
Bug#859270: OpenSSH should make it possible to explicitly choose public (long-lived) IPv6 address over temporary (anti-tracking) IPv6 address



Package: openssh-client
Version: 1:6.7p1-5+deb8u3

Executive summary: Browsers need short-lived addresses which can't be
tracked whereas ssh needs long-lived addresses which ensure that
connections aren't cut after a couple of hours.

Long explanation:

By default, IPv6 creates client addresses which contain the client PC's
MAC address, which exposes the user to tracking by malicious web
servers or ad networks.

That's why RFC 3041 introduced privacy extensions which allow setting up
"temporary" addresses which don't contain the MAC, but which are
recycled quickly. The temporary address is defined in _addition_ to the
public address. The temporary address is to be used for outgoing
connections by exposed programs, such as web browsers. The public
address is to be used for incoming connections (where the PC is a server),
and by long-lived clients such as openssh which connect to trusted
servers.

https://home.regit.org/2011/04/ipv6-privacy/
sysctl -w net.ipv6.conf.eth0.use_tempaddr=2

The issue: openssh too uses the temporary address, leading to
connection interruptions whenever the address cycles, or at least such
behavior should be configurable.

Openssh should use
setsockopt(socket, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, &value,
sizeof(value))
to explicitly opt for the public address.

See also this bug on RedHat (which suggests to make the behavior
configurable):
https://bugzilla.redhat.com/show_bug.cgi?id=512032


Thanks,

Alain
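The setsockopt() call named in the report, carried through to a working client, as an added example that is not part of the bug report and not OpenSSH's own code. It assumes Linux: IPV6_ADDR_PREFERENCES and the IPV6_PREFER_SRC_* flags are the RFC 5014 option as Linux defines them (the fallback defines carry the Linux uapi values in case the libc headers lack them), and the function names and the "public"/"temporary" keywords are invented for the example. It sets the preference on every AF_INET6 socket before connect(), refuses to fall back silently when the kernel rejects the option, and reads the stored preference back with getsockopt() so an operator can confirm the policy actually took effect.

```c
/* Added example (not from the bug report or from OpenSSH): open an IPv6
 * TCP connection while asking the kernel, via the RFC 5014 socket option
 * the report names, to choose the stable public source address instead of
 * a temporary (privacy-extension) one.  Linux only; the fallback defines
 * below use the Linux uapi values. */
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef IPV6_ADDR_PREFERENCES
#define IPV6_ADDR_PREFERENCES 72          /* Linux value of the RFC 5014 option */
#endif
#ifndef IPV6_PREFER_SRC_TMP
#define IPV6_PREFER_SRC_TMP 0x0001        /* prefer a temporary (privacy) address */
#endif
#ifndef IPV6_PREFER_SRC_PUBLIC
#define IPV6_PREFER_SRC_PUBLIC 0x0002     /* prefer the stable public address */
#endif

/* Hypothetical config keyword -> RFC 5014 flag.  Returns -1 for an unknown
 * word so a typo in a config file cannot silently fall back to the default. */
int addr_pref_from_keyword(const char *word)
{
    if (strcmp(word, "public") == 0) return IPV6_PREFER_SRC_PUBLIC;
    if (strcmp(word, "temporary") == 0) return IPV6_PREFER_SRC_TMP;
    return -1;
}

/* Apply the preference to an AF_INET6 socket before connect().
 * Returns 0 on success, -1 with errno set otherwise (EBADF for a bad fd,
 * ENOPROTOOPT on kernels or libcs that do not implement the option). */
int set_ipv6_addr_preference(int fd, int pref)
{
    return setsockopt(fd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, &pref, sizeof(pref));
}

/* Read back what the kernel stored.  The returned word may carry extra bits
 * (for example the home/care-of flag), so callers test bits, not equality. */
int get_ipv6_addr_preference(int fd, int *out)
{
    socklen_t len = sizeof(*out);
    return getsockopt(fd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, out, &len);
}

/* Resolve host:port, try each address in turn, and set the preference on
 * every AF_INET6 socket before connecting.  Returns a connected fd or -1. */
int connect_with_addr_preference(const char *host, const char *port, int pref)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;

    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        /* The option only exists for IPv6 sockets.  A failure is fatal for
         * this candidate: the caller asked for a specific source-address
         * policy, and a silent fallback would defeat the point. */
        if (ai->ai_family == AF_INET6 && set_ipv6_addr_preference(fd, pref) != 0) {
            close(fd);
            fd = -1;
            continue;
        }
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

int main(int argc, char **argv)
{
    int pref, fd, stored = 0;
    if (argc != 4) {
        fprintf(stderr, "usage: %s host port public|temporary\n", argv[0]);
        return 2;
    }
    pref = addr_pref_from_keyword(argv[3]);
    if (pref < 0) {
        fprintf(stderr, "unknown preference: %s\n", argv[3]);
        return 2;
    }
    fd = connect_with_addr_preference(argv[1], argv[2], pref);
    if (fd < 0) {
        perror("connect");
        return 1;
    }
    if (get_ipv6_addr_preference(fd, &stored) == 0)
        printf("kernel source-address preference word: 0x%04x\n", stored);
    close(fd);
    return 0;
}
```

Run as `./a.out host 22 public` and check that the printed word has the IPV6_PREFER_SRC_PUBLIC bit set and the IPV6_PREFER_SRC_TMP bit clear. Choosing the public address trades the privacy that RFC 3041 temporary addresses give for a source address that does not expire mid-session, which is why the report asks for it to be a per-client, configurable choice rather than a global sysctl.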

