Ubuntu
procps package

Bug #1068756
Comment #12

Comment 12 for bug 1068756

Revision history for this message

Neil Wilson (neil-aldur) wrote on 2014-06-04: Re: [Bug 1068756] Re: IPv6 Privacy Extensions enabled on Ubuntu Server by default

#12

The metadata request on IPv6 should ask to use the global address on
outgoing connection. If it did, then the firewall rule would work, the
metadata obtained and that can turn off the temporary address
mechanism if that is what you want.

Badly coded applications should be fixed to work properly with IPv6
*as IPv6 is designed*, and then temporary addresses would work quite
happily.

The problem here is primarily coding applications to use IPv6 as
though it is IPv4.

There is no need to cripple the UEC images. There is a need to fix the
software so it works with IPv6 properly.

On 4 June 2014 11:13, Alex Bligh <email address hidden> wrote:
> In my view this is NOT a software bug, its an OS bug.
>
> Here's a completely different why this causes problems.
>
> We use Ubuntu UEC images. There are no meaningful privacy considerations
> here because we generate both the MAC address and the IP address of the
> servers concerned. IE, if the machine is mobile and changes IP address,
> it changes MAC address too.
>
> We build firewall rules automatically for the machine. These are applied
> outside of the machine (on the router). In order to write the rules
> correctly, we need to know the IPv6 address the machine will have, and
> use EUI-64 addressing to do this.
>
> Equally, for the server to get metadata on a boot, both the IP address
> needs to be correct (and no, that's not the only thing that is checked).
> On UEC randomisation of addresses thus prevents getting metadata over
> IPv6. This is only 'not a killer problem' as most people have IPv4 too.
>
> In a server environment (particularly on cloud images) there is no need
> whatsoever to have RFC4941 turned on by default.
>
> As Brian Candler wrote, the RFC says this should be disabled by default.
> It also says:
>
> Devices implementing this specification MUST provide a way for the
> end user to explicitly enable or disable the use of temporary
> addresses. In addition, a site might wish to disable the use of
> temporary addresses in order to simplify network debugging and
> operations. Consequently, implementations SHOULD provide a way for
> trusted system administrators to enable or disable the use of
> temporary addresses.
>
> On a cloud image, the user can't even administer his own machine until
> it has booted, which in a full IPv6 environment requires it to get
> metadata. For the reasons above, this prevents that from working.
> Therefore at least on UEC images, RFC4941 should be turned off by
> default and EUI-64 addresses only should be used.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1068756
>
> Title:
> IPv6 Privacy Extensions enabled on Ubuntu Server by default
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1068756/+subscriptions

--
Neil Wilson

Badly coded applications should be fixed to work properly with IPv6
*as IPv6 is designed*, and then temporary addresses would work quite
happily.

The problem here is primarily coding applications to use IPv6 as
though it is IPv4.

There is no need to cripple the UEC images. There is a need to fix the
software so it works with IPv6 properly.

On 4 June 2014 11:13, Alex Bligh <ubuntu@alex.org.uk> wrote:
> In my view this is NOT a software bug, its an OS bug.
>
> Here's a completely different why this causes problems.
>
> We use Ubuntu UEC images. There are no meaningful privacy considerations
> here because we generate both the MAC address and the IP address of the
> servers concerned. IE, if the machine is mobile and changes IP address,
> it changes MAC address too.
>
> We build firewall rules automatically for the machine. These are applied
> outside of the machine (on the router). In order to write the rules
> correctly, we need to know the IPv6 address the machine will have, and
> use EUI-64 addressing to do this.
>
> Equally, for the server to get metadata on a boot, both the IP address
> needs to be correct (and no, that's not the only thing that is checked).
> On UEC randomisation of addresses thus prevents getting metadata over
> IPv6. This is only 'not a killer problem' as most people have IPv4 too.
>
> In a server environment (particularly on cloud images) there is no need
> whatsoever to have RFC4941 turned on by default.
>
> As Brian Candler wrote, the RFC says this should be disabled by default.
> It also says:
>
>    Devices implementing this specification MUST provide a way for the
>    end user to explicitly enable or disable the use of temporary
>    addresses.  In addition, a site might wish to disable the use of
>    temporary addresses in order to simplify network debugging and
>    operations.  Consequently, implementations SHOULD provide a way for
>    trusted system administrators to enable or disable the use of
>    temporary addresses.
>
> On a cloud image, the user can't even administer his own machine until
> it has booted, which in a full IPv6 environment requires it to get
> metadata. For the reasons above, this prevents that from working.
> Therefore at least on UEC images, RFC4941 should be turned off by
> default and EUI-64 addresses only should be used.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1068756
>
> Title:
>   IPv6 Privacy Extensions enabled on Ubuntu Server by default
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1068756/+subscriptions

-- 
Neil Wilson

Ubuntuprocps package

Comment 12 for bug 1068756

Ubuntu
procps package