Disabling “secured” IPv6 addresses in macOS 10.12 Sierra

On older macOS versions, every network interface would get one IPv6 address per prefix autogenerated from its MAC address (a modified EUI-64 interface identifier), easily identified by the characteristic “ff:fe” bytes in the middle of the host part:
$ ifconfig en0
[...]
ether 10:dd:b1:9f:6b:ba
inet6 fe80::12dd:b1ff:fe9f:6bba%en0 prefixlen 64 scopeid 0x4
inet6 2001:7c0:2012:4a:12dd:b1ff:fe9f:6bba prefixlen 64 autoconf
[...]

Since macOS 10.12, however, these have been replaced with randomly generated “secured” addresses:
$ ifconfig en0
[...]
ether 10:dd:b1:9b:d0:67
inet6 fe80::46:3b36:146:9857%en0 prefixlen 64 secured scopeid 0x4
inet6 2001:7c0:2012:4a:4e6:f1d1:dd90:c6b4 prefixlen 64 autoconf secured
[...]

Very little is known about these, besides a single mailing-list post that discovered them. If you are running a server, you will want your IPv6 address to be deterministic so you can register it in DNS. Therefore, we need to revert to the pre-10.12 behavior:

$ echo net.inet6.send.opmode=0 >> /etc/sysctl.conf
$ reboot

If you look at the source code of the XNU kernel (search for the IN6_IFF_SECURED flag) and of the IPConfiguration service in macOS 10.11 (the 10.12 source code hasn’t been released yet), you can see that the new behavior was already there, just not enabled by default as it is now. Also, we now know that the change wasn’t made to reflect RFC 7217 (Semantically Opaque Interface Identifiers) behavior, but rather implements RFC 3972 (Cryptographically Generated Addresses).
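
The EUI-64 derivation behind the first ifconfig snippet and the “secured” flag in the second, as an added example that is not code from the original post: a POSIX shell script that computes the MAC-derived interface identifier (flip the universal/local bit of the first octet, insert ff:fe in the middle) and classifies each inet6 line of ifconfig output as MAC-derived, secured, or neither. The two sample ifconfig texts are constructed from the snippets above, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Derives the modified EUI-64
# interface ID from a MAC address (RFC 4291, Appendix A) and uses it to label
# the inet6 lines of ifconfig output as "eui64" (MAC-derived, pre-10.12
# behaviour), "secured" (flagged as such by ifconfig on 10.12+), or "other".

# Constructed sample outputs, modelled on the two ifconfig snippets above.
SAMPLE_PRE_1012='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 10:dd:b1:9f:6b:ba
    inet6 fe80::12dd:b1ff:fe9f:6bba%en0 prefixlen 64 scopeid 0x4
    inet6 2001:7c0:2012:4a:12dd:b1ff:fe9f:6bba prefixlen 64 autoconf'

SAMPLE_1012='en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 10:dd:b1:9b:d0:67
    inet6 fe80::46:3b36:146:9857%en0 prefixlen 64 secured scopeid 0x4
    inet6 2001:7c0:2012:4a:4e6:f1d1:dd90:c6b4 prefixlen 64 autoconf secured'

# eui64_from_mac MAC
# Prints the 64-bit interface ID in the compact form ifconfig uses (no leading
# zeros inside a group), e.g. 10:dd:b1:9f:6b:ba -> 12dd:b1ff:fe9f:6bba
eui64_from_mac() {
    mac=$1
    set -- $(printf '%s' "$mac" | tr ':' ' ')
    [ $# -eq 6 ] || { echo "eui64_from_mac: bad MAC '$mac'" >&2; return 1; }
    b1=$(( 0x$1 ^ 0x02 ))        # flip the universal/local bit of octet 1
    printf '%x:%x:%x:%x\n' \
        $(( (b1 << 8) | 0x$2 )) \
        $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) \
        $(( (0x$5 << 8) | 0x$6 ))
}

# classify_ipv6 IFCONFIG_TEXT
# Prints one line per inet6 address: "<address> eui64|secured|other".
# Caveat: the comparison is textual, so an IID whose own zero groups were
# collapsed into "::" by ifconfig would be reported as "other".
classify_ipv6() {
    text=$1
    mac=$(printf '%s\n' "$text" | awk '$1 == "ether" { print $2; exit }')
    iid=$(eui64_from_mac "$mac") || return 1
    printf '%s\n' "$text" | awk -v iid="$iid" '
        $1 == "inet6" {
            addr = $2
            sub(/%.*/, "", addr)                # strip the %en0 zone index
            kind = "other"
            for (i = 3; i <= NF; i++)           # ifconfig flag words
                if ($i == "secured") kind = "secured"
            if (kind == "other" &&
                substr(addr, length(addr) - length(iid) + 1) == iid)
                kind = "eui64"                  # host part is the MAC-derived IID
            print addr, kind
        }'
}

echo "pre-10.12 sample:"; classify_ipv6 "$SAMPLE_PRE_1012"
echo "10.12 sample:";     classify_ipv6 "$SAMPLE_1012"
# On a live host: classify_ipv6 "$(ifconfig en0)"
```

On a real machine, feed it the output of ifconfig for the interface in question (a call is shown commented out at the end of the block): before the sysctl change the global address comes back as secured, and after the change and a reboot it should come back as eui64, which is the quick way to confirm the setting took effect.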

4 thoughts on “Disabling “secured” IPv6 addresses in macOS 10.12 Sierra”

  1. Trev

    inet6 2001:7c0:2012:4a:4e6:f1d1:dd90:c6b4 prefixlen 64 autoconf secured

    Is not a cryptographically created IPv6 address as you say

    It is in fact the opposite! It is the “permanent” globally unique address for your interface.

    There is another ending with “prefixlen 64 autoconf temporary” which is the random “temporary” globally unique address from your IPv6 range. This one changes from time to time to preserve your privacy and is used for outgoing connections.

  2. Michael Kuron Post author

    Not true. The permanent address is derived from the MAC address by inserting ff:fe in the middle and flipping one bit. A Cryptographically Generated Address is generated once when the operating system is installed and remains permanent after that — until the operating system is reinstalled or the network configuration is deleted. Please have a look at the RFC and the XNU source code for details.

  3. Trev

    Please point out the ff:fe in the address below from your blog with the secure attribute…

    inet6 2001:7c0:2012:4a:4e6:f1d1:dd90:c6b4 prefixlen 64 autoconf secured

    … yep, it’s not derived from the MAC address 🙂

    Neither is it “randomly generated” as my macOS Sierra “secured” IPv6 address just happens to be reachable from the Internet and is in fact part of the /56 pool assigned by my ISP.

  4. Michael Kuron Post author

    I never said that secured addresses are MAC-derived (i.e. contain the ff:fe). They are randomly generated, believe me. Just because they are random doesn’t mean that they are not valid, globally-reachable addresses — only the host part (the second half) is random, the network part (2001:7c0:2012:4a: in my case) comes from your router’s advertisements.

    If you don’t believe me that the secured addresses are randomly generated, please erase your hard drive and reinstall macOS Sierra. You will see that you get a different secured address that, from then on, persists across reboots.

    Again, please have a look at the RFC and XNU source code referenced in my original article before continuing to make incorrect claims.
