My favorites | Sign in
Project Home Issues
New issue   Search
for
  Advanced search   Search tips   Subscriptions
Issue 14013: Enable IPv6 Privacy Extensions
54 people starred this issue and may be notified of changes. Back to list
Status:  New
Owner:  ----
Cc:  e...@google.com, lore...@google.com


Sign in to add a comment
 
Reported by josef.schneider, Jan 14, 2011
Android currently uses the MAC-address of the interface to create its IPv6 address when using WIFI!
This is a privacy-problem, because this address-suffix is unique worldwide and allows internet servers to identify and track a user, even if he switches location and the network used to connect to the internet.

Fortunately, the privacy extensions (RFC4941) are well supported by in the linux kernel.

Please make the use of them standard in all future Android versions.

For now, I just activate them using

sysctl -w net.ipv6.conf.default.use_tempaddr=2
sysctl -w net.ipv6.conf.all.use_tempaddr=2

after every reboot!
Jan 14, 2011
Project Member #1 e...@google.com
(No comment was entered for this change.)
Cc: e...@google.com lore...@google.com
Jan 15, 2011
#2 philipp.sebastian.thun
I would recommend to increase the priority of this bug. This security / data privacy issue is already mentioned in the news (e.g. http://www.h-online.com/security/news/item/IPv6-Smartphones-compromise-users-privacy-1169708.html) and its visibility will increase over the next few months when IPv6 comes into use by major internet providers. As iOS has the same problem, it would be a major plus for Android if it provides a fix first.
Jan 15, 2011
#3 josef.schneider
The easiest way to fix this is to add

net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.all.use_tempaddr=2

to /etc/sysctl.conf

Better would be to add GUI-Options to configure it (and also for net.ipv6.conf.default.temp_valid_lft)
Jan 27, 2011
#4 derek.mo...@gmail.com
I would recommend against this change. Privacy addresses complicate lives for network managers. I've documented my reasons on the Ubuntu bug tracker (for this issue) - https://bugs.launchpad.net/ubuntu/+source/procps/+bug/176125
Feb 1, 2011
Project Member #5 e...@google.com
 Issue 14461  has been merged into this issue.
Apr 14, 2011
#6 rene.may...@googlemail.com
I have just uploaded a small application to the Android Market to enable privacy extensions on each device bootup and verify if a MAC-derived IPv6 address is used for outbound connections: https://market.android.com/details?id=to.doc.android.ipv6config, also available at http://www.mayrhofer.eu.org/android-ipv6config. Full source code is up on Gitorious (project android-ipv6config).

The app should grow more options to tweak IPv6 settings in the future, but I wanted to release it with this (currently) most important feature first.
Apr 27, 2011
#7 josef.schneider
iOS has this fixed in 4.3 btw...
May 1, 2011
#8 rupert.t...@gmail.com
it got in the german newspapers now, citing windows as example: http://www.heise.de/netze/artikel/IPv6-Privacy-Extensions-einschalten-1204783.html :)

Dec 15, 2011
#9 jbe...@gmail.com
IPv6 Privacy Extensions are now enabled by default. Confirmed on a preview build of ICS on an HTC Incredible.
https://github.com/android/platform_frameworks_base/commit/7329361cdce711775542b112663bf71a6e0d5cef

It would be great if there was a setting to enable or disable this feature. Even better would be the ability to see the EUI-64 based IPv6 address and current temporary address in the wifi details screen.
Apr 25, 2012
#10 tonyhoyl...@gmail.com
It *really* needs a setting to disable it.  On by default is a ballache but at least you can go around switching it off.. but permanently on screws up my usage accounting not to mention network diagnostics.


(Ideally there'd be a flag in RA to force it off, but that's one for the standards committees to sort out not google).

Apr 25, 2012
#11 emleym...@gmail.com
I totally agree with comment 10. It would be a lot better to have the address fixed, for usage accounting and other network management reasons. The permanently-on randomness of the address makes a mess of this. Yes, have it available, but easily switchable so that those of us who need and can make good use of the EUI-64 derived address are not impeded by others' privacy concerns.
Apr 25, 2012
#12 idonotre...@gmail.com
I agree with comments 10 and 11, having privacy extensions on and no option to turn it off breaks my usage accounting and diagnostics.
May 4, 2012
#13 dwmw2b@gmail.com
Please turn this off by default, and let the tinfoil hat brigade enable it for themselves if they want to. This makes it a complete pain to do any kind of debugging, and to set up reverse DNS.
May 9, 2012
#14 micol...@gmail.com
Please leave this enabled by default!

If usage accounting "breaks", then you should be using another method to do it (like MAC on the local network segment).  If you want to have it turned off, sure, have an option, but should be enabled by default.

I'm faced with a similar problem because I'm looking at implementing accounting controls for IPv6, but I intend fully to work around privacy extensions.

At the moment your scripts will *also* break if another user sets a false automatic IPv6 address..

