Generating random IPv6 suffixes comparable to privacy extension [Solved]

Dear all,

Is there a way to generate random IPv6 suffixes in OpenWRT when using a DHCP server or any other mechanism to serve IPv6 addresses to hosts? I would like to avoid using the same fixed IPv6 every time I start up my computer.

I tried to implement privacy extensions in Debian client, but it did not work.

Kind regards,

What mechanism are you currently using to serve addresses? DHCP? Stateful/Stateless?

I really don't know. This is OpenWRT default installation.

https://openwrt.org/docs/guide-user/network/ipv6/start#protocol_static_with_ipv6

| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| ip6ifaceid | ipv6 suffix | no | ::1 | Allowed values: 'eui64', 'random', fixed value like '::1:2'. |

When IPv6 prefix (like 'a:b:c:d::') is received from a delegating server, use the suffix (like '::1') to form the IPv6 address ('a:b:c:d::1') for this interface. Useful with several routers in LAN. The option was introduced by this commit to netifd in Jan 2015.

Isn't that just for the IPv6 interface on the router? It won't have any effect on client devices.

OK, my router has a static IPv6, this is normal.
But how do I serve random IPv6 suffixes to my clients on br-lan?

Use SLAAC and privacy extensions on the client.

I don't know how to configure SLAAC and don't see any webpage on the wiki about SLAAC.

Yes, you are right.
As far as SLAAC is concerned, the hosts will create their own IPv6 from the prefix advertised in the RA.
So the other option is DHCPv6, where if you don't specify some hostid it will assign an IP kind of randomly.

It would be nice if a general SLAAC configuration was documented.

I disabled dhcp assignment and enabled ra advertisement:

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ra 'server'

Still I am getting the same IPv6.

This works, disabling DHCPv6 and setting up SLAAC did the trick.
These settings are correct and allow generating a random IPv6 suffix.

Tested on Android and Debian GNU/Linux.

Under Debian GNU/Linux, you need to set privacy extensions to '2'.
cat /etc/sysctl.conf
net.ipv6.conf.all.use_tempaddr = 2
The IPv6 is generated after each reboot.

Under Android, disconnecting and reconnecting to WIFI is enough to generate a new random IPv6 suffix.
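
A check for the result described in the post above, as an added example that is not part of the original thread: it parses `ip addr show` output from the Linux client and reports whether a global `temporary` (privacy extension) address exists and whether any global address still embeds the MAC through EUI-64. The sample output, prefix and MAC are constructed documentation values, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample of `ip addr show dev eth0` on a Linux client; the prefix
# (2001:db8::/32) and MAC (00:00:5e:00:53:xx) are documentation values.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    link/ether 00:00:5e:00:53:2a brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:789/64 scope global temporary dynamic
       valid_lft 86390sec preferred_lft 14390sec
    inet6 2001:db8:1:2:200:5eff:fe00:532a/64 scope global dynamic mngtmpaddr
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fe80::200:5eff:fe00:532a/64 scope link
       valid_lft forever preferred_lft forever
"""

def eui64_iid(mac):
    """Interface identifier that modified EUI-64 derives from a MAC address."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def audit(ip_output):
    """Return (address, scope, kind) for every inet6 line of `ip addr` output."""
    mac, rows = None, []
    for line in ip_output.splitlines():
        if m := re.match(r"\s+link/ether ([0-9a-f:]{17})", line):
            mac = m.group(1)  # MAC of the interface whose addresses follow
        elif m := re.match(r"\s+inet6 (\S+)/\d+ scope (\S+)(.*)", line):
            addr = ipaddress.IPv6Address(m.group(1))
            iid = int(addr) & ((1 << 64) - 1)  # low 64 bits = suffix
            if "temporary" in m.group(3).split():
                kind = "temporary"  # RFC 4941 privacy address
            elif mac and iid == eui64_iid(mac):
                kind = "eui64-mac"  # suffix reveals the hardware address
            else:
                kind = "other"
            rows.append((str(addr), m.group(2), kind))
    return rows

def privacy_status(rows):
    """(has a global temporary address, has a global MAC-derived address)."""
    kinds = {kind for _, scope, kind in rows if scope == "global"}
    return "temporary" in kinds, "eui64-mac" in kinds

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
    print(privacy_status(audit(SAMPLE)))
```

With `use_tempaddr = 2` the kernel keeps the stable SLAAC address and prefers the temporary one as the source for outgoing connections, so a `temporary` row next to an `eui64-mac` row is expected; whether the stable suffix is MAC-derived depends on the client's address generation mode.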

and to generate the secret:

If you have a RNG, you can use the device /dev/hwrng instead.

Then on a Static Interface in /etc/config/network - I add:

option ip6ifaceid 'random'

EDIT: oh wow...no, the client has to have this enabled, I thought you meant the router

Thanks. I am using Network-manager in Debian GNU/Linux.
It does pick up the sysctl.conf setting.

So what are your settings for Debian, could you show your config files?

You are probably right, I need a stable IPv6, for example when using WireGuard.

head -c 16 /dev/urandom | hexdump -e '8/2 "%04x:" "\n"'| sed 's/.$//'
generates a full IPv6 address.

So I need to aggregate my prefix with the suffix of your command?

Setting this issue to solved.

:confused:

It's a HASH for the privacy secret...so your router will have a new IPv6 Privacy address on configured interfaces on every reboot.

It's not an IP in the example...I don't think you followed the instructions in that thread (probably because you were referring to privacy on the client).

Nonetheless, glad your issue is solved with a static IP address.

EDIT: I think it's extremely important to be clear - that command does not magically generate a valid IP address.. :warning:

You are right, disabling DHCPv6 and enabling SLAAC was the solution.

Which network manager service do you use on the client?