Dummydevice and IPv6

I've created a dummydevice to run on 127.1.1.1. I would like to know what is the correct way to set up an IPv6 address for it. Something like ::2 is not possible (just my first thought :smiley: ). So I want to know which address is the best choice?
I've set it to fe80::2 for IPv6. My thinking is that I could choose any fe80 to keep it local. And I want to know if this is an issue in terms of security:

inet6 ::1/128 scope host
inet6 fe80::1/128 scope link

WWW is telling me:

Host: A route has host scope when it leads to a destination address on the local host.
Link: A route has link scope when it leads to a destination address on the local network.

But I don't really know if this could be a "problem". Am I right that I cannot have more than one device with "scope host"?

Just for completeness: I've set it up to run a second dnsmasq instance and stub resolver on it and to make firewalling clearer for me. All is working fine.

There was some RFC draft for allocating a larger subnet for host addresses, but eventually it didn't pass.
Most people suggest using ULA for additional localhost IPv6 addresses.
Something like this:

config interface 'loop2'
        option ifname '@loopback'
        option proto 'static'
        list ipaddr '127.0.0.2/32'
        list ip6addr 'fd00::2/128'

It cannot be routed to the internet, it can however be routed in your lan.

4 Likes

Hmm ... The thing is, if I set 0::2 or fd00::2 it is set "scope global" in both cases.

5: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 08:00:27:aa:aa:aa brd ff:ff:ff:ff:ff:ff
    inet 127.0.1.1/32 brd 255.255.255.255 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 fd00::2/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::aaaa:aaaa:aaaa:aaaa/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

If I issue "ip a" afterwards, it takes some seconds (5+) to appear on the screen (like it is searching for something that is not there). This and "scope global" were the reasons for not using 0::2. For fd00 it is the same. oO

If I set it to fe80 there is no delay and the scope is set to "scope link" in any case.

I would expect at least scope local, link and/or host as a valid option. I think I'm doing something wrong.

Device config looks like:

config interface 'loopback0'
        option ifname 'dummy0'
        option proto 'static'
        option ipaddr '127.0.1.1/32'
        option ip6addr 'fd00::2/128'
        option netmask '255.255.255.0'
        option macaddr '08:00:27:aa:aa:aa'

EDIT2: I've found the reason for the delay. I was setting netmask and /32. I think that solved it. But still "scope global" :confused:

1 Like

In my case it shows up immediately. As there is no dummy0 interface on my OpenWrt, I cannot test it.

What is your concern about scope global?
You won't get scope host from what I understand, as only ::1 address qualifies for that.

1 Like
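As an added example (not from anyone in this thread): the rule the Linux kernel uses to derive the scope that "ip a" prints from the address bits alone, which is why only ::1 gets scope host while fd00::2 and ::2 both end up global, plus a check that runs it over constructed "ip -6 addr show" lines in the format quoted above.

```python
import ipaddress
import re

# Scope the Linux kernel assigns to an IPv6 address, derived purely from the
# address bits (mirrors ipv6_addr_type() in net/ipv6/addrconf_core.c).  The
# kernel recomputes it on every "ip -6 addr add", so it cannot be overridden.
def linux_ipv6_scope(addr: str) -> str:
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::1"):
        return "host"       # only the loopback address qualifies for scope host
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link"       # link-local unicast
    if a in ipaddress.IPv6Network("fec0::/10"):
        return "site"       # deprecated site-local prefix, still recognised by the kernel
    if a.is_multicast:
        return "multicast"  # ff00::/8; the scope nibble is inside the address
    return "global"         # everything else: GUA, ULA (fc00::/7) and ::2 alike

# How far a neighbor with a matching static route could get: ::1 never leaves
# the host, link-local never leaves the link, ULA stays inside the LAN (RFC 4193).
def routability(addr: str) -> str:
    scope = linux_ipv6_scope(addr)
    if scope == "host":
        return "host-only"
    if scope == "link":
        return "link-only"
    if ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fc00::/7"):
        return "lan-routable, not internet-routable"
    return "internet-routable"

# Parse "inet6 <addr>/<plen> scope <scope> ..." lines from "ip -6 addr show" and
# compare the kernel-reported scope with the rule above.
_INET6 = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\w+)")

def audit_ip_output(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = _INET6.match(line)
        if m:
            addr, plen, reported = m.group(1), int(m.group(2)), m.group(3)
            rows.append({"addr": addr, "prefixlen": plen, "reported_scope": reported,
                         "expected_scope": linux_ipv6_scope(addr), "reach": routability(addr)})
    return rows

# Constructed sample in the format of the "ip a" output quoted in the thread.
SAMPLE = """\
    inet6 ::1/128 scope host
    inet6 fe80::1/128 scope link
    inet6 fd00::2/128 scope global
    inet6 fe80::aaaa:aaaa:aaaa:aaaa/64 scope link stable-privacy
"""
```

Feed it the real output of "ip -6 addr show" and any row whose reported_scope differs from expected_scope points at a parsing or rule error; the reach column is what the firewall discussion below is about.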

According to RFC 4291 the loopback address has link-local scope. Where does the host scope come from?

The unicast address 0:0:0:0:0:0:0:1 is called the loopback address.
It may be used by a node to send an IPv6 packet to itself. It must
not be assigned to any physical interface. It is treated as having
Link-Local scope, and may be thought of as the Link-Local unicast
address of a virtual interface (typically called the "loopback
interface") to an imaginary link that goes nowhere.

2 Likes

ip -6 add sh dev lo

2 Likes

Is the host scope a Linux invention?

Yes, it was my fault. I set a netmask for the device (the "usual" 255.255.255.0, which was wrong in this case) and set /32 in addition.

Well, it scared me a bit that a service running on this device can (theoretically; I know we have a firewall) reach/route everything with this address if it is set to global (because it is valid everywhere). I have no real clue about IPv6, so I'm just careful. So I would stick to fe80 to keep "scope local", I think.

Seems so.

If you don't advertise the address to neighbors, no one can reach it.

2 Likes

If the address is routable then the neighbors might reach it. All that's needed is a route. For example ::2 is routable in Linux, but fe80::2 isn't.

BTW using ::2 is broken, and if you use bird, the routing daemon, it fills the log with errors.

1 Like

It means the neighbor would have to know which random IP you are using for loop2 and create a static route via an interface of the router to reach loop2. In the meantime, if the neighbor can reach a physical interface, it means that you trust that neighbor. If you don't, you can block all traffic to the loop2 address.
I understand what you are saying and you could use a link local, but you are overcomplicating things and a ULA can work fine as well.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.