How/why did Sierra change IPv6 addresses?

Question

How/why did Sierra change IPv6 addresses?

The permanent ipv6 address of my machines changed with the advent of macOS Sierra.

Note that we're not talking about the privacy enhanced temporary addresses. What I'm talking about happens even with "sysctl -w net.inet6.ip6.use_tempaddr=0" in effect.

The difference is that ifconfig shows a "secured" flag on the end of both the link-local and prefix-assigned addresses on Ethernet and WiFi interfaces. The host portion of the address differs from what the EUI-64 expansion of the host MAC address ostensibly would be. Additionally, the 0x2 bit of the top byte of the host portion is zero, which indicates that it's a "non-unique" address, though the addresses do seem to remain consistent across reboots.

My guess is that Apple is constructing the host portion of the link-local address by running the EUI-64 through a cryptographic hash function or something like that.

Is this new addition to sierra documented anywhere? Can it be turned on or off?

Posted on Sep 26, 2016 8:27 AM

Reply

Answer 1

pilif

Level 1

4 points

Nov 17, 2016 4:12 AM in response to Nicholas Sayer

I would say they are using RFC 7217 (https://tools.ietf.org/html/rfc7217) to do this.

There's no known way to turn it off, but the address will be stable if the prefix doesn't change, so just update your firewall rules and DNS entries and be done with it.

Reply

Answer 2

Bachsau

Level 1

4 points

Dec 6, 2016 7:02 PM in response to pilif

And exactly that is the problem: If you are on a dial-up network which changes its prefix on every login, you also get a new "stable" address, which, in fact, is not stable anymore.

It might be a good change for the majority of users, but there should definitely be a way to change address generation back to EUI 64.

Reply