macos Sierra with CGA address?

Jeroen Massar jeroen at massar.ch
Wed Dec 14 12:08:41 CET 2016


On 2016-12-14 11:55, Holger Zuleger wrote:
> Hi,
> 
> I just realized that the permanent interface identifier of my MAC has
> changed after upgrading to OS 10.12 (I guess).
> 
> The output of ifconfig shows a new "secured" flag at the permanent address.
> $ ifconfig en0 | grep inet6 | \
>>       sed "s/2[^:]*:[^:]*:[^:]*:[^:]*:/<prfx48>:/"
> inet6 fe80::c54:6333:ac12:c67b%en0 prefixlen 64 secured scopeid 0x4
> inet6 <prfx48>:20e3:84f6:6794:5ace prefixlen 64 autoconf secured
> inet6 <prfx48>:8822:a8a3:b6ec:a79b prefixlen 64 autoconf temporary
> 
> I found two or three posts on the internet, all mentioning (or hoping)
> that this is related to a change to RFC7217 as default IID mechanism.
> 
> But one guy said that the source code (of 10.11) shows that this is a
> cryptographically generated interface identifier for SeND (RFC3971).
> 
> I tend to believe that the latter is true.

Seeing how Apple implemented things like "Happy Eyeballs" it likely is
neither. And in the case of "Happy Eyeballs" there is no way to turn it
off either. Filing radar bugs clearly does not help as they never get
addressed or marked as 'dupe' at which point you do not know the status
of the 'original' problem and well, nothing happens...

> Has anyone more information about this? Especially how to configure it?

The only trick I found out was:

https://twitter.com/tweetsix/status/778615624444571649
8<-------
Also who has typed: "sudo sysctl -w net.inet6.ip6.maxifprefixes=1" (or
stored the setting in /etc/sysctl.conf) recently? ;)
--------->8

As then you only get the DHCPd address (requires DHCPv6 server....) on
your interface and not all the other magic ones that change all the time
and are extremely useless if you want to ADDRESS a host...
(yes, I love VNC'ing, SSH'ing and doing SSH-backups of my boxes...)


There are claimed 'good' properties of a changing address but mostly
they are useless: "it works against tracking" which is useless if your
/48 is static and there are only ~10 hosts in that prefix that call
outbound. Also, something with HTTP Cookies for 99% of the other things.
And I am really not lugging my 27" iMac around to get it in another
network....


Hence, a switch to turn it off.... would be amazing.
The above trick kinda does that though and it mostly seems to work.


With the trend that Apple is taking with their hardware line that
actually runs OSX ehmm MacOS, it seems that swapping platforms is a
likely next step for a lot of people...

2016 was supposed to be the year of IPv6 (201_IPv_6), which indeed
worked a wee bit, but maybe 2026 is the actual goal of many companies;
thus maybe 2017 is going to be the year of Linux on the Desktop? :)


Anybody already coded up a Little Snitch equiv for OpenBSD? :)

Greets,
 Jeroen
