IPv6 not using temporary address / ignoring privacy extensions #651

Open
obel1x opened this issue Apr 20, 2024 · 3 comments
Labels
enhancement New feature or request help-wanted There are no concrete plans to implement this but PRs are welcome.

Comments


obel1x commented Apr 20, 2024

I am using ddclient 3.11.2 on current Linux stable openSUSE Leap 15.5 to make one device available on the internet. Only the IPv6 address should be connected to a DNS record; IPv4 is assigned to another device and not relevant.

ddclient is configured for testing with usev6=ifv6,if=wlan0, which works well to resolve the FQDN to the host; everything works that way.
But I have privacy extensions turned on and have one IPv6 address "scope global dynamic noprefixroute" and one "scope global temporary dynamic".
The temporary address is more private, because it won't have my MAC included. In my setup, ddclient uses the dynamic instead of the temporary one. I would like to tell ddclient to use the temporary address for privacy.

Is there any switch/option I have missed to tell ddclient to check for temporary IPv6? If not, why is that not the default? I would encourage making this the default behaviour to respect privacy.

If there is no switch, I read about cmdv6, but found no example, nor any documentation for cmdv6. Could anyone tell me how to set cmdv6 to result in temporary address or some link to the docs?

Member

rhansen commented May 15, 2024

Looks like temporary addresses are intentionally excluded:

@reply = grep(!/\bdeprecated\b|\btemporary\b/, @reply); # Remove deprecated and temporary

I'm not sure why they are excluded.

I'm not opposed to adding support for temporary addresses, but I'm reluctant to use them by default because some users might currently rely on the permanent address (e.g., using the temporary causes too many updates, or resource record TTL is greater than the temporary address lifetime).

If privacy is a concern, I think that using an RFC7217 address for ddclient is superior to a temporary address. I recognize that not all systems support that RFC yet; Linux users should see sysctl -aN | grep stable_secret (documentation).

@rhansen rhansen added enhancement New feature or request help-wanted There are no concrete plans to implement this but PRs are welcome. labels May 15, 2024
@rhansen rhansen changed the title IPv6 not using temporary adress / ignoring privacy extensions IPv6 not using temporary address / ignoring privacy extensions May 15, 2024
Author

obel1x commented May 19, 2024

@rhansen

Thank you for the analysis. I am not really sure about RFC7217; here is my output:

/ # sysctl -aN | grep stable_secret
net.ipv6.conf.all.stable_secret
net.ipv6.conf.default.stable_secret
net.ipv6.conf.eth0.stable_secret
net.ipv6.conf.lo.stable_secret
net.ipv6.conf.wlan0.stable_secret

So I guess it has not been set by system-setup as documentation says, while this is the default.
I do think it would be a good thing to do, but that would be another setup.

For setups that do not have RFC7217 (SLAAC) enabled and are using privacy extensions like this, the temporary address should be an option to choose from if you agree.

So my proposal is to introduce a new option like
usev6_temporary_default=true|false
to make temporary addresses the default for those users, who wish to use them.

Would this be a good way in your opinion?

Member

rhansen commented May 20, 2024

sysctl -aN just lists available options; they'll need to be set to something. You can use sysctl for that, but it's better to let whatever your system uses to manage network connections (NetworkManager, systemd-networkd, netplan, ifupdown, etc.) set the values for you. See https://superuser.com/a/243713 for a good starting point.

> So my proposal is, to introduce a new option like usev6_temporary_default=true|false

Sounds good to me, though I think I would prefer ipv6-prefer-temporary.
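
As an added illustration (not part of the thread and not ddclient code), the shell example below applies the same exclusions as the filter quoted earlier to `ip -6 -o addr show` output and shows what a prefer-temporary mode like the proposed option would select instead. The sample addresses are constructed, `pick_v6` and `is_eui64` are hypothetical helper names, and the EUI-64 check is a heuristic.

```shell
#!/bin/sh
# Constructed sample (documentation prefix 2001:db8::/32), in the one-line
# format printed by: ip -6 -o addr show dev wlan0 scope global
sample_ip_output() {
cat <<'EOF'
3: wlan0    inet6 2001:db8:1:2:5c1d:9aa0:77e1:2b0c/64 scope global temporary deprecated dynamic \       valid_lft 3200sec preferred_lft 0sec
3: wlan0    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:1234/64 scope global temporary dynamic \       valid_lft 85937sec preferred_lft 13937sec
3: wlan0    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic noprefixroute \       valid_lft 85937sec preferred_lft 13937sec
EOF
}

# pick_v6 MODE  (hypothetical helper; reads `ip -6 -o addr` lines on stdin)
#   stable    - drop deprecated and temporary addresses, like the quoted filter
#   temporary - prefer a non-deprecated temporary address, else fall back to stable
pick_v6() {
    awk -v mode="$1" '
        $3 != "inet6" { next }
        {
            t = 0; d = 0
            for (i = 5; i <= NF; i++) {        # flags follow the address field
                if ($i == "temporary")  t = 1
                if ($i == "deprecated") d = 1
            }
            if (d) next                        # never publish a deprecated address
            addr = $4; sub(/\/.*/, "", addr)   # strip the /prefixlen
            if (t) { if (temp == "") temp = addr } else if (stable == "") stable = addr
        }
        END {
            if (mode == "temporary" && temp != "") print temp
            else if (stable != "") print stable
            else exit 1                        # nothing usable on this interface
        }'
}

# is_eui64 ADDR: heuristic for a MAC-derived interface identifier (ff:fe in the middle)
is_eui64() {
    case "$1" in
        *ff:fe??:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed sample; on a live host, pipe the ip command above instead.
for mode in stable temporary; do
    addr=$(sample_ip_output | pick_v6 "$mode") || continue
    if is_eui64 "$addr"; then kind="EUI-64, MAC-derived"; else kind="not EUI-64"; fi
    echo "$mode: $addr ($kind)"
done
```

The temporary address changes as it is regenerated, so each rotation means a DNS update, which is the trade-off rhansen raises about update frequency and record TTL.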
