Hm, my experience is different:
nmcli -f 'connection.stable-id,802-11-wireless.cloned-mac-address,802-11-wireless.mac-address-randomization,802-3-ethernet.cloned-mac-address,ipv4.dhcp-client-id,ipv6.addr-gen-mode,ipv6.dhcp-duid,ipv6.ip6-privacy' connection show [wifi network]
connection.stable-id: --
802-11-wireless.cloned-mac-address: --
802-11-wireless.mac-address-randomization:default
ipv4.dhcp-client-id: --
ipv6.addr-gen-mode: eui64
ipv6.dhcp-duid: --
ipv6.ip6-privacy: -1 (unknown)
eui64
indicates that my MAC address would be used. Setting ipv6.addr-gen-mode
explicitly might work. Btw my Ethernet port had stable-privacy
set for some reason.
I believe eui64
is set as /etc/NetworkManager/NetworkManager.conf
has the keyfile plugin configured on debian-11 (which I use) by default. On Fedora that appears to be different.
man nm-settings
:
addr-gen-mode
Configure method for creating the address for use with RFC4862 IPv6 Stateless Address Autoconfiguration. The permitted values are:
NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_EUI64 (0) or NM_SETTING_IP6_CONFIG_ADDR_GEN_MODE_STABLE_PRIVACY (1). If the property is set to EUI64, the
addresses will be generated using the interface tokens derived from hardware address. This makes the host part of the address to stay
constant, making it possible to track host's presence when it changes networks. The address changes when the interface hardware is replaced.
The value of stable-privacy enables use of cryptographically secure hash of a secret host-specific key along with the connection's stable-id
and the network address as specified by RFC7217. This makes it impossible to use the address track host's presence, and makes the address
stable when the network interface hardware is replaced. On D-Bus, the absence of an addr-gen-mode setting equals enabling stable-privacy. For
keyfile plugin, the absence of the setting on disk means EUI64 so that the property doesn't change on upgrade from older versions. Note that
this setting is distinct from the Privacy Extensions as configured by "ip6-privacy" property and it does not affect the temporary addresses
configured with this option.
Not sure why the NetworkManager developers decided to use privacy friendly settings only when a certain plugin is disabled. So at least on debian that setting isn’t optional.
Anyway the recommendations at [1] are based on [2], which I guess should be reliable.
I’m still unsure whether
ipv4.dhcp-client-id=stable
ipv6.dhcp-duid=stable-uuid
makes sense as well, but I guess I’ll add that, too.
[1] https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/anonymizing-your-mac-address.md#randomize-all-ethernet-and-wifi-connections
[2] examples/nm-conf.d/30-anon.conf · main · NetworkManager / NetworkManager · GitLab