How to enable ipv6 privacy extensions?

System version: 18.06.03

Network card configuration information:

config interface 'lan'
  ...
  option type 'bridge'
  option ifname 'eth0.1'
  option proto 'static'
  option ip6ifaceid '::CB0:A0'
  ...

Currently, the IPv6-PD + fixed suffix method is used to configure the IPv6 address of the router's LAN interface through the above configuration. However, this interface has only one IPv6 public network address. Can OpenWRT enable the IPv6 privacy extensions mode like other Linux or Windows systems, so that the router LAN interface is also configured with a temporary IPv6 address with a random suffix, and the router LAN interface uses this temporary-suffix address for outbound access?


I didn't find any useful information! What I want is this: the two addresses, IPv6-PD + random (temporary address) and IPv6-PD + EUI-64, exist on the router's LAN interface at the same time. It is not a choice of one of the two, and it is not about other machines on the LAN needing to enable the IPv6 privacy extension.


OK...

Well I used that to enable IPv6 privacy on my router.

Sorry it doesn't help you.

The page you provided has so much information that it's hard for me to get to the point.

/etc/sysctl.conf

net.ipv6.conf.default.stable_secret=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2

Is it modified like this?

No, this:

/etc/sysctl.conf

net.ipv6.conf.default.stable_secret=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

and


Oh, it's just modifying how the suffix is generated, which is really not what I need, thanks!

No - that's how to enable it.

You asked "how to enable IPv6 privacy extensions" - that's how it's enabled.

I am using a FritzBox 7430 box as a WLAN client in my LAN. I am getting IPv4 and IPv6 addresses from my internet router via DHCP / DHCPv6 client.

I have tried your suggestions, but nothing worked for me. I still got no privacy extension address:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc fq_codel state UNKNOWN qlen 1000
    link/ether 36:eb:d2:51:9a:38 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::b822:ee31:5b58:c2c5/64 scope link flags 800 
       valid_lft forever preferred_lft forever
3: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 38:10:d5:46:b1:27 brd ff:ff:ff:ff:ff:ff
4: lan4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 38:10:d5:46:b1:27 brd ff:ff:ff:ff:ff:ff
5: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 38:10:d5:46:b1:27 brd ff:ff:ff:ff:ff:ff
6: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 38:10:d5:46:b1:27 brd ff:ff:ff:ff:ff:ff
7: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:02:03:04:05:06 brd ff:ff:ff:ff:ff:ff
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 38:10:d5:46:b1:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.68/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd00::b822:ee31:5b58:c2c5/64 scope global dynamic noprefixroute 
       valid_lft 6930sec preferred_lft 3330sec
    inet6 2003:ea:a70a:e700:b822:ee31:5b58:c2c5/64 scope global dynamic noprefixroute 
       valid_lft 6930sec preferred_lft 1530sec
    inet6 fe80::b822:ee31:5b58:c2c5/64 scope link flags 800 
       valid_lft forever preferred_lft forever

cat /etc/sysctl.conf 
net.ipv6.conf.default.stable_secret=bcd5:da2f:69e4:65a2:1435:05c6:fe40:9864
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.br-lan.use_tempaddr = 2

I am not a networking expert, so maybe I did something wrong.
Can anybody help to get this running?

Did you add the random assignment to the desired network interface? Here's an example.

Thank you for your quick answer. I have to set your options in /etc/conf/network. Is this correct? What does <henet_interface_name> mean?

In your case, if not Hurricane Electric, you will pick the relevant interface you get IPs from. E.g. wan6

Adding local assigns the ULA.

But if you want to have local and global, why not just not have this setting at all? Default is afaik to have local and global assignment. And where do I find info on your proposed syntax? Last time I checked the wiki there was no mention of an interface...

I'm not sure of your question, perhaps you were asking the poster who inquired. Here is a full example:

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option ip6ifaceid 'random'
        option device 'br-lan'
        list ip6class 'wan6'
        list ip6class 'local'

The sysctl syntax should be available by reviewing any Linux manual.

As I said, my OpenWrt box is a client in my LAN, so it has no WAN connection. It gets IPv6 addresses via DHCPv6 from my internet router via LAN. The box has 4 switched ethernet ports. One is connected to my LAN. So I don't know what to specify with <henet_interface_name>.

Simple: lan (I assume that's the name of the interface, correct?)

What is the name of the interface you configured a DHCPv6 client attached to LAN?

EDIT: That should exist if you have an address already.

Feel free to read the full thread (and others linked there) for more information.

I have tried the following in /etc/config/network:

config interface 'LAN6'
        option proto 'dhcpv6'
        option device 'br-lan'
        option reqaddress 'try'
        option reqprefix 'auto'
        option ip6assign '64'   
        option ip6ifaceid 'random'
        option ip6class 'LAN6 local'

I have got a new ULA address inet6 fd0b:9f32:d47:0:f175:3184:12a1:8109/64 but no privacy extension address.

  • Try as in the example
     option ip6class 'lan6'
     option ip6class 'local'

That seems like a privacy extension address to me (since I don't know your MAC or the original IP, I can't determine definitively). You added the sysctl settings (as I noted in the thread) and rebooted, correct?

(The other ones you listed were unneeded.)

I have changed my config to

config interface 'LAN6'
        option proto 'dhcpv6'
        option device 'br-lan'
        option reqaddress 'try'
        option reqprefix 'auto'
        option ip6assign '64'
        option ip6ifaceid 'random'
        option ip6class 'lan6'
        option ip6class 'local'

but still no success. And yes, I always did a reboot. And IPv6 addresses starting with fd... cannot be routed into the internet. I need another address starting with 2003.... This is a routable address which should be used to access the internet from my box. By the way: All my other LAN client hosts have two such addresses.

... you can see my sysctl settings in my first post.
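
One way to check which kind of IPv6 address an interface actually holds, as an added example that is not from any poster in this thread: the function reads `ip a` output and labels each address by range and by how its suffix was formed, decoding the raw `flags 800` seen in the output above as the kernel's stable-privacy bit (0x800). The function name and the output labels are assumptions of this example, and the 2001:db8 sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify the inet6 lines of `ip a` output read on stdin.
# Prints: <address> <range> <kind>
classify_inet6() {
  awk '
  # Hex parser without gawk-only strtonum(), so busybox awk can run it.
  function hex(s,   i, v) {
    v = 0; s = tolower(s)
    for (i = 1; i <= length(s); i++)
      v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
    return v
  }
  $1 == "inet6" {
    addr = tolower($2); sub(/\/.*/, "", addr)
    temp = 0; stable = 0
    for (i = 3; i <= NF; i++) {
      if ($i == "temporary") temp = 1            # RFC 4941 temporary address
      if ($i == "stable-privacy") stable = 1     # RFC 7217 stable IID
      if ($i == "flags" && i < NF) {             # bits ip printed as raw hex
        f = hex($(i + 1))
        if (f % 2 == 1) temp = 1                 # IFA_F_TEMPORARY      0x001
        if (int(f / 2048) % 2 == 1) stable = 1   # IFA_F_STABLE_PRIVACY 0x800
      }
    }
    range = "other"
    if (addr ~ /^fe[89ab][0-9a-f]:/) range = "link-local"
    else if (addr ~ /^f[cd][0-9a-f][0-9a-f]:/) range = "ula"
    else if (addr ~ /^[23][0-9a-f][0-9a-f][0-9a-f]:/) range = "global"
    # A MAC-derived (EUI-64) suffix has ff:fe in the middle: xxff:fexx
    n = split(addr, g, ":")
    eui = (n >= 4 && g[n-2] ~ /ff$/ && g[n-1] ~ /^fe[0-9a-f][0-9a-f]$/)
    kind = "unflagged"
    if (temp) kind = "temporary"
    else if (stable) kind = "stable-privacy"
    else if (eui) kind = "eui64"
    print addr, range, kind
  }'
}

# First two lines are from the ip a output in the thread; the last two are
# constructed (documentation prefix 2001:db8::/32).
classify_inet6 <<'EOF'
    inet6 2003:ea:a70a:e700:b822:ee31:5b58:c2c5/64 scope global dynamic noprefixroute
    inet6 fe80::b822:ee31:5b58:c2c5/64 scope link flags 800
    inet6 2001:db8:1:2:5c3a:917b:1e07:44d2/64 scope global temporary dynamic
    inet6 2001:db8:1:2:3a10:d5ff:fe46:b127/64 scope global dynamic mngtmpaddr
EOF
```

On the router, feed it live output with `ip -6 addr show dev br-lan | classify_inet6`; a privacy-extension address shows up as a `global temporary` line.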