Enable IPv6 Privacy Extensions on Ubuntu

With SLAAC, your MAC address is embedded into your IPv6 address. When you connect to the world, you’re giving them something that can be traced back to you (or at least a piece of hardware you have). RFC3041 was created to help address this privacy issue. It’s since been obsoleted by RFC4941. The Linux kernel does support these RFCs, but most distributions do not turn it on by default. While the below was tested on Ubuntu, it should theoretically work for most flavors of Linux.

First, determine which interface(s) you want to enable the privacy extensions:


$ ifconfig
eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:db8::xxxx:xxff:fexx:xxxx/64 Scope:Global
          inet6 addr: fe80::xxxx:xxff:fexx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6547155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3594147 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9470877266 (9.4 GB)  TX bytes:313893925 (313.8 MB)
          Interrupt:42 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:859192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:859192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:418471854 (418.4 MB)  TX bytes:418471854 (418.4 MB)

In my case it’s eth2 (and no, I don’t know what happened to eth0 and eth1 ;).

Add the following lines to /etc/sysctl.conf:

net.ipv6.conf.eth2.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

*Note that the first line could (and most likely would) be different for your particular set up.

after that, restart your network (or if you like, restart your computer altogether) and you should see a new address


$ ifconfig
eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: 2001:db8::xxxx:xxff:fexx:xxxx/64 Scope:Global
          inet6 addr: fe80::xxxx:xxff:fexx:xxxx/64 Scope:Link
          inet6 addr: 2001:db8::9dd7:675f:8d2b:d78a/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6565518 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3607197 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9493464492 (9.4 GB)  TX bytes:315035089 (315.0 MB)
          Interrupt:42 Base address:0xe000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:861796 errors:0 dropped:0 overruns:0 frame:0
          TX packets:861796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:419488499 (419.4 MB)  TX bytes:419488499 (419.4 MB)

Outgoing connections will now use the new “random” ipv6 address. You can verify by going to http://test-ipv6.com


ipv6 ready