macos Sierra with CGA address?

Jeroen Massar jeroen at
Wed Dec 14 12:40:05 CET 2016

On 2016-12-14 12:25, Holger Zuleger wrote:
> Hi Jeroen,
>>> I found two or three posts in the internet, all mentioning (or hoping)
>>> that this is related to a change to RFC7217 as default IID mechanism.
>>> But one guy sad, that the source code (of 10.11) shows, that this is a
>>> cryptographic generated interface identifier for SeND (RFC3971).
>>> I tend to believe that the latter is true.
>> Seeing how Apple implemented things like "Happy Eyeballs" it likely is
>> neither. And in the case of "Happy Eyeballs" there is no way to turn it
>> off either. Filing radar bugs clearly does not help as they never get
>> addressed or marked as 'dupe' at which point you do not know the status
>> of the 'original' problem and well, nothing happens...
>>> Has anyone more information about this? Especially how to configure it?
>> The only trick I found out was:
>> 8<-------
>> Also who has typed: "sudo sysctl -w net.inet6.ip6.maxifprefixes=1" (or
>> stored the setting in /etc/sysctl.conf) recently? ;)
>> --------->8
> To be honest, that's definitively is not the way I like to go.
>> As then you only get the DHCPd address (requires DHCPv6 server....) on
>> your interface and not all the other magic ones that change all the time
>> and are extremely useless if you want to ADDRESS a host...
>> (yes, I love VNC'ing, SSH'ing and doing SSH-backups of my boxes...)
> Oh no, DHCPv6 is not needed here.

Until Sierra, I didn't have any DHCPv6 either... but now I do because I
really love my static and known addresses. People know I have a Mac
anyway, thus what info am I losing there?

> The problem is *not* that this IID is changing. It is a stable one. And
> yes, I vote not against temporary addresses.

Actually, it is not a stable address as some have found out (read:
anecdotal), they also change at re-install and there are a couple of
other possibilities from what I recall.

Unfortunately, documentation about all of this is completely lacking...

The maxifprefixes does what it needs to do for me: only allow using of
DHCPv6'd addresses.

But indeed, that was a pure guess to enable that.

>> There are claimed 'good' properties of a changing address but mostly
>> they are useless: "it works against tracking" which is useless if your
>> /48 is static and there are only ~10 hosts in that prefix that call
>> outbound. Also, something with HTTP Cookies for 99% of the other things.
>> And I am really not lugging my 27" iMac around to get it in another
>> network....
>> Hence, a switch to turn if off.... would be amazing.
>> The above trick kinda does that though and it mostly seem to work.
> My info is, to set
> 	sysctl -w net.inet6.send.opstate=0
> to go back to mac address based eui64, but didn't checked it.
> There is another sysctl parameter (opmode) but unclear what 1 (or 0) means:
> $ sysctl net.inet6.send
> net.inet6.send.opstate: 1
> net.inet6.send.opmode: 1

There is no documentation at all about these things, hence, nothing one
can say about it, except begging Apple to finally document stuff.

google("net.inet6.send.opstate") has 76 hits, going back to 2014-ish,
and those switches where in El Capitan (10.9) already.

The change with random addresses came with Sierra though as Iljitsch
wrote here:


More information about the ipv6-ops mailing list