Bug#1007150: ifupdown: for IPv6 drop RFC4291 EUI-64 generation in favor of RFC7217 stable privacy addressing

Fri, 11 Mar 2022 23:39:15 -0800 

Package: ifupdown
Version: 0.8.36
Severity: important
Tags: ipv6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On IPv6-enabled hosts, ifupdown generates an EUI-64 address for the interface. 
This is a major privacy issue, because EUI-64 can be reverse-mapped to a 
specific MAC address and therefore to a specific physical host. Setting 
privext=2 doesn't solve the issue, since it merely makes the kernel prefer the 
privacy address.

RFC4291 EUI-64 generation is deprecated. What's instead favored is RFC7217 
stable privacy addressing. It would be a good idea for ifupdown to implement 
this. The current upstream for dhcpcd (not yet packaged for Debian, but waiting 
in Mentors) contains a good implementation of this RFC.

- -- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-12-amd64 (SMP w/8 CPU threads)
Locale: LANG=fi_FI.utf8, LC_CTYPE=fi_FI.utf8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ifupdown depends on:
ii  adduser   3.118
ii  iproute2  5.10.0-4
ii  libc6     2.31-13+deb11u2
ii  lsb-base  11.1.0

Versions of packages ifupdown recommends:
ii  isc-dhcp-client [dhcp-client]  4.4.1-2.3

Versions of packages ifupdown suggests:
ii  ppp     2.4.9-1+1
pn  rdnssd  <none>

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEyJACx3qL7GpObXOQrh+Cd8S017YFAmIsTSIACgkQrh+Cd8S0
17bMmhAArd5O0KO79zlKbLb9KJw8Jg+YSpRLnYVMVDWl3j1lDq2o1CKmw2cL5T/B
NmMXJ+9FvZQpGyibldXssMVFfkcDOUhyc4AkNhdvXfmap2YY8mpvdaerZF5jec89
BuYe04tvRmMUJylN0ABdu1mOFSUAGdRzLz2Bspcc3sSVRqrAFCejFi5cUaW7lLDF
zuZNvVOLu/fMhOyeHF11DGfv8xLr9q6hNYg2SNhrSWLcUc1+ax2xiYCa2E2JX3Od
S/efxI2oGwSGpbRZWlm1nHKQCHmay88A4GVARBRzGQno+yuiUuQW7hsqhmEO6HH1
AQ1qBCbFacsrO9duHmhohUBRDGnkdMH2CKak2fdJoP2NogliNF0KHlfI29hUBp2c
7L1rQ0UNMtrozm3bIILOWS1wNqWtc5Zs+Rri520R0japILCgTw6oKof59Sv258un
q6XmwUPsuq48A3CvDBwqITfIO3i+moIUZtZrDNCP9qdzQE4aLPun8woFzUncXsTg
0A2X1oYy3VQoOLCWQ9FEvYegvGR/k3Ntezx/jqGH8bzMy7/wugf4T4gya8Zcln5f
Nec3A/RnD9ZS7qVRpv8lLUHpsM9cjm/7mIAtyUdXCJ/DKnErjSNTrAtbYCMS8v4c
EOV9OB6V+DoL3OtgBV8Ls4lJsd6rzvcF4SuiX4iv9mjNvZtHpiw=
=jMxm
-----END PGP SIGNATURE-----

Reply via email to