DHCPv6 Leases / MAC security issue / custom suffix

Hello,

Stateless/Stateful IPv6 addressing works perfectly in LEDE. I can receive a /48 delegation and serve a full /60 split into several /64. All routing works and I am delighted.

I configured each host with an "unguessable" full public hostname:
myhost-1nd8bck1324.mydomain.com

In the LAN interface, I selected an "IPv6 assignment hint" for delegation, which gives more security.
I could not choose a suffix method (it does not work).

The only "glitch" is that all my IPv6 public addresses are derived from the MAC, which allows exploring the topology of my network (?). I am not sure of that, but it could be a security issue. If you have a list of all LEDE routers and their MAC addresses, it could restrict the number of possible hosts in a /64 and find them easily using pings. In a /48 you are protected (relatively) by the 'hint' value making a /64. Anyhow, an attacker sniffing ONE IPv6 address with /64 in your network knows the subrange and can test all devices using ping6.

Am I right to believe that?

Therefore I am trying to set up IPv6 via DHCP addressing with a custom suffix.

A sample config in /etc/conf/dhcp:

config host
	option name 'test-kieyei9edaemi9ai'
	option dns '1'
	option mac '00:16:3e:f0:16:3a'
	option ip '192.168.2.209'
	option hostid '42de:812c'

hostid '42de:812c' was set in LuCI ...
How can I set the suffix of my IPv6 guest in LEDE?

I am trying a Debian guest, but it still receives automatic IPv6 addressing derived from the MAC.
How can I use this "hostid" in Debian DHCP?
Otherwise, the only remaining possibility is IPv6 static addressing.

Any comments and help welcome.

Kind regards,

Should I use odhc from Debian experimental, like explained here:
https://www.abyssproject.net/2016/08/configurer-ipv6-chez-online-net/

The ip6ifaceid parameter in the interface network config is not well documented, but it allows configuring how the IPv6 address is created on the lan interface, taking into account the security aspect.
It can hold the following values:

  • random => Will assign a random IPv6 address from the delegated subprefix to the lan interface

  • eui64 => An eui64 IPv6 address from the delegated subprefix will be assigned to the lan interface; thus based on the MAC address

  • numerical value (eg ::1234) => Suffix id to be added to the delegated subprefix

Custom suffixes for hosts can be defined via the dhcp host section, either based on the host MAC address or the duid option.
But this requires that the host is doing stateful DHCPv6 and that the duid option used by the host is known, as hosts are identified either by the configured duid or the MAC address sent in the duid option.

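To make the two points above concrete (the original poster's worry that MAC-derived addresses expose hosts, and the reply's explanation that a fixed hostid gives the host a suffix that is not derived from the MAC), here is a small audit script. It is an added example, not code from the thread or from LEDE/odhcpd. It takes a list of addresses (constructed here under the 2001:db8::/32 documentation prefix) and flags any whose interface identifier has the modified EUI-64 layout of RFC 4291 (bytes 3 and 4 of the identifier equal ff:fe and the universal/local bit flipped), recovering the MAC that such an address leaks. It also shows what address a /64 prefix plus the thread's hostid '42de:812c' yields, which is the kind of suffix a stateful DHCPv6 host would receive instead of an EUI-64 one.

```python
import ipaddress

# Constructed sample: the MAC from the thread's dhcp host section, as it would
# appear in a SLAAC/EUI-64 address, plus a random-looking and a hostid-based one.
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:216:3eff:fef0:163a",   # EUI-64 form of 00:16:3e:f0:16:3a
    "2001:db8:1:2:9d3a:1b4f:77e2:c15",   # random interface identifier
    "2001:db8:1:2::42de:812c",           # fixed hostid suffix
]


def eui64_to_mac(addr: str):
    """Return the MAC embedded in a modified-EUI-64 interface identifier,
    or None if the identifier does not have that layout.

    The check is a heuristic: a random identifier has a 1 in 65536 chance of
    containing ff:fe at the same position, so treat a hit as 'probably EUI-64'.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first_octet = iid[0] ^ 0x02          # undo the universal/local bit flip
    mac = bytes([first_octet]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr: str) -> str:
    """Label an address as 'eui64' (MAC-derived) or 'opaque' (random/custom)."""
    return "eui64" if eui64_to_mac(addr) is not None else "opaque"


def address_from_hostid(prefix: str, hostid: str) -> str:
    """Compute the address a /64 prefix plus a fixed hostid suffix produces,
    i.e. what a stateful DHCPv6 host with 'option hostid' would be handed.
    The hostid is read the same way the thread writes it ('42de:812c')."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("hostid suffixes apply to a /64 prefix")
    suffix = int(ipaddress.IPv6Address("::" + hostid))
    return str(ipaddress.IPv6Address(int(net.network_address) | suffix))


def audit(addresses) -> dict:
    """Map each address to its classification and, for EUI-64 ones, the leaked MAC."""
    return {a: (classify(a), eui64_to_mac(a)) for a in addresses}


if __name__ == "__main__":
    for addr, (kind, mac) in audit(SAMPLE_ADDRESSES).items():
        print(f"{addr:40} {kind:7} {mac or ''}")
    # Hypothetical /64 (documentation prefix) combined with the thread's hostid.
    print(address_from_hostid("2001:db8:1:2::/64", "42de:812c"))
```

Running the audit over a DHCPv6 lease list or neighbour table on the router is a quick way to see which hosts are still forming EUI-64 addresses and therefore did not pick up the hostid (typically because they are doing SLAAC rather than stateful DHCPv6, as the reply above explains).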

Thanks.

Default is stateless + stateful.
When selecting stateful, is duid supported by LuCI?

Personally I don't use LuCI; maybe @hnyman can answer this question if duid is supported by LuCI

Not quite sure :frowning:
I think that supporting duid was discussed in spring, but the item was never finalised: https://github.com/openwrt/luci/pull/993