Two independent mechanisms in Linux protect you from being tracked on WiFi networks: MAC address randomization (at the hardware identity layer) and IPv6 temporary addresses (at the network address layer). Both are privacy features, and both can cause NetworkManager to fire NetworkChanged events that disrupt long-lived connections.
MAC address randomization
The tracking problem
Every network interface has a MAC address (Media Access Control address) — a 48-bit identifier burned into the hardware (e.g. e4:5f:01:ab:cd:ef). When your laptop scans for WiFi networks, it broadcasts probe request frames — essentially shouting “is network X here?” — and those frames include your MAC as the source address.
Because a hardware MAC is globally unique and permanent, any observer with a WiFi receiver (a shop, an airport, a tracker on the street) can log your MAC and recognize your device the next time you walk by, even if you never connect to their network.
How NM randomizes it
NetworkManager randomizes the MAC address of the WiFi adapter on every scan by default. Each probe request goes out with a freshly generated random MAC, so passive observers see a different “device” each time and cannot correlate scans across time or location.
This is purely a scanning protection. Once you associate to a network, NM can optionally use a stable random MAC per SSID — always the same MAC for your home network, different from your work network, but neither is your real hardware MAC.
The side effect
If the MAC changes while you are connected (or on reconnect), the DHCP server sees what looks like a new client and assigns a new IP address. A new IP fires a NetworkChanged D-Bus signal. Fix: disable scan randomization in NixOS:
networking.networkmanager.wifi.scanRandMacAddress = false;IPv6 temporary addresses — RFC 4941
The tracking problem
When IPv6 was designed, the standard way to assign yourself an address (SLAAC — Stateless Address Autoconfiguration, RFC 4862) was to take the network prefix from the router and append your MAC address, converted to a 64-bit EUI-64 identifier. For example, MAC e4:5f:01:ab:cd:ef becomes the interface ID e65f:01ff:feab:cdef, giving you a globally unique, permanent IPv6 address.
The problem: every website and server you connect to sees this address. Because it embeds your MAC, it is as unique and permanent as a serial number. You can be tracked across networks and across time just from your IPv6 address.
RFC 4941 — Privacy Extensions for SLAAC
RFC 4941 (published 2007, updated 2022 as RFC 8981) defines privacy extensions for SLAAC. Instead of using the MAC-derived EUI-64 as the interface ID, the kernel generates a random 64-bit interface ID and uses that to form a temporary address. Key properties:
- The temporary address rotates on a schedule — typically preferred for 24 hours, valid for 7 days, then a new one is generated
- The old address stays valid (but deprecated) for the remainder of its 7-day lifetime, so existing connections are not abruptly cut
- The kernel keeps a stable address (MAC-derived or otherwise stable) for incoming connections; the temporary address is used for outbound connections
At any given time you may have 2–3 active IPv6 addresses on the same interface:
nmcli dev show wlp1s0 | grep IP6
# IP6.ADDRESS[1]: 2601:...::afc1/128 ← stable (MAC-derived), used for incoming
# IP6.ADDRESS[2]: 2601:...ca3b:.../64 ← current temporary, used for outbound
# IP6.ADDRESS[3]: 2601:...6c7f:.../64 ← previous temporary, still valid but deprecatedThe side effect
Each rotation generates a new preferred address, which the kernel reports as an address change. NetworkManager receives this via a kernel netlink event and fires a NetworkChanged D-Bus signal. Browsers re-evaluate their connections; WebSocket connections may drop.
On a machine that is rarely rebooted, with an active WiFi connection, this can fire every few hours indefinitely. Disable in NixOS if stability matters more than privacy:
networking.tempAddresses = "disabled";This reverts to a single stable IPv6 address derived from your MAC. You lose the privacy protection but eliminate the rotation events.
Summary
| Mechanism | Protects against | Layer | NM side effect |
|---|---|---|---|
| MAC scan randomization | Device tracking during WiFi scanning | L2 — hardware identity | New IP on reconnect → NetworkChanged |
| IPv6 temporary addresses (RFC 4941) | Address tracking across sites/sessions | L3 — network identity | Address rotation every few hours → NetworkChanged |