Feature request - Control of IPv6 source address selection

Brandon Applegate brandon at burn.net
Tue Aug 29 04:18:48 AEST 2017


Hello,

Disclaimer: Apologies if this has been covered on this list before.  From my Google searches I haven’t seen it (i.e. a thread on this list archive).

I’d love for there to be a config option to control IPv6 source address selection - specifically temp/privacy vs. non.  The issue that I (and others over the years) see is that when there is a long lived ssh connection (i.e. days or > 1 week) - if this connection was sourced from a temp/privacy address - the socket will get killed when this address finally expires and falls off the interface.  Being able to turn a knob and get client connections initiated from a non-privacy address would be great.

There have been some bug reports in downstream projects over time:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859270

https://bugzilla.redhat.com/show_bug.cgi?id=512032

The RedHat bug even has some patches submitted - albeit on very old source at this point.  I do think there is good discussion in these - especially the RedHat bug.

Beyond implementing it - the one thing that springs to my mind that might be a point of discussion would be what the default is - i.e. source from privacy or source from “public”.  My (selfish) opinion would be to default from public (to allow long lived connections by default).

However, defaulting to using privacy addresses ensures that users who aren’t even aware of this knob would still enjoy the benefits of privacy addresses.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5  2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."



More information about the openssh-unix-dev mailing list