How to enable ipv6 privacy extensions?

Wait wait... I thought this looked wrong when I asked for the DHCPv6 and didn't see it. Try:

config interface 'lan6'
        option proto 'dhcpv6'
        option device 'br-lan'
        option ip6ifaceid 'random'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.68'
        option netmask '255.255.255.0'
        option device 'br-lan'
        option ip6assign '64'
        option ip6class 'local'
        option ip6ifaceid 'random'

(I'm not sure of the ULA part in this example - I'd have to test.)

:spiral_notepad: If your upstream is DHCPv6 and not SLAAC-only, I'm not sure how that'll work either.

... are you sure you want to use IPv6 settings in the IPv4 interface 'lan'?

  • That is the default (i.e. to put IPv6 assign, class, ifaceid, etc.) in the lan config.
  • You only need a lan6 when your IPv6 is coming from the same interface (or 1 or both are DHCP/DHCPv6 as in your instance)
  • I also noted:

/etc/config/network:

config interface 'lan6'
        option proto 'dhcpv6'
        option device 'br-lan'
        option ip6ifaceid 'random'

config interface 'lan'
        option proto 'dhcp'
        option device 'br-lan'
        option ip6assign '64'
        option ip6class 'local'
        option ip6ifaceid 'random'

/etc/sysctl.conf:

net.ipv6.conf.default.stable_secret=bcd5:da2f:69e4:65a2:1435:05c6:fe40:9864
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.br-lan.use_tempaddr = 2

Still no success.

Ip6class is no sysctl... And I have to admit I wrongly read the wrong syntax from the upper post... That's why I have asked: in OpenWrt you can set local or global for ip6class on an interface, but there is no option ip6class '<ifname> [local|global]'

Why do you have these?

Maybe you should explain - what are you expecting to see?

These extra settings you're making and didn't remove - make me think you want something different.

I still don't understand the question; and the syntax in your example seems incorrect. If I understand, you cannot use the syntax in your example.

I never said it was.

br-lan  Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::xxxx:xxxx:xxxx:xxxx/64 Scope:Link
          inet6 addr: fdxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 Scope:Global
          inet6 addr: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:240916191 errors:0 dropped:1975 overruns:0 frame:0
          TX packets:312156468 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:196958952494 (183.4 GiB)  TX bytes:267239576272 (248.8 GiB)

IPs change on each reboot and are random.

The use_tempaddr = 2 settings are the common way to enable the privacy extensions, see the posting from VxBox at the beginning of this thread.

I have got an IPv6 address from my router which can be used for internet access:

inet6 2003:ea:a70a:e700:b822:ee31:5b58:c2c5/64

The last 64 bits are randomly generated, but they are static as long as the box gets no reboot (I think this is the result of option ip6ifaceid 'random'). The privacy extensions request a temporary address which changes after some time. This is not the case.

On all my other hosts in the LAN, two IPv6 addresses are generated, starting with 2003.... The last 64 bits of one address are constructed from the MAC address of the ethernet port. The last 64 bits of the other address are a result of the privacy extensions. For connections from the box to the internet, the second one is always used. For connections from the internet to the box, the first, static one is used.

So I expected a second privacy extensions address.
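A quick way to check what the post above describes (one MAC-derived EUI-64 address, one RFC 4941 temporary address, and whether use_tempaddr allows temporaries on a given interface) is to classify the interface's global addresses by the flags `ip -6 addr` prints. The script below is an added example, not from this thread or from OpenWrt; the `ip` output and the sysctl dump it parses are constructed samples using documentation prefixes, so it runs offline. On a real box you would pipe `ip -6 addr show dev br-lan` and `sysctl -a` into the same functions.

```shell
#!/bin/sh
# Added example: classify global IPv6 addresses on an interface and check the
# use_tempaddr sysctl. Both inputs below are CONSTRUCTED samples, not real output.

SAMPLE_IP6='5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:4a7:e700:b822:ee31:5b58:c2c5/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86300sec preferred_lft 14300sec
    inet6 2001:db8:4a7:e700:1d7e:4a0c:92fb:3e1a/64 scope global temporary dynamic
       valid_lft 86300sec preferred_lft 14300sec
    inet6 2001:db8:4a7:e700:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86300sec preferred_lft 14300sec
    inet6 fd12:3456:789a::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sysctl dump; note the mixed "key = value" / "key=value" spacing.
SAMPLE_SYSCTL='net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.br-lan.use_tempaddr=0
net.ipv6.conf.eth0.use_tempaddr = 2'

# classify_addrs: read `ip -6 addr` text on stdin, print "<kind> <address>"
# for every global-scope address. Kinds: temporary (RFC 4941, flagged by the
# kernel), stable-privacy (RFC 7217, also flagged), eui64 (MAC-derived IID,
# recognised by the ff:fe marker in the middle of the IID), stable (anything else,
# e.g. a random ip6ifaceid or a manually set ::1).
classify_addrs() {
  awk '
    $1 == "inet6" {
      addr = $2; sub(/\/.*$/, "", addr)
      scope = ""; kind = "stable"
      for (i = 3; i <= NF; i++) {
        if ($i == "scope") scope = $(i + 1)
        if ($i == "temporary") kind = "temporary"
        if ($i == "stable-privacy") kind = "stable-privacy"
      }
      if (scope != "global") next
      # modified EUI-64 IID looks like xxxx:xxff:fexx:xxxx (leading zeros stripped)
      if (kind == "stable" && addr ~ /ff:fe[0-9a-f][0-9a-f]:[0-9a-f]*$/) kind = "eui64"
      print kind, addr
    }'
}

# count_kind KIND: number of global addresses of that kind in stdin.
count_kind() {
  classify_addrs | awk -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# tempaddr_setting IFACE: value of net.ipv6.conf.<IFACE>.use_tempaddr from a
# sysctl dump on stdin (empty if the key is absent).
tempaddr_setting() {
  awk -F= -v key="net.ipv6.conf.$1.use_tempaddr" '
    { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2); if ($1 == key) print $2 }'
}

# privacy_status IFACE IP6_TEXT SYSCTL_TEXT prints:
#   enabled         use_tempaddr is 1 or 2 and a temporary address exists
#   configured-only use_tempaddr allows temporaries but none was generated
#                   (the kernel only creates them for prefixes it learned via
#                   SLAAC, so a static/ip6assign-only interface stays like this)
#   disabled        use_tempaddr is 0 or unset
privacy_status() {
  ps_iface=$1; ps_ip6=$2; ps_sysctl=$3
  ps_setting=$(printf '%s\n' "$ps_sysctl" | tempaddr_setting "$ps_iface")
  ps_ntemp=$(printf '%s\n' "$ps_ip6" | count_kind temporary)
  case "$ps_setting" in
    1|2) if [ "$ps_ntemp" -gt 0 ]; then echo enabled; else echo configured-only; fi ;;
    *)   echo disabled ;;
  esac
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_IP6" | classify_addrs
echo "br-lan: $(privacy_status br-lan "$SAMPLE_IP6" "$SAMPLE_SYSCTL")"
```

The EUI-64 test is a heuristic: a random IID matches it with probability about 2^-16, which is why the kernel's own `temporary` flag is checked first and the marker is only used for addresses the kernel did not flag.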

Changed after "some time"?

What you describe is not what the RFCs say. Additionally, I don't know what you mean by "second".

https://www.rfc-editor.org/rfc/rfc4941#page-13

I do not recall how/if to make the address expire - which should do what you desire. Perhaps someone else can expound on that.

:warning: If that works, in your LAN case it may not matter, but it will affect services like DNS, etc. for those who use the device as a router.

For your information on https://en.wikipedia.org/wiki/IPv6:
"To address these privacy concerns, the SLAAC protocol includes what are typically called "privacy addresses" or, more correctly, "temporary addresses", codified in RFC 4941, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6".[22] Temporary addresses are random and unstable. A typical consumer device generates a new temporary address daily and will ignore traffic addressed to an old address after one week."

  • Yes, which means someone set them to "expire"
  • OpenWrt is a router, not a consumer device
  • I provided a direct link to RFC 4941 (so not sure why you quoted Wikipedia instead), feel free to review:

New temporary addresses are generated periodically
to replace temporary addresses that expire, with the exact time
between address generation a matter of local policy.

~ From RFC 4941

Putting a random IP on the lan interface itself does nothing for privacy since that IP is never used on the Internet. By default it is prefix::1 as is traditional for the router in a lan network.

The router's own IP to interact with the Internet (upgrades, DNS, NTP, etc) is the wan IP. I don't see a way to make that dynamically random, though you can use option ifaceid in a dhcpv6 configuration to use a static random suffix.

If set to use stateful DHCP and that is supported upstream, it will always use the address supplied from upstream. You can set it to not request an IPv6 address and use SLAAC, but that may not play well with an upstream network that insists on knowing your router's IP for security.


(it would keep a malicious app from recording it as its [outbound] path, and knowing your MAC) :wink:

But it seems this poster is not using the device as a router...