macos Sierra with CGA address?

Holger Zuleger Holger.Zuleger at hznet.de
Wed Dec 14 12:25:35 CET 2016


Hi Jeroen,

>> I found two or three posts in the internet, all mentioning (or hoping)
>> that this is related to a change to RFC7217 as default IID mechanism.
>>
>> But one guy said that the source code (of 10.11) shows that this is a
>> cryptographically generated interface identifier for SeND (RFC3971).
>>
>> I tend to believe that the latter is true.
> 
> Seeing how Apple implemented things like "Happy Eyeballs" it likely is
> neither. And in the case of "Happy Eyeballs" there is no way to turn it
> off either. Filing radar bugs clearly does not help as they never get
> addressed or marked as 'dupe' at which point you do not know the status
> of the 'original' problem and well, nothing happens...


>> Has anyone more information about this? Especially how to configure it?
> 
> The only trick I found out was:
> 
> https://twitter.com/tweetsix/status/778615624444571649
> 8<-------
> Also who has typed: "sudo sysctl -w net.inet6.ip6.maxifprefixes=1" (or
> stored the setting in /etc/sysctl.conf) recently? ;)
> --------->8
To be honest, that's definitely not the way I like to go.

> As then you only get the DHCPd address (requires DHCPv6 server....) on
> your interface and not all the other magic ones that change all the time
> and are extremely useless if you want to ADDRESS a host...
> (yes, I love VNC'ing, SSH'ing and doing SSH-backups of my boxes...)
Oh no, DHCPv6 is not needed here.

The problem is *not* that this IID is changing. It is a stable one. And
yes, I do not vote against temporary addresses.

> There are claimed 'good' properties of a changing address but mostly
> they are useless: "it works against tracking" which is useless if your
> /48 is static and there are only ~10 hosts in that prefix that call
> outbound. Also, something with HTTP Cookies for 99% of the other things.
> And I am really not lugging my 27" iMac around to get it in another
> network....
> 
> Hence, a switch to turn if off.... would be amazing.
> The above trick kinda does that though and it mostly seems to work.
My info is to set
	sysctl -w net.inet6.send.opstate=0
to go back to the MAC-address-based EUI-64, but I haven't checked it.

There is another sysctl parameter (opmode), but it is unclear what 1 (or 0) means:
$ sysctl net.inet6.send
net.inet6.send.opstate: 1
net.inet6.send.opmode: 1

Thanks
 Holger
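The thread contrasts three ways of forming the interface identifier (IID): the MAC-derived modified EUI-64, a stable per-prefix IID as in RFC 7217, and a cryptographically generated address (CGA, RFC 3972) as used by SeND. The Python below is an added example written for this archive page, not code from the posters or from Apple's stack. It builds an EUI-64 IID from a MAC, derives an RFC 7217 style IID (RFC 7217 leaves the PRF F() to the implementer; HMAC-SHA256 is this example's assumed choice, and the secret key and Network_ID are constructed sample values), and classifies an address by what its IID looks like. The classifier is a heuristic: CGA requires the "u" and "g" bits of the IID to be zero and stores the Sec value in the top three bits, but random and RFC 7217 IIDs also have no recognisable structure, which is exactly why looking at the address alone cannot settle which mechanism macOS uses.

```python
import hashlib
import hmac
import ipaddress


def eui64_iid_from_mac(mac: str) -> bytes:
    """Modified EUI-64 IID (RFC 4291, Appendix A): insert ff:fe in the
    middle of the 48-bit MAC and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # bit 6 of the first octet is the U/L bit
    return bytes(iid)


def rfc7217_iid(prefix: str, net_iface: str, network_id: bytes,
                dad_counter: int, secret_key: bytes) -> bytes:
    """Stable, per-prefix IID per RFC 7217 section 5:
    F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).
    RFC 7217 does not mandate a particular F(); HMAC-SHA256 truncated to
    64 bits is this example's assumption, not any vendor's implementation."""
    pfx = ipaddress.IPv6Network(prefix, strict=False)
    msg = (pfx.network_address.packed[:8]
           + net_iface.encode()
           + network_id
           + dad_counter.to_bytes(4, "big"))
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return digest[:8]


def address_from_iid(prefix: str, iid: bytes) -> str:
    """Concatenate a /64 prefix with a 64-bit IID into a full address."""
    pfx = ipaddress.IPv6Network(prefix, strict=False)
    if pfx.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit IID")
    return ipaddress.IPv6Address(pfx.network_address.packed[:8] + iid).compressed


def classify_iid(addr: str) -> str:
    """Heuristic look at the low 64 bits of an IPv6 address.
    'eui64'    : ff:fe in octets 3-4, i.e. derived from a MAC address
    'ug-clear' : u and g bits zero, the shape RFC 3972 CGA requires
                 (random RFC 4941 temporaries also clear the u bit, so
                 this alone does not prove a CGA)
    'opaque'   : no recognisable structure (RFC 7217, random, manual, ...)"""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe":
        return "eui64"
    if iid[0] & 0x03 == 0:
        return "ug-clear"
    return "opaque"


def cga_sec_value(addr: str) -> int:
    """The Sec parameter a CGA would encode in the three leftmost IID bits."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[0] >> 5


if __name__ == "__main__":
    # Constructed sample values; the secret key would live on the host.
    prefix = "2001:db8:1234:5678::/64"
    mac = "00:11:22:33:44:55"
    key = b"example-secret-key-not-for-real-use"

    eui = address_from_iid(prefix, eui64_iid_from_mac(mac))
    stable = address_from_iid(prefix, rfc7217_iid(prefix, "en0", b"", 0, key))
    other = address_from_iid(prefix, rfc7217_iid("2001:db8:ffff::/64", "en0", b"", 0, key))
    for a in (eui, stable, other):
        print(f"{a:40} {classify_iid(a):9} sec={cga_sec_value(a)}")
```

Running the script shows the EUI-64 address being flagged as such, while the two RFC 7217 style addresses differ from each other (the IID changes with the prefix, which is the whole point of RFC 7217) yet remain stable across runs for the same prefix and key. Whether either of them lands in "ug-clear" or "opaque" depends only on two bits of the hash, which illustrates why a defender auditing addresses on the wire should not infer the generation mechanism from the IID bits alone.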