I offer this list of other operating systems with privacy enabled by default:

- Apple iOS 4.3 and later (available in earlier releases via JB)
- Apple Mac OS X 10.7 and later (available in earlier releases as option)
- Microsoft Windows XP and later (IPv6 not enabled by default, but privacy on by default when enabled)
- Microsoft Windows Vista and later (IPv6 enabled by default)
May 12, 2012
#15 emleym...@gmail.com
I personally am neutral on the issue of whether this should be enabled by default or not, though I would normally side with the RFC. In this case, and you can read this at http://tools.ietf.org/html/rfc4941#section-3.6 if you have not already done so, it clearly states:

- Devices implementing this specification MUST provide a way for the end user to explicitly enable or disable the use of temporary addresses.

ICS is currently not compliant, neither is iOS. As for the others mentioned, I know it can be disabled in Windows 7 - I've done it.

The RFC also states:

- The use of temporary addresses may cause unexpected difficulties with some applications.  As described below, some servers refuse to accept communications from clients for which they cannot map the IP address into a DNS name.  In addition, some applications may not behave robustly if temporary addresses are used and an address expires before the application has terminated, or if it opens multiple sessions, but expects them to all use the same addresses. Consequently, the use of temporary addresses SHOULD be disabled by default in order to minimize potential disruptions.  Individual applications, which have specific knowledge about the normal duration of connections, MAY override this as appropriate.

Section 4 explains this problem in greater detail.

No operating system that enables privacy extensions by default is compliant with this - even if it looks as though we are "de facto" going that way. However, the failure on the first point I quoted is much more serious.
May 15, 2012
#16 quentin....@gmail.com
Actually, the only way I found to disable privacy extensions was to binary patch the netd daemon : replace the string "/proc/sys/net/ipv6/conf/%s/use_tempaddr\000" by "/dev/null\000net/ipv6/conf/%s/use_tempaddr\000"

Absolutely not satisfactory.

Really it needs a configuration option in the wifi menu.
May 15, 2012
#17 josef.schneider
wait what?

Add net.ipv6.conf.default.use_tempaddr=0
net.ipv6.conf.all.use_tempaddr=0

to /etc/sysctl.conf

May 15, 2012
#18 quentin....@gmail.com
We tried that, but the value for wlan0 seemed to be overwritten each time the wifi interface was brought up.

As far as I understand the value of net.ipv6.conf.all.use_tempaddr is propagated to every interface _once_, so setting it beforehand does not prevent another configuration for a particular device, which is what netd does each time wifi is turned on.
May 16, 2012
#19 josef.schneider
After the WIFI is enabled, it should use the value from net.ipv6.conf.default.use_tempaddr

If it is not working, that is a bug and you should report it!
Jul 24, 2012
#20 brianjmu...@gmail.com
This does need an option to disable, perhaps on a network-by-network basis.  That is, in the "advanced" portion of the network connection dialog, there should be "disable privacy extensions on this network" checkbox.
Jun 27, 2013
#22 dua...@gmail.com
use_tempaddr(s) are 0 on my 4.1.2 and 4.2 devices - quite annoyed that I can't change this without rooting.

Disabling "privacy extensions" does not guarantee any "accounting service" can collect accurate data (because obviously addresses can be spoofed).  NAT has been obscuring actual device "accounting" for decades, nothing useful will be gained by suddenly getting a bit more device specific resolution in ipv6.  Also, thanks to BigData, the global part of user's ipv6 addresses can still, over time, identify more-or-less who is using a specific address anyway, so privacy is still mostly an illusion.

The ONLY thing enabling privacy extensions can do is prevent others from knowing what NIC chipset a user owns or is operating - but this is actually somewhat useful - **provided** the extensions are enabled before first broadcast (ie. they are the default).  Yes, allow the owner of a device disable these extensions but enable them by default.
Sep 23, 2013
#23 Andrew.D...@googlemail.com
I vote for enabled by default but with a disable checkbox in advanced options.
Oct 10, 2013
#24 kwaak...@gmail.com
I vote for checkbox. I know what I'm doing, and I want to do some normal IRC sessions on ipv6, so I want to disable it (and it is now enabled by default).
On my nexus 10 my irc sessions last an hour, on my CM10.2 they last 5 minutes. At least I can fix my CM10.2 ;-).
For those that think the MAC only reveals the brand. No, it reveals where you are. The last 64 bit is a unique id for your device without those privacy extensions. So others can track where you go. (There are clashes due to rollout bugs in mac addresses, but you can be sure you do not belong to those).
Oct 10, 2013
#25 tesla...@gmail.com
Simple authentication mechanisms and traffic control rely on static ips, it might not be best practice by the book but it works in many non critical scenarios.

Limiting options is never a good thing, even if it's for the own good of the unaware user (?!).
Furthermore one can't force privacy on people when they explicitly don't want it..

So my 2 cents on: enabled by default, option to disable it in advanced settings.

It's so reasonable that it's almost unbelievable it's missing.
Oct 10, 2013
#26 Andrew.D...@googlemail.com
The use of temp addresses does indeed bork up a number of other things.

I vote for "on by default but a checkbox to disable"

Those using mobile IP have already made the choice to use a invariant address. Just a shame that mip6d is not set up on Android.
Dec 2, 2013
#27 dua...@gmail.com
Will kitkat provide this option, or are we going to have to root them too?
Dec 3, 2013
#28 Andrew.D...@googlemail.com
The vast majority of the Android population do not have the option to root the phone. It should be assumed that if needs to be rooted to get "X" done, then for all practical purposes, "X" is not possible.
Sign in to add a comment

Powered by Google Project Hosting