporary address that is only locally valid, not routed into the www.
      scope global temporary, address starting with 2001:… means this is a temporary address routed into the www.

      $ ip -d -6 addr show
      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
          link/loopback 00:00:00:00:00:00
          inet6 ::1/128 scope host 
             valid_lft forever preferred_lft forever
      2: eth0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 state UP qlen 1000
          link/ether af:c7:3d:00:f1:27
          inet6 fd00::9663:500:92b9:afaf/64 scope global temporary dynamic 
             valid_lft 7006sec preferred_lft 3406sec
          inet6 fd00::afc7:3dff:fe00:f127/64 scope global dynamic mngtmpaddr 
             valid_lft 7006sec preferred_lft 3406sec
          inet6 2001:16b8:8116:c00:bd6f:35c8:4097:458a/64 scope global temporary dynamic 
             valid_lft 7006sec preferred_lft 3406sec
          inet6 2001:16b8:8116:c00:afc7:3dff:fe00:f127/64 scope global dynamic mngtmpaddr 
             valid_lft 7006sec preferred_lft 3406sec
          inet6 fe80::afc7:3dff:fe00:f127/64 scope link 
             valid_lft forever preferred_lft forever

      I only allow WIFI access from 2 MAC addresses so would need to change those if I change device MAC.

      That is what renders this approach infeasible. Basically it should never be necessary to change the hardware MAC, since the MAC should never be propagated outside your private LAN. IPv6 breaks this rule. Bad design.

      Windows is like a submarine. Open a window and serious problems will start.
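Added example, not code from the post above and not part of antiX or Connman: a POSIX shell script that does by hand what Robin reads off `ip -d -6 addr show`. It expands each address, classifies it (loopback, link-local, ULA, global), flags interface identifiers in modified EUI-64 form (the ff:fe marker in the middle of the identifier) and recovers the MAC they encode, and lists interfaces that carry a routable stable address but no temporary one. It goes one step beyond the post in that the MAC recovery also undoes the flipped universal/local bit (0x02 in the first byte), which is why the first hextet of the identifier is not the first two MAC bytes verbatim. The `ip` output, the documentation prefix 2001:db8::/32 and the MACs 52:54:00:12:34:56 and 52:54:00:ab:cd:ef in the sample are constructed.

```shell
#!/bin/sh
# Added example, not antiX or Connman code: audit the output of `ip -6 addr show`,
# flag MAC-derived (EUI-64) addresses, recover the MAC they encode and name the
# interfaces that lack a temporary (privacy-extension) address.

# Expand an IPv6 address (a trailing /prefixlen is ignored) to eight 4-digit hextets.
expand_ipv6() {
    printf '%s\n' "${1%%/*}" | awk -F'::' '{
        $0 = tolower($0)
        nl = split($1, l, ":"); nr = 0
        if (nl == 1 && l[1] == "") nl = 0                 # address begins with "::"
        if (NF == 2) { nr = split($2, r, ":"); if (nr == 1 && r[1] == "") nr = 0 }
        out = ""
        for (i = 1; i <= nl; i++) { h = l[i]; while (length(h) < 4) h = "0" h; out = out h ":" }
        for (i = 1; i <= 8 - nl - nr; i++) out = out "0000:"   # the hextets "::" stands for
        for (i = 1; i <= nr; i++) { h = r[i]; while (length(h) < 4) h = "0" h; out = out h ":" }
        sub(/:$/, "", out); print out
    }'
}

# Classify by prefix: loopback, link-local (fe80::/10), ULA (fc00::/7) or global.
ipv6_kind() {
    case "$(expand_ipv6 "$1")" in
        0000:0000:0000:0000:0000:0000:0000:0001) echo loopback ;;
        fe8?:*|fe9?:*|fea?:*|feb?:*)             echo link-local ;;
        fc??:*|fd??:*)                           echo ula ;;
        *)                                       echo global ;;
    esac
}

# If the interface identifier is in modified EUI-64 form (bytes 3-4 == ff:fe),
# print the MAC it encodes, undoing the flipped universal/local bit (0x02 of
# byte 0), and return 0; otherwise return 1.
eui64_mac() {
    iid=$(expand_ipv6 "$1" | cut -d: -f5-8)                 # e.g. 5054:00ff:fe12:3456
    case "$iid" in ????:??ff:fe??:????) ;; *) return 1 ;; esac
    h5=${iid%%:*}; rest=${iid#*:}; h6=${rest%%:*}; rest=${rest#*:}; h7=${rest%%:*}; h8=${rest#*:}
    printf '%02x:%s:%s:%s:%s:%s\n' $(( 0x${h5%??} ^ 0x02 )) \
        "${h5#??}" "${h6%??}" "${h7#??}" "${h8%??}" "${h8#??}"
}

# One line per inet6 address: IFACE ADDR KIND temporary|stable [EUI-64 (reveals MAC ..)].
# Takes the `ip -6 addr show` text as $1, or reads it from stdin.
check_ipv6_addrs() {
    if [ $# -gt 0 ]; then printf '%s\n' "$1"; else cat; fi |
    awk '/^[0-9]+: / { sub(/:$/, "", $2); ifname = $2 }
         /^[ \t]*inet6 / { print ifname, $2, ($0 ~ /[ \t]temporary([ \t]|$)/ ? "temporary" : "stable") }' |
    while read -r ifname addr life; do
        kind=$(ipv6_kind "$addr")
        if mac=$(eui64_mac "$addr"); then
            printf '%s %s %s %s EUI-64 (reveals MAC %s)\n' "$ifname" "$addr" "$kind" "$life" "$mac"
        else
            printf '%s %s %s %s\n' "$ifname" "$addr" "$kind" "$life"
        fi
    done
}

# Interfaces with a routable (global/ULA) stable address but no temporary one:
# there, outgoing connections carry the trackable address.
ifaces_missing_temporary() {
    check_ipv6_addrs "$@" | awk '
        $3 == "global" || $3 == "ula" { seen[$1] = 1; if ($4 == "temporary") has_tmp[$1] = 1 }
        END { for (i in seen) if (!(i in has_tmp)) print i }' | sort
}

# Constructed sample (not a real capture): documentation prefix 2001:db8::/32,
# MACs 52:54:00:12:34:56 (eth0, privacy extensions on) and 52:54:00:ab:cd:ef (eth1, off).
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1a2b:3c4d:5e6f:7081/64 scope global temporary dynamic
       valid_lft 86400sec preferred_lft 14400sec
    inet6 2001:db8:1:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd00::5054:ff:feab:cdef/64 scope global dynamic
       valid_lft 86400sec preferred_lft 14400sec
    inet6 fe80::5054:ff:feab:cdef/64 scope link
       valid_lft forever preferred_lft forever'

check_ipv6_addrs "$SAMPLE"
echo "no temporary address on: $(ifaces_missing_temporary "$SAMPLE" | tr '\n' ' ')"
```

On a live system, source the file and run `ip -6 addr show | check_ipv6_addrs`; any line ending in "EUI-64 (reveals MAC …)" whose kind is global or ula is an address that carries the hardware MAC beyond the LAN, and every interface that `ifaces_missing_temporary` prints is one where the privacy extensions are not in effect.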

      #140085
      Member
      Robin

        A long time ago, before IPv6 was forced upon us by tier 1 intelligence provider Vodafone,
        a person I highly respected suggested regularly changing the device MAC and the systemd/device ID,
        remembering that this will make no difference to the way agencies collect data; to the USA and local
        agencies we are all suspects. FISA has, as expected, been approved again.

        Hi @Xunzi_23,

        In the IPv4 universe it was enough not to connect your device directly to the provider’s web but to use a well-designed router (like the AVM Fritz boxes) to make your device MAC invisible to the outside world. So there was never a real need to change your hardware MAC at all.

        Concerning the agencies with their greedy five or more eyes: enabling the IPv6 privacy extension will not keep them from spying if they consider you a worthwhile target; it’s their job, and they will continue. Personally I don’t think they have any interest in e.g. me or you. With a few exceptions they are not interested in what average people are doing on the web. But there are other real threats which you might only notice some years later, e.g. when you look for a new job and a potential employer finds out you dared to post in an anticapitalistic and antifascist web forum like this place here in your youth, even if that was many years ago, and you are silently dismissed without knowing why. Or if you are refused by an insurer, since you contacted an online medical service 10 years ago asking some questions which make them doubt your current statements in their health questionnaire. Or simply think of an extremist government taking over some day in your country; then they can easily look up whether you have ever done something they don’t like in your online life of the last 20 years. All this simply by your unique IPv6 address. Or just think of the ubiquitous personalised advertising. There is no limit to the possible scenarios continuing this list of ways in which the tracking IPv6 address can backfire some years later. Better safe than sorry.

        The basic principle to observe is what we call in our country „Datensparsamkeit” (please use e.g. traduzir paginas web by Felipe PS to read this text translated to your language; the respective English Wikipedia entry on this subject has another focus. It means something like data minimisation or data austerity.) To achieve this Datensparsamkeit, privacy by design is one of the means which should be observed by any OS. And NOT binding a static hardware MAC to your IP address is one of the very basic things to assure.


        #140126
        Member
        Xunzi_23

          Thanks Robin,
          One more tiny aid is to use different browsers for different tasks
          and to delete the browser cache at every desktop start. That came out of finding
          the gigabyte caches of Firefox and, worse, Chrome-based browsers some
          years ago; since then things have become worse, web sites more
          complicated and browsers storing more on user devices.
          My internet is fast enough not to care about that, and I do not
          open a huge number of tabs, nor do I play videos in
          a browser unless forced.

          You are deeper into the problems and possible mitigations;
          does the part of sysctl.conf below look sane?
          Not sure if net.ipv6.conf.default.use_tempaddr=2 is useful on antiX
          or whether I misunderstood something. I want things right before
          changing any user system.

          # Switch IPv6 privacy extensions on
          net.ipv6.conf.eth0.use_tempaddr = 2
          net.ipv6.conf.wlan0.use_tempaddr = 2
          net.ipv6.conf.default.use_tempaddr = 2

          ####################################################################

          # Set the time an IPv6 temporary address stays valid: 86400 is 24 hrs, 43200 is 12 hrs
          net.ipv6.conf.eth0.temp_valid_lft = 86400
          net.ipv6.conf.wlan0.temp_valid_lft = 86400
          # (the kernel really spells this sysctl "prefered")
          net.ipv6.conf.eth0.temp_prefered_lft = 86400
          net.ipv6.conf.wlan0.temp_prefered_lft = 86400

          Above edited as I try to get this right.

          #140130
          Member
          Robin

            antiX basically uses the Debian default /etc/sysctl.conf file

            Citation from The Debian Administrator’s Handbook, section about IPv6

            »IPv6 subnets usually have a netmask of 64 bits. This means that 2^64 distinct addresses exist within the subnet. This allows Stateless Address Autoconfiguration (SLAAC) to pick an address based on the network interface’s MAC address. By default, if SLAAC is activated in your network and IPv6 on your computer, the kernel will automatically find IPv6 routers and configure the network interfaces.
            This behavior may have privacy implications. If you switch networks frequently, e.g. with a laptop, you might not want your MAC address being a part of your public IPv6 address. This makes it easy to identify the same device across networks. A solution to this are IPv6 privacy extensions (which Debian enables by default if IPv6 connectivity is detected during initial installation), which will assign an additional randomly generated address to the interface, periodically change them and prefer them for outgoing connections. Incoming connections can still use the address generated by SLAAC.«

            So I wonder why this feature is then disabled in antiX, when Debian states it is activated by default and antiX uses the Debian defaults for IPv6?

            does the part of sysctl.conf below look sane? Not sure if net.ipv6.conf.default.use_tempaddr=2 is useful on antiX or whether I misunderstood something. I want things right before changing any user system.

            Sorry, I also don’t know. Still no idea how to make sure these extensions are active in antiX by default for all network interfaces without editing the device-specific configs manually in the Connman GUI, one by one.


            #140133
            Member
            Xunzi_23

              Thanks again Robin. For this evening, I have decided to try to figure out whether the IPv6 settings from Tails,
              which is based on Debian, might help in understanding how and why the weirdness with MAC/IPv6 is happening.

              #140310
              Member
              Robin

                to enable ipv6 privacy, you would add…

                Bad news. Running antiX 23.1 runit full 64 bit Live.

                After adding the lines

                net.ipv6.conf.all.use_tempaddr=2
                net.ipv6.conf.default.use_tempaddr=2

                as recommended to /etc/sysctl.conf, I did a complete (personal) remaster (including the home folder, so all config is preserved) to make the privacy extension settings permanent.

                After the reboot the new linuxfs is in use. The additional lines are still present in the file, but they are obviously ignored:

                $ ifconfig
                eth0: flags=-28605<UP,BROADCAST,RUNNING,MULTICAST,DYNAMIC>  mtu 1500
                        inet 192.168.178.24  netmask 255.255.255.0  broadcast 192.168.178.255
                        inet6 2001:0c19:a007:fc00:afc7:3dff:fe00:f127  prefixlen 64  scopeid 0x0<global>
                        inet6 fe10::afc7:3dff:fe00:f127  prefixlen 64  scopeid 0x20<link>
                        ether af:c7:3d:00:f1:27  txqueuelen 1000  (Ethernet)
                        RX packets 30379  bytes 41050965 (39.1 MiB)
                        RX errors 0  dropped 0  overruns 0  frame 0
                        TX packets 16511  bytes 1564769 (1.4 MiB)
                        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                No temporary IPv6 at all. Only the forever-trackable hardware-MAC-bound tracking IP is present for v6. (You can easily recognise it by the static ff:fe marker/separator at the respective position of the single global line.)

                So what is the proper way to permanently enable the IPv6 privacy extensions for all network interfaces by default in antiX (Live)?

                for this evening, I have decided to try to figure out whether the IPv6 settings from Tails,
                which is based on Debian, might help in understanding how and why the weirdness with MAC/IPv6 is happening.

                Did you get any further insights from this?

                I can only repeat: Debian itself states clearly that these extensions are active by default in its current releases. Just a vague guess: possibly they have buried the setup for this deep inside their systemd stuff, which is stripped from antiX?


                #140315
                Member
                abc-nix

                  @Robin.
                  It seems the connman configuration overrides the kernel parameters (source). The sysctl change should work for connections established with ceni.

                  About connman: once you change the IPv6 privacy mode to “preferred” in the cmst GUI, does the service file have the value

                  IPv6.Privacy="preferred"
                  or is there a typo in “prefered”?

                  I still fail to set up ipv6 privacy when experimenting with this, and I am not reporting anything, for the issue is on my end. It is a bit infuriating, but I cannot spend too much time on this. I am glad you can test on your end, and hopefully something can be achieved.

                  #140321
                  Member
                  Robin

                    Connman config immediately after reboot:

                    $ sudo cat /var/lib/connman/ethernet_afc73d00f127_cable/settings
                    [ethernet_afc73d00f127_cable]
                    Name=Wired
                    AutoConnect=true
                    Modified=2024-04-24T17:09:01Z
                    IPv4.method=dhcp
                    IPv4.DHCP.LastAddress=192.168.178.24
                    IPv6.method=auto
                    IPv6.privacy=disabled

                    After switching the privacy extensions on in the Connman tray GUI the line is changed to prefered [sic!]

                    $ sudo cat /var/lib/connman/ethernet_afc73d00f127_cable/settings
                    [ethernet_afc73d00f127_cable]
                    Name=Wired
                    AutoConnect=true
                    Modified=2024-04-24T17:09:01Z
                    IPv4.method=dhcp
                    IPv4.DHCP.LastAddress=192.168.178.24
                    IPv6.method=auto
                    IPv6.privacy=prefered
                    $ ifconfig
                    eth0: flags=-28605<UP,BROADCAST,RUNNING,MULTICAST,DYNAMIC>  mtu 1500
                            inet 192.168.178.24  netmask 255.255.255.0  broadcast 192.168.178.255
                            inet6 2001:0c19:a007:fc00:afc7:3dff:fe00:f127  prefixlen 64  scopeid 0x0<global>
                            inet6 2001:16b8:815a:7700:5233:670:6bbc:18fc  prefixlen 64  scopeid 0x0<global>
                            inet6 fe10::afc7:3dff:fe00:f127  prefixlen 64  scopeid 0x20<link>
                            ether af:c7:3d:00:f1:27  txqueuelen 1000  (Ethernet)
                            RX packets 30380  bytes 41050989 (39.2 MiB)
                            RX errors 0  dropped 0  overruns 0  frame 0
                            TX packets 16512  bytes 1564772 (1.4 MiB)
                            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                    or is there a typo in “prefered”?

                    It actually looks like they have a typo in their config. (Maybe they accept both, and only the GUI creates that misspelled entry? Nevertheless, it obviously works that way. I have not counterchecked yet by manually entering a properly spelled preferred into the file.)


                    #140337
                    Member
                    Robin

                      Has anybody found out whether the IPv6 privacy extensions can be enforced in Connman config files globally, not only for a specific interface?

                      Seems there are two possible places:

                      /var/lib/connman/settings
                      /etc/connman/main.conf

                      But I can’t find any documentation on the web for the proper syntax for these IPv6 privacy extensions in these global settings files, or whether this is possible globally in Connman at all. Maybe Connman can manage that feature only on a per-interface basis? That would be a very poor implementation.

                      Even tried to contact them on IRC. Looks like they don’t want people asking them:

                      Information
                      ===========
                      IRC:
                      	ircs://irc.oftc.net:6697/#connman (for SSL)
                      	irc://irc.oftc.net:6667/#connman (for non-SSL)
                      <Robin> Hi, I have a question concerning global configuration of IPv6 privacy extensions in Connman, like a policy.
                      <Robin> I know I can do it per interface in the respective settings files /var/lib/connman/ethernet_abcdefghijk_cable/settings
                      <Robin> by changing IPv6.privacy=disabled to IPv6.privacy=prefered 
                      <Robin> But how can this be done with Connman system wide as a policy for all network interfaces, even when plugged later e.g. as USB devices ?
                      * #connman :Cannot send to channel (You are not registered and verified.  '/msg NickServ help' to learn how to register and verify)

                      Maybe somebody else has better luck with them. It seems my registered IRC account is not good enough for their support room. Strange folks.

                      As a really dirty workaround antiX could add a routine to one of its startup scripts, something like:

                      # for i in /var/lib/connman/*/settings; do if grep ^IPv6.privacy= "$i" >/dev/null; then sed -i 's/^IPv6.privacy=..*$/IPv6.privacy=prefered/' "$i"; else echo "IPv6.privacy=prefered" >>"$i"; fi; done

                      (Must be run as root, since the config files and folders are access protected.)

                      This one-liner would check all Connman interfaces already found at startup and replace any wrong defaults set by Connman, or add the line if it was detected to be missing. That approach has a severe drawback compared with a proper policy in the global sections: it will fail on all new interfaces added or configured at runtime after the startup script was executed (e.g. USB network dongles). Moreover I’m not sure yet whether it is enough to change the config, or whether all interfaces need to be restarted after the config change is applied.


                      #142983
                      Member
                      twntrelwn

                        Hello. It’s my first post and a new attempt to understand how IPv6 can be disabled.
                        I’m using 6.1.60-antix.1-amd64-smp. My VPN app can’t connect because of activated IPv6, although I have already followed the path to deactivate it. I’ve used the command-line connection, which is established pretty well, but I found that my details are exposed due to the IPv6 information.
                        I have read the whole thread here about connman, conflicts between network managers (although when I installed NetworkManager it is somehow locked, I can’t do anything except look at its interface), tried a lot of the proposed solutions but I have no result.
                        Can someone help me understand the exact process I have to follow to deactivate IPv6 through connman? I’m not so familiar with programming, but if the path is clear (commands as they have to be placed) I can do it. It would also be helpful if someone can help with pics of the connman app.
                        Thanks, and sorry for my poor level of understanding of all the previous posts.

                        #142989
                        Member
                        Robin

                          Deactivating IPv6 completely is pretty easy in Connman. The steps are:

                          – Click the network monitoring icon in the system tray to open the Connman system tray window.
                          – Click the Details tab in it.
                          – Select the network interface you want to change to IPv4-only from the Service pulldown (e.g. “Wired [eth0]”).
                          – Click the Configuration button.
                          – In the Properties editor window which then comes up, select the “IPv6” tab.
                          – Set the Method from the pulldown to “off”.
                          – Accept with OK.

                          – Repeat that procedure separately for all network interfaces present in your device (if necessary).

                          That’s the detailed step-by-step path to disable IPv6 completely in default antiX (full, 23.1).

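Added example, not antiX’s or Connman’s code and not from any post in this thread: a shell script that does what Robin’s one-liner in #140337 does, but idempotently and against a state directory passed on the command line, and that can alternatively switch IPv6 off for every service, the settings-file counterpart of the GUI steps in the post above. `IPv6.privacy=prefered` is Connman’s own spelling as seen in the settings file quoted in #140321; `IPv6.method=off` is assumed to be what the Method “off” choice in the GUI writes (an assumption, not verified on this page). Whether a running Connman picks up an edited file without a restart is not settled in this thread either, so restart the service or reboot after running it against the real /var/lib/connman (as root). The demo directory, its service name and fields are constructed after the quoted file.

```shell
#!/bin/sh
# Added example (not antiX or Connman code): apply one IPv6 policy to every
# Connman service settings file under a state directory.
#   connman_ipv6_policy prefered [DIR]   -> IPv6.privacy=prefered (Connman's spelling)
#   connman_ipv6_policy off      [DIR]   -> IPv6.method=off (assumed GUI equivalent)
# DIR defaults to /var/lib/connman, which needs root.

# Read KEY from an INI-style settings file (first match, value only).
get_kv() {   # get_kv FILE KEY
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')          # "." in the key is literal
    sed -n "s/^$esc=//p" "$1" | head -n 1
}

# Set KEY=VALUE: rewrite an existing line, else append. Idempotent; rewrites
# through a temp copy so the file's mode and owner survive (no GNU sed -i).
set_kv() {   # set_kv FILE KEY VALUE
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    if grep -q "^$esc=" "$1"; then
        sed "s/^$esc=.*$/$2=$3/" "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Apply MODE to every <service>/settings below DIR; prints the number of files touched.
connman_ipv6_policy() {   # connman_ipv6_policy prefered|off [DIR]
    mode=$1 dir=${2:-/var/lib/connman} n=0
    case $mode in
        prefered|off) ;;
        *) echo "usage: connman_ipv6_policy prefered|off [DIR]" >&2; return 2 ;;
    esac
    for f in "$dir"/*/settings; do
        [ -f "$f" ] || continue                        # glob did not match: no services yet
        if [ "$mode" = off ]; then
            set_kv "$f" IPv6.method off
        else
            set_kv "$f" IPv6.privacy prefered          # IPv6.method is left as it is
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# Demo on a constructed copy of the layout (never the real directory), so this
# runs without root. Service name and fields follow the file quoted in #140321.
demo=$(mktemp -d)
mkdir "$demo/ethernet_afc73d00f127_cable"
printf '%s\n' '[ethernet_afc73d00f127_cable]' 'Name=Wired' 'AutoConnect=true' \
    'IPv4.method=dhcp' 'IPv6.method=auto' 'IPv6.privacy=disabled' \
    > "$demo/ethernet_afc73d00f127_cable/settings"
connman_ipv6_policy prefered "$demo" > /dev/null
cat "$demo/ethernet_afc73d00f127_cable/settings"       # now carries IPv6.privacy=prefered
rm -rf "$demo"
```

Like the one-liner it replaces, this only covers services whose directory already exists when it runs; a service Connman creates later (a USB dongle plugged in afterwards) still starts with Connman’s own default until the script is run again.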

                          #142996
                          Member
                          twntrelwn

                            Excellent. Your solution was the proper one, even though the application keeps giving “Error: Failed to add ipv6 leak protection! NetworkManager is not running Cause: ipv6_leak_protection_error”.
                            Connection through the command line works perfectly without leaks.
                            Probably the application recognises and supports only NetworkManager and not connman.
                            Thanks again for your simple explanation 🙂
