@yuwata any chance of getting this merged?

@keszybz Thank you for the review. Updated. Now all your comments are addressed. Setting the green label.

LGTM.

Trying to use sytemd-249 and setting IPv6Token=prefixstable.
However, this address is not the same as what I get by directly setting addr_gen_mode=2 and the specifying stable_secret with sysctl. Additionally 'ip addr show' does not report this address as stable-privacy. Is there a way for me to specify stable_secret while using systemd-networkd? Is there a retain the stable-privacy address as generated by the kernel.

@disich I guess IPv6LinkLocalAddressGenerationMode=stable-privacy and IPv6StableSecretAddress= suffices what you want.

@yuwata
I am using these already but it only produces a stable-privacy link local address (fe80::) for me. The link local address using systemd-networkd is identical to what kernel generates by directly setting the parameters with sysctl.
However, for global address based on RA:
Looking into the systemd-249 code (my first attempt to understand this code), it appears /etc/machine-id is used.
Ref: networkd-ndisc.c in make_stableprivate_address.
r = sd_id128_get_machine_app_specific(NDISC_APP_ID, &secret_key);).
eventually sd_id128_get_machine reads /etc/machine-id.
Is this reading correct? Can we have an option that will generate global stable-privacy address as the kernel would.

@disich Right. The IPv6Token=prefixstable does NOT mean the generated address is the same as the one by kernel.
The RFC allows to use arbitrary hash func to generate the address.

@yuwata : Thanks, Agree thats its not about RFC compliance. Its about how stable my machine-id will be if we migrate to another linux distribution. We wanted to have the stable-privacy address to be constant even if we change distribution. So I was planning to hash the serial number of our embedded device (or something similar) and specify it as a stable-secret. A new ehancement in systemd-networkd which lets me specify stable secret for global ipv6 address would be awesome enhancement.
In parallel, I will check how we can keep our machine-id constant even if we migrate distributions.

@disich Yeah. As you can see, the address is generated with

1. machine-ID
2. interface name
3. prefix
4. (and internal counter)

So, keeping the same machine-ID and interface name should be basically enough when changing distribution.

@yuwata Appreciate you looking into. I think this is good for most but not for systems which deploy redundancy.
Our device is in a chassis with cards having 1:1 redundancy. Till now we only support eui64 so they get the same RA derived IP (they share same MAC but only Active brings up its network interface). However, they do not share the same machine-id. So this will cause them to get a different stable-privacy address.
Do you think the community may be willing to take up an enhancement to add a config file parameter where we can specify the stable_secret (instead of machine-id). Or provide an option where we can use this functionality from the kernel. Currently this is already allowed but only for link local address (using IPv6LinkLocalAddressGenerationMode).

@disich Let's discuss at #21345.