I've created a dummy device to run on 127.1.1.1. I would like to know what is the correct way to set up an IPv6 address for it. Something like ::2 is not possible (just my first thought). So I want to know what address is the best choice?
I've set it to fe80::2 for IPv6. My thinking is that I could choose any fe80 to keep it local. And I want to know if this is an issue in terms of security:
inet6 ::1/128 scope host
inet6 fe80::1/128 scope link
WWW is telling me:
Host: A route has host scope when it leads to a destination address on the local host.
Link: A route has link scope when it leads to a destination address on the local network.
But I don't really know if this could be a "problem". Am I right that I cannot have more than one device with "scope host"?
Just for completeness: I've set it up to run a second dnsmasq instance and stub resolver on it and to make firewalling clearer for me. All is working fine.
There was some RFC draft for allocating a larger subnet for host addresses but it didn't pass eventually.
Most people suggest using ULA for additional localhost IPv6 addresses.
Something like this:
config interface 'loop2'
    option ifname '@loopback'
    option proto 'static'
    list ipaddr '127.0.0.2/32'
    list ip6addr 'fd00::2/128'
It cannot be routed to the internet, it can however be routed in your lan.
With 0::2 or fd00::2 it is set to "scope global" in both cases.
5: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 08:00:27:aa:aa:aa brd ff:ff:ff:ff:ff:ff
    inet 127.0.1.1/32 brd 255.255.255.255 scope global dummy0
       valid_lft forever preferred_lft forever
    inet6 fd00::2/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::aaaa:aaaa:aaaa:aaaa/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
If I issue "ip a" afterwards, it takes some seconds (5+) to appear on the screen (like searching for something that is not there). This and "scope global" were the reasons for not using 0::2. For fd00 it is the same. oO
If I set it to fe80 there is no delay and the scope is set to "scope link" in any case.
I would expect at least scope local, link and/or host as a valid option. I think I'm doing something wrong.
According to RFC 4291 the loopback address has link-local scope. Where does the host scope come from?
The unicast address 0:0:0:0:0:0:0:1 is called the loopback address.
It may be used by a node to send an IPv6 packet to itself. It must
not be assigned to any physical interface. It is treated as having
Link-Local scope, and may be thought of as the Link-Local unicast
address of a virtual interface (typically called the "loopback
interface") to an imaginary link that goes nowhere.
Yes, that was my fault. I did set a netmask for the device (which was the "usual" 255.255.255.0 and wrong in this case) and did set /32 in addition.
Well, it scared me a bit that a service running on this device can (theoretically; I know we have a firewall) reach/route everything with this address if it is set to global (because it is valid everywhere). I have no real clue about IPv6, so I'm just careful. So I would stick to fe80 to keep "scope local", I think.
It means the neighbor should know which random IP you are using for loop2 and create a static route via an interface of the router to reach the loop2. In the meantime, if the neighbor can reach on physical interface, it means that you trust that neighbor. If you do not, you can block all traffic to the loop2 address.
I understand what you are saying and you could use a link local, but you are overcomplicating things and a ULA can work fine as well.
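The thread turns on the difference between the scope label that `ip a` prints and how far an address can actually be routed. The following is an added example, not part of any post above: it reads `inet6` lines (a constructed sample modelled on the outputs quoted in the thread) and reports the RFC address range next to the kernel's scope label, showing that a ULA such as fd00::2 is labelled "scope global" yet is not internet-routable. The function names `classify` and `audit` are hypothetical.

```python
import ipaddress

# Well-known IPv6 ranges, checked in order; first match wins.
RANGES = [
    (ipaddress.ip_network("::1/128"), "loopback",
     "never leaves the host"),
    (ipaddress.ip_network("fe80::/10"), "link-local",
     "valid on one link only, not forwarded by routers"),
    (ipaddress.ip_network("fc00::/7"), "ULA",
     "routable inside your own network, not on the internet"),
    (ipaddress.ip_network("2000::/3"), "global unicast",
     "routable on the internet"),
]

def classify(addr):
    """Return (range name, reachability) for one IPv6 address string."""
    ip = ipaddress.IPv6Address(addr)
    for net, kind, reach in RANGES:
        if ip in net:
            return kind, reach
    # e.g. ::2 sits in reserved space and is not a sensible assignment
    return "reserved/unassigned", "not a usable unicast assignment"

def audit(ip_output):
    """Parse 'inet6 ADDR/LEN scope SCOPE' lines as printed by `ip a`."""
    rows = []
    for line in ip_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "inet6" and fields[2] == "scope":
            addr = fields[1].split("/")[0]
            kind, reach = classify(addr)
            rows.append((addr, fields[3], kind, reach))
    return rows

# Constructed sample, modelled on the `ip a` output quoted in the thread.
SAMPLE = """\
    inet6 ::1/128 scope host
    inet6 fd00::2/128 scope global
    inet6 fe80::aaaa:aaaa:aaaa:aaaa/64 scope link stable-privacy
    inet6 ::2/128 scope global
"""

if __name__ == "__main__":
    for addr, scope, kind, reach in audit(SAMPLE):
        print(f"{addr:26} kernel scope={scope:6} range={kind:19} {reach}")
```

Whether other hosts can reach a "scope global" ULA on a dummy or loopback interface still depends on routes and firewall rules, which is where the blocking mentioned above applies.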