author | Thomas Haller <thaller@redhat.com> | 2018-06-11 13:08:00 +0200 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2018-06-12 14:45:40 +0200 |
commit | fd878d826129141043e7b30e6521b23544c8967e (patch) | |
tree | a34b556fa095afb2d236b2de88ffcd521d039518 | |
parent | 92b8161578a546fe3dc86701a471938cfbd520fd (diff) | |
download | NetworkManager-fd878d826129141043e7b30e6521b23544c8967e.tar.gz |
examples: add ipv4.dhcp-client-id and ipv6.dhcp-duid to 30-anon.conf exampleth/dhcp-client-id
-rw-r--r-- | examples/nm-conf.d/30-anon.conf | 37 |
1 files changed, 31 insertions, 6 deletions
diff --git a/examples/nm-conf.d/30-anon.conf b/examples/nm-conf.d/30-anon.conf
index 28a9ae701a..3e879fc2d4 100644
--- a/examples/nm-conf.d/30-anon.conf
+++ b/examples/nm-conf.d/30-anon.conf
@@ -1,39 +1,44 @@
 # Example configuration snippet for NetworkManager to
 # overwrite some default value for more privacy.
-# Put it for example to /etc/NetworkManager/conf.d/30-anon.conf
+# Drop this file for example to /etc/NetworkManager/conf.d/30-anon.conf
 #
 # See man NetworkManager.conf(5) for how default values
 # work. See man nm-settings(5) for the connection properties.
 #
 #
-# This enables privacy setting by default. The defaults
+# This enables some privacy setting by default. The defaults
 # apply only to settings that do not explicitly configure
 # a per-connection override.
 # That means, if the connection profile has
 #
 # $ nmcli connection show "$CON_NAME" |
-# grep '^\(connection.stable-id\|ipv6.addr-gen-mode\|ipv6.ip6-privacy\|802-11-wireless.cloned-mac-address\|802-11-wireless.mac-address-randomization\|802-3-ethernet.cloned-mac-address\)'
+# grep '^\(connection.stable-id\|ipv6.addr-gen-mode\|ipv6.ip6-privacy\|802-11-wireless.cloned-mac-address\|802-11-wireless.mac-address-randomization\|802-3-ethernet.cloned-mac-address\|ipv4.dhcp-client-id\|ipv6.dhcp-duid\)'
 # connection.stable-id: --
 # 802-3-ethernet.cloned-mac-address: --
 # 802-11-wireless.cloned-mac-address: --
 # 802-11-wireless.mac-address-randomization:default
+# ipv4.dhcp-client-id: --
 # ipv6.ip6-privacy: -1 (unknown)
 # ipv6.addr-gen-mode: stable-privacy
+# ipv6.dhcp-duid: --
 #
 # then the default values are inherited and thus both the MAC
-# address and the IPv6 host identifier are randomized.
+# address, IPv6 host identifier, and DHCP identifiers are randomized.
 # Also, ipv6 private addresses (RFC4941) are used in
 # addition.
 #
 #
+# The connection's stable-id is really a token associated with the identity
+# of the connection. It means, by setting it to different values, different
+# addresses and DHCP options are generated.
 # For some profiles it can make sense to reuse the same stable-id
-# (and thus MAC address and IPv6 host identifier) for the duration
+# (and thus share MAC address and IPv6 host identifier) for the duration
 # of the current boot, but still exclusive to the connection profile.
 # Thus, explicitly set the stable-id like:
 #
 # $ nmcli connection modify "$CON_NAME" connection.stable-id '${CONNECTION}/${BOOT}'
 #
-# ... or keep it stable accross reboots, still distinct per profile:
+# ... or keep it stable accross reboots, but still distinct per profile:
 #
 # $ nmcli connection modify "$CON_NAME" connection.stable-id '${CONNECTION}'
 #
@@ -53,3 +58,23 @@ connection.stable-id=${RANDOM}
 ethernet.cloned-mac-address=stable
 wifi.cloned-mac-address=stable
 ipv6.ip6-privacy=2
+
+# RFC 7844 "DHCP Anonymity Profiles" mandates in combination with
+# MAC address randomization:
+# connection.stable-id=${RANDOM}
+# ethernet.cloned-mac-address=stable
+# wifi.cloned-mac-address=stable
+# ipv4.dhcp-client-id=mac
+# ipv6.dhcp-duid=ll
+# In case, the interface cannot use MAC address randomization,
+# RFC 7844 recomments
+# connection.stable-id=${RANDOM}
+# ipv4.dhcp-client-id=stable
+# ipv6.dhcp-duid=stable-llt
+# See https://tools.ietf.org/html/rfc7844#section-3.5
+# https://tools.ietf.org/html/rfc7844#section-4.3
+#
+# In this example however, the defaults are set to a stable identifier
+# depending on the connection.stable-id.
+ipv4.dhcp-client-id=stable
+ipv6.dhcp-duid=stable-uuid |
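Review bot: The two active defaults at the end of the second hunk, `ipv4.dhcp-client-id=stable` and `ipv6.dhcp-duid=stable-uuid`, differ from the values the comment directly above cites from RFC 7844 for the MAC-randomization case (`mac` / `ll`), and the comment does not say why the example deviates or what privacy property is left. As configured, the DHCP identifiers are only as unlinkable as `connection.stable-id`: with the `${RANDOM}` default they presumably change with each new stable-id, but a profile that follows the header's advice and sets the stable-id to `${CONNECTION}` would present the same client-id and DUID across reboots. I would state that next to the settings, for example `# NOTE: these stay anonymous only while connection.stable-id=${RANDOM}; a fixed stable-id yields a persistent DHCP identifier.` While touching these comments, `recomments` should read `recommends`, and the rewritten line in the first hunk still carries `accross`.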