authorThomas Haller <thaller@redhat.com>2018-06-11 13:08:00 +0200
committerThomas Haller <thaller@redhat.com>2018-06-12 14:45:40 +0200
commitfd878d826129141043e7b30e6521b23544c8967e (patch)
treea34b556fa095afb2d236b2de88ffcd521d039518
parent92b8161578a546fe3dc86701a471938cfbd520fd (diff)
examples: add ipv4.dhcp-client-id and ipv6.dhcp-duid to 30-anon.conf exampleth/dhcp-client-id
-rw-r--r--examples/nm-conf.d/30-anon.conf37
1 files changed, 31 insertions, 6 deletions
diff --git a/examples/nm-conf.d/30-anon.conf b/examples/nm-conf.d/30-anon.conf
index 28a9ae701a..3e879fc2d4 100644
--- a/examples/nm-conf.d/30-anon.conf
+++ b/examples/nm-conf.d/30-anon.conf
@@ -1,39 +1,44 @@
# Example configuration snippet for NetworkManager to
# overwrite some default value for more privacy.
-# Put it for example to /etc/NetworkManager/conf.d/30-anon.conf
+# Drop this file for example to /etc/NetworkManager/conf.d/30-anon.conf
#
# See man NetworkManager.conf(5) for how default values
# work. See man nm-settings(5) for the connection properties.
#
#
-# This enables privacy setting by default. The defaults
+# This enables some privacy setting by default. The defaults
# apply only to settings that do not explicitly configure
# a per-connection override.
# That means, if the connection profile has
#
# $ nmcli connection show "$CON_NAME" |
-# grep '^\(connection.stable-id\|ipv6.addr-gen-mode\|ipv6.ip6-privacy\|802-11-wireless.cloned-mac-address\|802-11-wireless.mac-address-randomization\|802-3-ethernet.cloned-mac-address\)'
+# grep '^\(connection.stable-id\|ipv6.addr-gen-mode\|ipv6.ip6-privacy\|802-11-wireless.cloned-mac-address\|802-11-wireless.mac-address-randomization\|802-3-ethernet.cloned-mac-address\|ipv4.dhcp-client-id\|ipv6.dhcp-duid\)'
# connection.stable-id: --
# 802-3-ethernet.cloned-mac-address: --
# 802-11-wireless.cloned-mac-address: --
# 802-11-wireless.mac-address-randomization:default
+# ipv4.dhcp-client-id: --
# ipv6.ip6-privacy: -1 (unknown)
# ipv6.addr-gen-mode: stable-privacy
+# ipv6.dhcp-duid: --
#
# then the default values are inherited and thus both the MAC
-# address and the IPv6 host identifier are randomized.
+# address, IPv6 host identifier, and DHCP identifiers are randomized.
# Also, ipv6 private addresses (RFC4941) are used in
# addition.
#
#
+# The connection's stable-id is really a token associated with the identity
+# of the connection. It means, by setting it to different values, different
+# addresses and DHCP options are generated.
# For some profiles it can make sense to reuse the same stable-id
-# (and thus MAC address and IPv6 host identifier) for the duration
+# (and thus share MAC address and IPv6 host identifier) for the duration
# of the current boot, but still exclusive to the connection profile.
# Thus, explicitly set the stable-id like:
#
# $ nmcli connection modify "$CON_NAME" connection.stable-id '${CONNECTION}/${BOOT}'
#
-# ... or keep it stable accross reboots, still distinct per profile:
+# ... or keep it stable accross reboots, but still distinct per profile:
#
# $ nmcli connection modify "$CON_NAME" connection.stable-id '${CONNECTION}'
#
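Review bot: The parenthetical on the rewritten line `# (and thus share MAC address and IPv6 host identifier) for the duration` still names only two identifiers, although the paragraph added directly above it says the stable-id also determines the DHCP options. A reader who pins `connection.stable-id` to `${CONNECTION}`, as the lines that follow suggest, would presumably also keep the same DHCP client-id and DUID across reboots, so the text should say so, e.g. `# (and thus share MAC address, IPv6 host identifier and DHCP identifiers) for the duration`. Two smaller wording points in the same hunk: "both" now introduces three items in the sentence ending `# address, IPv6 host identifier, and DHCP identifiers are randomized.`, and the rewritten line keeps the misspelling `accross`.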
@@ -53,3 +58,23 @@ connection.stable-id=${RANDOM}
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable
ipv6.ip6-privacy=2
+
+# RFC 7844 "DHCP Anonymity Profiles" mandates in combination with
+# MAC address randomization:
+# connection.stable-id=${RANDOM}
+# ethernet.cloned-mac-address=stable
+# wifi.cloned-mac-address=stable
+# ipv4.dhcp-client-id=mac
+# ipv6.dhcp-duid=ll
+# In case, the interface cannot use MAC address randomization,
+# RFC 7844 recomments
+# connection.stable-id=${RANDOM}
+# ipv4.dhcp-client-id=stable
+# ipv6.dhcp-duid=stable-llt
+# See https://tools.ietf.org/html/rfc7844#section-3.5
+# https://tools.ietf.org/html/rfc7844#section-4.3
+#
+# In this example however, the defaults are set to a stable identifier
+# depending on the connection.stable-id.
+ipv4.dhcp-client-id=stable
+ipv6.dhcp-duid=stable-uuid
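Review bot: The active defaults `ipv4.dhcp-client-id=stable` and `ipv6.dhcp-duid=stable-uuid` match neither of the two RFC 7844 variants listed in the comment above them (`mac`/`ll`, or `stable`/`stable-llt`), and the closing comment does not say why the example departs from them. Because this file is offered as a privacy template, that comment should state the trade-off, for instance `# Note: this deviates from RFC 7844; the DHCP identifiers are only as unlinkable as connection.stable-id.` In the same comment, `recomments` should read `recommends`, and the comma after `In case` can be dropped.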