Bug 495496

Summary: Disabling IPv6 privacy doesn't change addr-gen-mode to 0 to disable privacy
Product: [Applications] systemsettings Reporter: Odin Vex <odin.vex>
Component: kcm_networkmanagementAssignee: Plasma Bugs List <plasma-bugs-null>
Status: REPORTED ---    
Severity: normal CC: doug.hs, jgrulich
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Manjaro   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Odin Vex 2024-10-28 17:36:15 UTC 
SUMMARY
Whenever I disable IPv6 privacy via the editor it resets addr-gen-mode back to stable-privacy instead of 0.


STEPS TO REPRODUCE
1. Edit any network profile that uses IPv6.
2. Disable IPv6 Privacy, apply/save.

OBSERVED RESULT
Notice that IPv6 privacy is not disabled (/etc/NetworkManager/system-connections/*.conf), addr-gen-mode must be 0 for it to disable.

EXPECTED RESULT
addr-gen-mode should be set to 0 to disable IPv6 privacy.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Latest via Manjaro (stable)
KDE Plasma Version: 6.15
KDE Frameworks Version: 6.6.0
Qt Version: 6.7.2

ADDITIONAL INFORMATION
None.
Comment 1 Douglas Silva 2025-05-04 15:56:25 UTC 
It's not meant to set `addr-gen-mode` (RFC 7217), only `ip6-privacy=0` (RFC 4941).

The editor lacks support for the `addr-gen-mode` option, for which I'm opening a feature request right now.

See:
- https://networkmanager.dev/docs/api/latest/nm-settings-nmcli.html#id-1.2.9.4.21
- https://superuser.com/a/243713
Comment 2 Douglas Silva 2025-05-04 16:10:11 UTC 
In other words, the option you're changing in the editor refers to RFC 4941 (Privacy Extensions for Stateless Address Autoconfiguration in IPv6), which creates temporary addresses to be used for outgoing connections.

`addr-gen-mode` defines how the interface identifier of your public IPv6 addresses is generated — it doesn't apply to the "privacy addresses". Setting it to `stable-privacy` makes it create stable IIDs that don't expose your real hardware MAC address, while `eui64` creates IIDs based on your MAC.
Comment 3 Odin Vex 2025-05-04 23:18:05 UTC 
(In reply to Douglas Silva from comment #2)
> In other words, the option you're changing in the editor refers to RFC 4941
> (Privacy Extensions for Stateless Address Autoconfiguration in IPv6), which
> creates temporary addresses to be used for outgoing connections.
> 
> `addr-gen-mode` defines how the interface identifier of your public IPv6
> addresses is generated — it doesn't apply to the "privacy addresses".
> Setting it to `stable-privacy` makes it create stable IIDs that don't expose
> your real hardware MAC address, while `eui64` creates IIDs based on your MAC.

Setting `privacy` to *disabled* doesn't get me a non-private address, that's the problem. Disabled means disabled, not 'stable-privacy'. Only setting `addr-gen-mode` to 0 and restarting NetworkManager *again* will get me a real, non-private address ('eui64').
Comment 4 Douglas Silva 2025-05-04 23:39:19 UTC 
(In reply to Odin Vex from comment #3)
> (In reply to Douglas Silva from comment #2)
> > In other words, the option you're changing in the editor refers to RFC 4941
> > (Privacy Extensions for Stateless Address Autoconfiguration in IPv6), which
> > creates temporary addresses to be used for outgoing connections.
> > 
> > `addr-gen-mode` defines how the interface identifier of your public IPv6
> > addresses is generated — it doesn't apply to the "privacy addresses".
> > Setting it to `stable-privacy` makes it create stable IIDs that don't expose
> > your real hardware MAC address, while `eui64` creates IIDs based on your MAC.
> 
> Setting `privacy` to *disabled* doesn't get me a non-private address, that's
> the problem. Disabled means disabled, not 'stable-privacy'. Only setting
> `addr-gen-mode` to 0 and restarting NetworkManager *again* will get me a
> real, non-private address ('eui64').

As far as I know, `stable-privacy` gives you a public stable address, which should not change. Its name can be misleading.

However, if you have a dynamic GUA address (when your ISP refuses to give you a static prefix), then the address generated with `stable-privacy` will change every time the ISP updates your prefix; in such cases, you have to use EUI64.
Comment 5 Odin Vex 2025-05-04 23:54:11 UTC 
(In reply to Douglas Silva from comment #4)
> (In reply to Odin Vex from comment #3)
> > (In reply to Douglas Silva from comment #2)
> > > In other words, the option you're changing in the editor refers to RFC 4941
> > > (Privacy Extensions for Stateless Address Autoconfiguration in IPv6), which
> > > creates temporary addresses to be used for outgoing connections.
> > > 
> > > `addr-gen-mode` defines how the interface identifier of your public IPv6
> > > addresses is generated — it doesn't apply to the "privacy addresses".
> > > Setting it to `stable-privacy` makes it create stable IIDs that don't expose
> > > your real hardware MAC address, while `eui64` creates IIDs based on your MAC.
> > 
> > Setting `privacy` to *disabled* doesn't get me a non-private address, that's
> > the problem. Disabled means disabled, not 'stable-privacy'. Only setting
> > `addr-gen-mode` to 0 and restarting NetworkManager *again* will get me a
> > real, non-private address ('eui64').
> 
> As far as I know, `stable-privacy` gives you a public stable address, which
> should not change. Its name can be misleading.
> 
> However, if you have a dynamic GUA address (when your ISP refuses to give
> you a static prefix), then the address generated with `stable-privacy` will
> change every time the ISP updates your prefix; in such cases, you have to
> use EUI64.

Again, the issue is "Privacy: Disabled" should mean Disabled. (eg addr-gen-mode=0). So if my MAC were A1-B2-C3-D4-E5-F6 and my IPv6 prefix were a 26FE:DCBA:9876:5400/64, then the address expected (via DHCPv6) would be 26FE:DCBA:9876:5400:A3B2:C3FF:FED4:E5F6.
Comment 6 Odin Vex 2025-05-04 23:55:14 UTC 
(This issue is specifically about "Disabled" needing to actually mean Disabled, as in no 'stable-privacy' because that's the opposite of Disabled. Stable-privacy is privacy (to any extent).)